The MoneySpace plugin for WordPress, widely used for payment processing, suffers from a critical sensitive information exposure vulnerability (CVE-2025-13371). The root cause is the insecure handling of full payment card data (PAN, cardholder name, expiry month/year, and CVV), which the plugin stores in WordPress post_meta fields using only base64 encoding—a reversible encoding method that offers no real protection. Worse, these encoded values are embedded directly into the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization checks. As a result, any unauthenticated attacker who can guess or obtain a valid order_id parameter can access this endpoint and retrieve full credit card details from the HTML/JavaScript response. This flaw violates PCI-DSS requirements that prohibit storing sensitive authentication data such as CVV and mandate strong protection of cardholder data. The vulnerability affects all versions up to and including 2.13.9 of the MoneySpace plugin. The CVSS 3.1 score of 8.6 reflects the ease of remote exploitation without authentication, the complete compromise of confidentiality, and the broad scope of affected installations. Although no exploits are currently known in the wild, the straightforward attack vector and severe data exposure risk make this a critical issue for any organization using this plugin for payment processing on WordPress sites.

The impact of this vulnerability is severe for organizations worldwide that use the MoneySpace plugin for processing payments on WordPress websites. Attackers can remotely access full credit card details, including CVV codes, without authentication, enabling fraudulent transactions, identity theft, and financial losses for customers and merchants. The exposure of sensitive payment data also leads to non-compliance with PCI-DSS standards, risking fines, legal penalties, and reputational damage. Organizations may face loss of customer trust, increased fraud monitoring costs, and potential lawsuits. Additionally, attackers could leverage the stolen data for large-scale carding attacks or sell the information on underground markets. The breach of confidentiality is total, though integrity and availability are not directly affected. The vulnerability’s ease of exploitation and the critical nature of the data exposed make it a high-risk threat to e-commerce and financial service providers using this plugin.

To mitigate this vulnerability, organizations should immediately take the following specific actions: 1) Disable or uninstall the MoneySpace plugin until a secure patched version is available. 2) If a patch is released, promptly update to the fixed version that removes storage of sensitive card data in post_meta and implements proper authentication and authorization on the mspaylink endpoint. 3) Conduct a thorough audit of all stored payment data in WordPress databases and securely purge any sensitive cardholder data stored insecurely. 4) Implement strict access controls and authentication for any payment-related endpoints or pages. 5) Avoid storing sensitive payment data such as CVV in any form; rely on PCI-compliant tokenization or third-party payment processors that handle card data securely. 6) Monitor logs for suspicious access patterns to the mspaylink page or attempts to guess order_id values. 7) Educate developers and administrators on PCI-DSS compliance requirements and secure coding practices for handling payment information. 8) Consider deploying Web Application Firewalls (WAF) with custom rules to block unauthorized access to payment endpoints until the vulnerability is remediated. 9) Notify customers and relevant regulatory bodies if a breach is suspected due to this vulnerability.