The MoneySpace plugin for WordPress, widely used for payment processing, suffers from a critical sensitive information exposure vulnerability identified as CVE-2025-13371. The root cause is the insecure handling of full payment card details (Primary Account Number, cardholder name, expiry month/year, and CVV) which are stored in the WordPress post_meta table using base64 encoding—a reversible encoding method that provides no security. These details are then embedded directly into the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization controls. This design flaw allows any unauthenticated attacker who can guess or obtain a valid order_id parameter to access the mspaylink endpoint and retrieve full credit card details from the HTML/JavaScript response. This exposure violates PCI-DSS requirements that prohibit storage and exposure of sensitive authentication data such as CVV codes. The vulnerability has a CVSS 3.1 score of 8.6, reflecting its ease of exploitation (network accessible, no privileges or user interaction required) and severe confidentiality impact, while integrity and availability remain unaffected. Although no exploits have been reported in the wild yet, the vulnerability presents a significant risk to any WordPress site using the MoneySpace plugin, especially e-commerce sites processing payments. The lack of patch links suggests a fix is not yet publicly available, increasing urgency for mitigation through configuration changes or plugin removal. The vulnerability’s CWE classification is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).

For European organizations, this vulnerability poses a severe risk of payment card data breaches, leading to potential financial fraud, chargebacks, and loss of customer trust. Exposure of CVV and full card details can result in direct monetary theft and fraudulent transactions. Additionally, organizations face significant regulatory consequences under GDPR and PCI-DSS compliance frameworks, including heavy fines and mandatory breach notifications. The reputational damage from such a breach can also impact business continuity and customer retention. E-commerce businesses, financial service providers, and any entities processing payments via WordPress sites using the MoneySpace plugin are particularly vulnerable. The public accessibility of the sensitive data without authentication means attackers can automate attacks at scale, increasing the likelihood of exploitation. This vulnerability also undermines the security posture of organizations relying on WordPress plugins for payment processing, highlighting the need for stringent plugin security assessments.

1. Immediately disable or uninstall the MoneySpace plugin on all WordPress sites until a secure patched version is released. 2. If removal is not immediately possible, restrict access to the mspaylink endpoint using web server rules (e.g., IP whitelisting, HTTP authentication) to prevent unauthenticated access. 3. Audit WordPress databases for stored payment card data and securely delete any sensitive information stored in post_meta or elsewhere. 4. Avoid storing sensitive payment data such as CVV in any form; rely on PCI-compliant payment gateways that tokenize card data. 5. Monitor web server logs for suspicious requests targeting the mspaylink endpoint or attempts to guess order_id values. 6. Implement Web Application Firewall (WAF) rules to detect and block access patterns indicative of exploitation attempts. 7. Educate development and security teams on secure handling of payment data and compliance requirements. 8. Plan for a full security review of all payment-related plugins and custom code to prevent similar issues. 9. Stay updated with vendor announcements for patches or mitigations and apply them promptly once available.