WordPress · MoneySpace · CVE-2025-13371
**Name of the Vulnerable Software and Affected Versions**
MoneySpace plugin for WordPress versions prior to 2.13.9
**Description**
The MoneySpace plugin for WordPress has a sensitive information exposure vulnerability. The plugin stores complete payment card details (Primary Account Number (PAN), cardholder name, expiry date, and Card Verification Value (CVV)) in WordPress post metadata using base64, which is a reversible encoding and not encryption. These details are then embedded directly into the JavaScript of the publicly accessible `mspaylink` page, which requires no authentication or authorization. An unauthenticated attacker who knows or can guess an order ID can therefore access the `mspaylink` endpoint and retrieve full credit card information directly from the HTML/JS response, resulting in a significant PCI-DSS compliance violation.
**Recommendations**
Update the MoneySpace plugin to a version later than 2.13.9.
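
An added example (not part of the original advisory or the plugin's code): a Python audit that scans rows exported from your own site's `wp_postmeta` table for base64 values that decode to Luhn-valid card numbers, the storage pattern described above. The meta keys and sample rows are constructed for illustration; the advisory does not name the plugin's real keys.

```python
import base64
import binascii
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")           # long base64-looking tokens
PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum that valid payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def decode_b64(token):
    """Strictly decode a token to UTF-8 text; None if it is not base64-encoded text."""
    try:
        padded = token + "=" * (-len(token) % 4)
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def mask(pan):
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_postmeta(rows):
    """rows: (post_id, meta_key, meta_value) tuples exported from wp_postmeta."""
    findings = []
    for post_id, key, value in rows:
        for token in B64_RUN.findall(value or ""):
            decoded = decode_b64(token)
            if decoded is None:
                continue
            for m in PAN_RUN.finditer(decoded):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    findings.append((post_id, key, mask(digits)))
    return findings

# Constructed sample rows; the meta keys are hypothetical, not the plugin's real keys.
# 4111111111111111 is a widely published test number, not a real card.
SAMPLE_ROWS = [
    (101, "example_card_number", base64.b64encode(b"4111 1111 1111 1111").decode()),
    (101, "example_order_note", "Customer asked for gift wrapping, ref ABCDEFGHIJKLMNOPQRST"),
    (102, "example_tracking", base64.b64encode(b"1234567890123456").decode()),  # fails Luhn
]

if __name__ == "__main__":
    for finding in audit_postmeta(SAMPLE_ROWS):
        print(finding)
```

Any finding means cardholder data is at rest in the database and should be purged and handled under your PCI-DSS incident process; the report masks each number so the audit output does not become a second copy of the data.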