CVE-2025-13371

Name of the Vulnerable Software and Affected Versions MoneySpace plugin for WordPress versions prior to 2.13.9

Description The MoneySpace plugin for WordPress exhibits a sensitive information exposure issue. The plugin stores complete payment card details – including Primary Account Number (PAN), cardholder name, expiry date, and Card Verification Value (CVV) – in WordPress post metadata using base64 encoding. These details are then embedded directly into the JavaScript of the publicly accessible mspaylink page without any authentication or authorization. This allows unauthenticated attackers who know or can guess an order ID to access the mspaylink endpoint and retrieve full credit card information directly from the HTML/JS response, resulting in a significant PCI-DSS compliance violation.

Recommendations Update the MoneySpace plugin to a version later than 2.13.9.