CVE-2025-13371
Published: 07 January 2026
Description
The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation.
Mitigating Controls (NIST 800-53 r5)
SC-14 directly prevents public access to security-relevant information such as full payment card details on unauthenticated endpoints like mspaylink.
AC-22 requires review and approval of publicly accessible content to ensure sensitive payment card details are not embedded in HTML/JS responses.
SI-15 filters information output from the system to prevent unauthorized disclosure of sensitive data like PAN and CVV in public page responses.
Security Summary
CVE-2025-13371 is a sensitive information exposure vulnerability (CWE-200) affecting the MoneySpace plugin for WordPress in all versions up to and including 2.13.9. The issue arises because the plugin stores full payment card details—including primary account number (PAN), cardholder name, expiry month/year, and CVV—in WordPress post_meta using base64_encode(). These values are then embedded directly into the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization checks, exposing them in the HTML/JS response.
Unauthenticated attackers can exploit this vulnerability by knowing or guessing an order_id and accessing the mspaylink endpoint. Successful exploitation allows retrieval of complete credit card numbers and CVV codes from the page's source, enabling severe data theft and constituting a major PCI-DSS violation. The CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects high confidentiality impact, a network attack vector, and changed scope.
References include source code excerpts from the plugin's GitHub repository and WordPress plugin trac, highlighting lines 164 and 232 in view/mspaylink.php where the exposure occurs, along with a specific changeset that may indicate remediation efforts. Security practitioners should review these for patching details and upgrade to fixed versions if available.
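The weakness described above (base64-encoded card data echoed into a page that any client can fetch) and the SI-15 output-filtering control listed under Mitigating Controls can be illustrated with a response filter that a site operator runs over outgoing HTML before it leaves the server. The code below is an added example, not code from the MoneySpace plugin or from the advisory: it scans a response body for base64 tokens (and plain digit runs) that decode to a Luhn-valid 13-19 digit primary account number and replaces them with a redaction marker, returning a masked record of what it found. The sample response is constructed here to imitate the pattern; it is not the plugin's actual markup, and the variable names in it (card_number, card_cvv, order_id) are assumptions.

```python
"""Response filter that catches base64-encoded or plain payment card numbers in an
HTTP response body before it is sent to the client (an SI-15 style output control).
Added example; not the plugin's own code."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Candidate base64 tokens: long enough to carry a 13-19 digit PAN (20-28 chars),
# delimited so that we never cut a longer token in half.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,60}={0,2}(?![A-Za-z0-9+/=])")
# Plain digit runs in the PAN length range.
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Base64 of the well-known Visa test PAN 4111111111111111 (constructed sample value).
SAMPLE_B64_PAN = "NDExMTExMTExMTExMTExMQ=="

# Constructed sample response imitating the risky pattern: card fields stored
# base64-encoded and handed to inline JavaScript on a page with no access check.
SAMPLE_RESPONSE = (
    "<html><body><script>\n"
    'var order_id = "1001";\n'
    'var card_name = "VGVzdCBDYXJkaG9sZGVy";\n'          # base64("Test Cardholder")
    'var card_number = "' + SAMPLE_B64_PAN + '";\n'
    'var card_cvv = "MTIz";\n'                           # base64("123"): too short to detect
    "</script><p>Ref 4242424242424242</p></body></html>\n"
)


@dataclass
class Finding:
    encoding: str   # "base64" or "plain"
    masked: str     # last four digits only, e.g. "************1111"
    offset: int     # position of the token in the response body
    length: int     # length of the token as it appears in the body


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by card brands; rejects most random digit strings."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def decode_base64_digits(token: str) -> Optional[str]:
    """Return the decoded text only if the token is valid base64 for an all-digit ASCII string."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isdigit() else None


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(body: str) -> List[Finding]:
    """Locate Luhn-valid PANs in the body, whether base64-encoded or in the clear."""
    findings: List[Finding] = []
    for m in B64_TOKEN.finditer(body):
        digits = decode_base64_digits(m.group(0))
        if digits and luhn_valid(digits):
            findings.append(Finding("base64", mask(digits), m.start(), len(m.group(0))))
    covered = [(f.offset, f.offset + f.length) for f in findings]
    for m in DIGIT_RUN.finditer(body):
        inside_b64 = any(s <= m.start() < e for s, e in covered)
        if not inside_b64 and luhn_valid(m.group(0)):
            findings.append(Finding("plain", mask(m.group(0)), m.start(), len(m.group(0))))
    return sorted(findings, key=lambda f: f.offset)


def redact_response(body: str, marker: str = "[REDACTED-PAN]") -> Tuple[str, List[Finding]]:
    """Return the body with every detected PAN replaced by marker, plus the masked findings."""
    findings = find_card_numbers(body)
    out = body
    # Replace from the end of the body so earlier offsets remain valid.
    for f in sorted(findings, key=lambda f: f.offset, reverse=True):
        out = out[:f.offset] + marker + out[f.offset + f.length:]
    return out, findings


if __name__ == "__main__":
    redacted, found = redact_response(SAMPLE_RESPONSE)
    for f in found:
        print(f"{f.encoding:6} PAN at offset {f.offset}: {f.masked}")
    print(redacted)
```

Two caveats follow from the design. A CVV is three or four digits, so its base64 form is far too short to distinguish from ordinary page content; no output filter can reliably catch it, and the only effective control is not to store it at all, which is also what PCI DSS requires after authorization. Likewise, this filter is a compensating control for the disclosure path, not a fix: the underlying remediation is to stop persisting PAN and CVV in post_meta and to require authorization before rendering any payment-link page.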
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated exploitation of a public-facing WordPress plugin (T1190) exposes full payment card details (PAN, CVV, expiry, name), enabling financial theft (T1657).