CVE-2025-13371 HIGH

CVE-2025-13371: Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure

Vendor Moneyspace

Product Money Space

Weakness CWE-200 · Info exposure

Published January 7, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation.

Key dates

02Disclosure timeline

January 7, 2026 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-13371

Related vulnerabilities

CVE-2025-13371: Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure

01Description

02Disclosure timeline

03References

04Related CVE