{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T02:08:47.213","vulnerabilities":[{"cve":{"id":"CVE-2025-13371","sourceIdentifier":"security@wordfence.com","published":"2026-01-07T12:16:47.583","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation."},{"lang":"es","value":"El plugin MoneySpace para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 2.13.9, inclusive. Esto se debe a que el plugin almacena los detalles completos de la tarjeta de pago (PAN, nombre del titular de la tarjeta, mes/año de vencimiento y CVV) en el post_meta de WordPress utilizando base64_encode(), y luego incrusta estos valores en el JavaScript en línea de la página mspaylink, que es de acceso público, sin ninguna comprobación de autenticación o autorización. Esto hace posible que atacantes no autenticados que conozcan o puedan adivinar un order_id accedan al endpoint mspaylink y recuperen números completos de tarjetas de crédito y códigos CVV directamente de la respuesta HTML/JS, lo que constituye una grave violación de PCI-DSS."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","baseScore":8.6,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":4.0}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-200"}]}],"references":[{"url":"https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164","source":"security@wordfence.com"},{"url":"https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426909%40money-space&new=3426909%40money-space&sfp_email=&sfph_mail=","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve","source":"security@wordfence.com"}]}}]}