Cyber Posture

CVE-2025-13371

Severity: High
Published: 07 January 2026
Modified: 15 April 2026
KEV Added: not listed (see Summary)
Patch: none recorded
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0031 (54.1st percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-13371 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the MoneySpace plugin for WordPress, affecting all versions up to and including 2.13.9 (the affected product is inferred from the references and description; NVD filed no CPE). Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.9% of CVEs by exploit likelihood (EPSS 0.0031, 54.1st percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Financial Theft (T1657). What defenders deploy: the NIST 800-53 controls listed under Threat & Defense Details.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-14 (prevent): directly prevents public access to security-relevant information such as full payment card details on unauthenticated endpoints like mspaylink. Note that SC-14 (Public Access Protections) is marked withdrawn in SP 800-53 since r4, with its capability folded into AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10; map to those controls when building a control baseline.

AC-22 (prevent): requires review and approval of publicly accessible content to ensure sensitive payment card details are not embedded in HTML/JS responses.

SI-15 (prevent): filters information output from the system to prevent unauthorized disclosure of sensitive data such as the PAN and CVV in public page responses.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1657 Financial Theft (Impact)
Adversaries may steal monetary resources from targets through extortion, social engineering, technical theft, or other methods aimed at their own financial gain at the expense of the availability of these resources for victims.
Why these techniques?

Unauthenticated exploitation of public-facing WordPress plugin (T1190) exposes full payment card details (PAN, CVV, expiry, name), enabling financial theft (T1657).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
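The T1190 mapping above describes an unauthenticated client walking order_id values against the public mspaylink page, which leaves a recognisable trace in the web server's access log: one source requesting many distinct order_ids on that path in a short time. The following hunt is an added example written for this page, not code from the MoneySpace plugin or from the page's own tooling; it assumes the page is served at a URL of the form /mspaylink/?order_id=N (the real URL layout is not given on the page) and the log lines are constructed samples in Combined Log Format.

```python
# Added example (not code from the page or the MoneySpace plugin): hunt access
# logs for order_id enumeration against the mspaylink page. The URL shape
# "/mspaylink/?order_id=N" is an assumption; SAMPLE_LOG is constructed.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Combined Log Format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client sweeps five order_ids, one legitimate
# customer opens a single link, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2026:10:00:01 +0000] "GET /mspaylink/?order_id=1001 HTTP/1.1" 200 5120
203.0.113.7 - - [08/Jan/2026:10:00:02 +0000] "GET /mspaylink/?order_id=1002 HTTP/1.1" 200 5118
203.0.113.7 - - [08/Jan/2026:10:00:02 +0000] "GET /mspaylink/?order_id=1003 HTTP/1.1" 404 312
203.0.113.7 - - [08/Jan/2026:10:00:03 +0000] "GET /mspaylink/?order_id=1004 HTTP/1.1" 200 5125
203.0.113.7 - - [08/Jan/2026:10:00:03 +0000] "GET /mspaylink/?order_id=1005 HTTP/1.1" 200 5130
198.51.100.20 - - [08/Jan/2026:10:05:44 +0000] "GET /mspaylink/?order_id=1042 HTTP/1.1" 200 5122
198.51.100.20 - - [08/Jan/2026:10:06:10 +0000] "GET /checkout/ HTTP/1.1" 200 9800
192.0.2.9 - - [08/Jan/2026:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100
"""


def parse_line(line):
    """Parse one Combined-Log-Format line; None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def mspaylink_hits(log_text):
    """Yield (ip, order_id, status) for each mspaylink request carrying an order_id."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["path"])
        if not url.path.rstrip("/").endswith("/mspaylink"):
            continue
        ids = parse_qs(url.query).get("order_id")
        if not ids:
            continue
        yield rec["ip"], ids[0], int(rec["status"])


def find_enumerators(log_text, min_distinct=3):
    """Sources that requested at least min_distinct different order_ids.

    Returns {ip: {"order_ids": [...], "exposed": n}} where "exposed" counts the
    requests answered with HTTP 200, i.e. the pages that actually rendered
    (and, on a vulnerable version, embedded the card data for that order).
    """
    seen = defaultdict(set)
    served = defaultdict(int)
    for ip, oid, status in mspaylink_hits(log_text):
        seen[ip].add(oid)
        if status == 200:
            served[ip] += 1
    return {
        ip: {"order_ids": sorted(ids), "exposed": served[ip]}
        for ip, ids in seen.items()
        if len(ids) >= min_distinct
    }


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['order_ids'])} distinct order_ids, "
              f"{info['exposed']} served with HTTP 200")
```

The threshold of three distinct order_ids per source is a starting point, not a tuned value; a real customer normally opens one link. The 200-versus-404 split matters for incident scoping: on an unpatched install every 200 in the enumerator's list is an order whose card data must be treated as compromised, which is the list the PCI incident process needs.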

NVD Description

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation.

Deeper analysis

CVE-2025-13371 is a sensitive information exposure vulnerability (CWE-200) affecting the MoneySpace plugin for WordPress in all versions up to and including 2.13.9. The issue arises because the plugin stores full payment card details—including primary account number (PAN), cardholder name, expiry month/year, and CVV—in WordPress post_meta using base64_encode(). These values are then embedded directly into the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization checks, exposing them in the HTML/JS response.

Unauthenticated attackers can exploit this vulnerability by knowing or guessing an order_id and requesting the mspaylink endpoint. Successful exploitation allows retrieval of complete card numbers and CVV codes from the page source, enabling large-scale card theft and constituting a major PCI-DSS violation (storing the CVV after authorization is prohibited outright, and base64 is an encoding, not encryption, so the stored PAN is effectively plaintext). The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects a network-reachable, unauthenticated attack with high confidentiality impact and a changed scope (S:C), since the disclosed data belongs to the cardholders and the card network rather than to the WordPress site alone.

References include source code excerpts from the plugin's GitHub repository and WordPress plugin trac, highlighting lines 164 and 232 in view/mspaylink.php where the exposure occurs, along with a specific changeset that may indicate remediation efforts. Security practitioners should review these for patching details and upgrade to fixed versions if available.
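The exposure is in the response body, so the verification a practitioner wants after upgrading (and the output-filtering control SI-15 listed above) both come down to the same check: does the HTML/JS served for an order_id contain a primary account number, either as plain digits or as a base64 token that decodes to one? The script below is an added example written for this page, not code from the MoneySpace plugin or the page's own tooling. SAMPLE_HTML is a constructed response that mimics the pattern the NVD description gives (base64 card fields in inline JavaScript); the JavaScript variable names in it are assumptions, not the plugin's real markup, and 4111111111111111 is the well-known Visa test number.

```python
# Added example, not code from the page or from the MoneySpace plugin: scan an
# HTML/JS response for embedded payment card data, as plain digits or as base64
# strings that decode to a Luhn-valid PAN, and redact what is found.
# SAMPLE_HTML is constructed; the ms_* names are assumptions, not the plugin's.
import base64
import binascii
import re

SAMPLE_HTML = """<html><body>
<script>
var ms_card = "NDExMTExMTExMTExMTExMQ==";   // base64 of the Visa test PAN
var ms_cvv  = "MTIz";                       // base64 of "123"
var ms_name = "SmFuZSBEb2U=";               // base64 of "Jane Doe"
var ms_exp  = "MTIvMjc=";                   // base64 of "12/27"
</script>
<p>Order #1001 total: 49.00</p>
</body></html>"""

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Anything that looks like a base64 token: 4+ alphabet chars plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")


def luhn_ok(digits):
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plain_pans(text):
    """Digit runs that pass Luhn, returned as normalised digit strings."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_encoded_pans(text):
    """Base64 tokens that decode to a Luhn-valid PAN, as (token, pan) pairs."""
    hits = []
    for m in B64_RE.finditer(text):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not valid base64, or does not decode to printable text
        if raw.isdigit() and 13 <= len(raw) <= 19 and luhn_ok(raw):
            hits.append((token, raw))
    return hits


def leaks_card_data(text):
    """True if the response body carries a PAN in either form."""
    return bool(find_plain_pans(text) or find_encoded_pans(text))


def redact(text):
    """SI-15 style output filter: keep only the last four digits of any PAN found."""
    def mask_plain(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_RE.sub(mask_plain, text)
    for token, pan in find_encoded_pans(text):
        masked = base64.b64encode(("*" * (len(pan) - 4) + pan[-4:]).encode()).decode()
        text = text.replace(token, masked)
    return text


if __name__ == "__main__":
    print("leaks card data:", leaks_card_data(SAMPLE_HTML))
    for token, pan in find_encoded_pans(SAMPLE_HTML):
        print(f"  {token} -> {pan[:6]}...{pan[-4:]}")
    print("after redaction:", leaks_card_data(redact(SAMPLE_HTML)))
```

Run it against the body returned for a known order_id before and after the upgrade; a PAN hit on the patched version means the fix did not remove the embedding. The check keys on the PAN because it has structure (length and Luhn); a three-digit CVV or an expiry date has none, so a clean result for the PAN is the signal, and any response that still decodes a CVV alongside it is still a PCI-DSS failure even if the PAN were masked. The redact() function is a compensating control for the window before patching, not a substitute for removing the stored card data.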

Details

CWE(s)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Affected Products

WordPress (MoneySpace plugin, all versions up to and including 2.13.9); affected product inferred from references and description, as NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-22828 (shared CWE-200)
CVE-2026-40584 (shared CWE-200)
CVE-2026-22237 (shared CWE-200)
CVE-2026-31837 (shared CWE-200)
CVE-2025-67274 (shared CWE-200)
CVE-2025-27615 (shared CWE-200)
CVE-2025-25951 (shared CWE-200)
CVE-2024-13796 (shared CWE-200)
CVE-2024-11090 (shared CWE-200)
CVE-2024-13086 (shared CWE-200)
