CVE-2025-13371
📋 TL;DR
The MoneySpace WordPress plugin exposes full payment card details including CVV codes to unauthenticated attackers. Any WordPress site using MoneySpace plugin versions up to 2.13.9 is affected, potentially exposing customer payment data in violation of PCI-DSS requirements.
💻 Affected Systems
- MoneySpace for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass credit card data breach leading to financial fraud, regulatory fines (PCI-DSS violations), reputational damage, and potential lawsuits.
Likely Case
Targeted attackers harvesting payment card data from vulnerable sites, leading to fraudulent transactions and customer notification requirements.
If Mitigated
Limited exposure if plugin is disabled or patched before exploitation, but any exposed data remains compromised.
🎯 Exploit Status
Attackers only need to guess or discover order IDs and access the mspaylink endpoint. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.14.0 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/money-space/trunk/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the MoneySpace plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.14.0+ from WordPress.org and replace the plugin files.
🔧 Temporary Workarounds
Disable MoneySpace Plugin
Platform: Linux. Temporarily disable the vulnerable plugin until it is patched (WP-CLI):
wp plugin deactivate money-space
Block mspaylink Endpoint
Platform: all. Use web server rules to block access to the vulnerable endpoint (the Apache rule needs mod_rewrite and an active RewriteEngine On, which a standard WordPress .htaccess already provides):
Apache: RewriteRule ^.*mspaylink.*$ - [F,L]
Nginx: location ~* mspaylink { deny all; }
🧯 If You Can't Patch
- Immediately disable the MoneySpace plugin and use alternative payment processing
- Implement web application firewall rules to block access to /mspaylink endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → MoneySpace version. If the version is ≤ 2.13.9, you are vulnerable.
Check Version:
wp plugin list --name='money-space' --field=version
Verify Fix Applied:
After update, verify plugin version is 2.14.0+ and test that /mspaylink endpoint no longer exposes payment data.
📡 Detection & Monitoring
Log Indicators:
- Unusual access to /mspaylink endpoints
- Multiple failed order ID guessing attempts
- Access from suspicious IPs to payment-related URLs
Network Indicators:
- HTTP GET requests to */mspaylink* with order_id parameters
- Traffic patterns suggesting order ID enumeration
SIEM Query:
source="web_access_logs" AND uri="*mspaylink*" AND (status=200 OR status=302)
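The indicators above, turned into a small log-review script. This is an added example, not part of the original advisory or of the plugin: it applies the SIEM query's logic (URI contains mspaylink, served with 200 or 302) to combined-format web access logs and then flags any client that requested several distinct order_id values, the order ID enumeration pattern described above. The log lines, the client IPs and the order numbers are constructed; the plugin path follows the view/mspaylink.php location given in the references.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Combined-log-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parsed = urlparse(rec["uri"])
    rec["path"] = parsed.path
    # order_id may be absent; keep the first value when present.
    rec["order_id"] = parse_qs(parsed.query).get("order_id", [None])[0]
    rec["status"] = int(rec["status"])
    return rec

def mspaylink_hits(log_text, statuses=(200, 302)):
    """Mirror the SIEM query: requests whose URI contains 'mspaylink' and that were served."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "mspaylink" in rec["uri"].lower() and rec["status"] in statuses:
            hits.append(rec)
    return hits

def enumeration_suspects(hits, min_distinct_orders=3):
    """Client IPs that fetched at least min_distinct_orders different order_id values."""
    per_ip = defaultdict(set)
    for h in hits:
        if h["order_id"] is not None:
            per_ip[h["ip"]].add(h["order_id"])
    return sorted(ip for ip, ids in per_ip.items() if len(ids) >= min_distinct_orders)

# Constructed sample lines (not real traffic): one client walks consecutive order IDs,
# another is a normal shopper opening its own pay link once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/money-space/view/mspaylink.php?order_id=1001 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/money-space/view/mspaylink.php?order_id=1002 HTTP/1.1" 200 5098
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-content/plugins/money-space/view/mspaylink.php?order_id=1003 HTTP/1.1" 404 211
203.0.113.5 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-content/plugins/money-space/view/mspaylink.php?order_id=1004 HTTP/1.1" 302 0
198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "GET /wp-content/plugins/money-space/view/mspaylink.php?order_id=2045 HTTP/1.1" 200 5110
198.51.100.9 - - [10/Jan/2025:10:01:30 +0000] "GET /shop/checkout/ HTTP/1.1" 200 18233
"""

if __name__ == "__main__":
    hits = mspaylink_hits(SAMPLE_LOG)
    print(len(hits), "served mspaylink requests; enumeration suspects:", enumeration_suspects(hits))
```

On a real server, feed it the access log of the site and tune min_distinct_orders to the shop's normal traffic; the 404 line is deliberately left out of the hits because the SIEM query only counts served responses.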
🔗 References
- https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164
- https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232
- https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232
- https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232
- https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve