MoneySpace WordPress Plugin Sensitive Information Exposure Vulnerability
Vulnerability
A sensitive information exposure vulnerability has been identified in the MoneySpace plugin for WordPress, affecting all versions through 2.13.9. The plugin stores full payment card details, including the primary account number (PAN), cardholder name, expiration date, and CVV, in the WordPress post_meta. This information is only base64-encoded, which is a reversible encoding and not encryption, and is embedded into the inline JavaScript of the publicly accessible mspaylink page without any authentication or authorization checks. As a result, unauthenticated attackers who know or can guess an order_id can access the mspaylink endpoint and retrieve full credit card numbers and CVV codes from the HTML/JS response, violating PCI-DSS regulations.
Impact
Exploitation of this vulnerability allows unauthenticated access to sensitive payment card information, including full credit card numbers and CVV codes, directly from the response of the mspaylink endpoint.
Reproduction
To reproduce this vulnerability, an unauthenticated user requests the mspaylink page with the order_id included in the request. The response will include the payment card details stored in the post_meta, including the card number, expiration date, and CVV.
Remediation
No known patch is available. It is recommended to uninstall the affected plugin and find a replacement.
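To check whether card data of the kind described above is present in a site's post meta, the following added example (not code from the plugin or its vendor) scans exported rows, decodes base64 values, and reports Luhn-valid card numbers in masked form. It assumes rows are available as (post_id, meta_key, meta_value) tuples; the meta key names in the sample are hypothetical, since the advisory does not name them.

```python
import base64
import binascii
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def decode_layers(value: str):
    """Yield the raw value, then its base64 decoding if that is valid UTF-8."""
    yield value
    try:
        raw = base64.b64decode(value.strip(), validate=True)
        yield raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return

def find_card_data(rows):
    """rows: iterable of (post_id, meta_key, meta_value). Returns masked hits."""
    hits = []
    for post_id, meta_key, meta_value in rows:
        for text in decode_layers(meta_value):
            for m in PAN_RE.finditer(text):
                digits = re.sub(r"\D", "", m.group())
                if luhn_ok(digits):
                    # Keep first 6 and last 4 digits only, never the full PAN.
                    masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                    hits.append((post_id, meta_key, masked))
    return hits

# Constructed sample rows with hypothetical meta keys; 4111... is a test number.
SAMPLE_ROWS = [
    (101, "example_card_meta", base64.b64encode(
        b'{"number":"4111 1111 1111 1111","cvv":"123"}').decode()),
    (102, "_order_total", "1500.00"),
    (103, "_tracking_ref", "1234567890123456"),  # 16 digits, fails Luhn
]

if __name__ == "__main__":
    for hit in find_card_data(SAMPLE_ROWS):
        print(hit)
```

Rows it reports are candidates for secure deletion and for review under the site's card-data handling obligations.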
