CVE-2025-13371

WordPress · WordPress MoneySpace plugin

Executive summary

A high-severity vulnerability has been identified in the MoneySpace plugin for WordPress, designated as CVE-2025-13371. This flaw allows unauthorized attackers to access sensitive information, potentially including customer data, API keys, or transaction details. Successful exploitation could lead to significant data breaches, financial loss, and reputational damage.

Vulnerability

The MoneySpace plugin for WordPress fails to properly restrict access to sensitive data. This could be due to a debug log file being publicly accessible, an unauthenticated API endpoint exposing internal information, or improper permissions on critical files. An unauthenticated attacker can exploit this by sending a crafted HTTP request to the vulnerable endpoint or directly accessing a known file path, thereby retrieving sensitive information without requiring any privileges on the target WordPress site.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.6. Exploitation could result in the compromise of confidential business and customer data, such as personally identifiable information (PII), payment credentials, and secret API keys. The consequences for the organization include direct financial loss, regulatory penalties under data protection laws (e.g., GDPR, CCPA), significant reputational harm, and the erosion of customer trust. Stolen API keys could also be used to perform fraudulent transactions or gain further access to integrated systems.

Remediation

Immediate Action:

  • Immediately update the MoneySpace plugin to the latest version provided by the vendor, which addresses this vulnerability.
  • If the plugin is not essential for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate the associated risk.
  • Review web server configurations to ensure that directory listing is disabled and that file permissions are set according to security best practices.

Proactive Monitoring:

  • Review historical web server access logs for any unusual requests to files or directories associated with the MoneySpace plugin, particularly from unknown IP addresses.
  • Monitor outbound network traffic for signs of anomalous data exfiltration.
  • Implement file integrity monitoring to detect unauthorized creation or modification of files within the plugin's directory.
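One way to carry out the access-log review described above, as an added example that is not part of this advisory: a Python script that scans Apache/nginx combined-format log lines for successful requests into the plugin's directory that fetched a log/text/config-style file or a bare directory listing from an untrusted client, and groups the hits by source IP. The plugin directory slug, the trusted-IP set and the log lines are constructed placeholders, not values from the advisory.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format: client IP, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Assumption: the plugin sits under the usual wp-content/plugins path; the slug is a placeholder.
PLUGIN_DIR = "/wp-content/plugins/PLUGIN_SLUG_PLACEHOLDER/"
# File types a plugin directory should never serve to anonymous clients.
SENSITIVE_EXT = (".log", ".txt", ".json", ".sql", ".env", ".bak")
# Constructed: hosts whose reads of the plugin directory are expected (e.g. an internal scanner).
TRUSTED_IPS = {"10.0.0.5"}

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:09:12:01 +0000] "GET /wp-content/plugins/PLUGIN_SLUG_PLACEHOLDER/debug.log HTTP/1.1" 200 48213 "-" "curl/8.4.0"
203.0.113.7 - - [10/Nov/2025:09:12:03 +0000] "GET /wp-content/plugins/PLUGIN_SLUG_PLACEHOLDER/ HTTP/1.1" 200 2310 "-" "curl/8.4.0"
198.51.100.2 - - [10/Nov/2025:09:15:44 +0000] "GET /wp-content/plugins/PLUGIN_SLUG_PLACEHOLDER/assets/js/checkout.js HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2025:09:20:00 +0000] "GET /wp-content/plugins/PLUGIN_SLUG_PLACEHOLDER/debug.log HTTP/1.1" 200 48213 "-" "internal-check"
192.0.2.9 - - [10/Nov/2025:09:21:10 +0000] "GET /wp-content/plugins/PLUGIN_SLUG_PLACEHOLDER/debug.log?x=1 HTTP/1.1" 404 196 "-" "curl/8.4.0"
"""


def flag_suspicious(lines, plugin_dir=PLUGIN_DIR, trusted=TRUSTED_IPS):
    """Return {ip: [paths]} for 2xx requests into the plugin directory that retrieved a
    sensitive file type or a bare directory listing, ignoring trusted clients and failed requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, status = m["ip"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if ip in trusted or not path.startswith(plugin_dir):
            continue
        if 200 <= status < 300 and (path.lower().endswith(SENSITIVE_EXT) or path.endswith("/")):
            hits[ip].append(path)
    return dict(hits)


if __name__ == "__main__":
    for ip, paths in flag_suspicious(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(paths)} suspicious read(s) -> {paths}")
```

Feed the function real log lines (e.g. `open('access.log')`) and extend `TRUSTED_IPS` and `SENSITIVE_EXT` to match the environment; a 404 against the same path still signals probing and can be reported separately if desired.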

Compensating Controls:

  • If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to block access to the known vulnerable endpoints or files associated with the plugin.
  • Restrict access to the WordPress site from untrusted IP addresses at the network or web server level.
  • Rotate sensitive credentials, such as API keys, on a regular schedule as a precautionary measure.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.6 and the critical nature of the exposed data, this vulnerability poses a significant and immediate risk to the organization. Although CVE-2025-13371 is not currently listed on the CISA KEV catalog, its severity warrants urgent attention. We strongly recommend that all instances of the vulnerable MoneySpace plugin be updated to the latest patched version immediately. If the plugin is not critical, it should be removed entirely as the most effective mitigation strategy.