CVE-2026-7421
Description
The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the get_shop_url() method returning the shop_name setting value without sanitization when it begins with "http", combined with insufficient validation in the validate_shop_name() function which only checks for empty values and string type. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary external scripts by setting the shop_name to an attacker-controlled URL (e.g., https://attacker.com), which causes the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain via wp_register_script() and wp_register_style(). The injected scripts execute on every frontend page containing any Passeum Ticketing shortcode, affecting all site visitors. Please note that this does not affect single-site installations as administrators already have the unfiltered_html capability.
Affected products
1- Range: <=1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `get_shop_url()` method returns the `shop_name` setting without sanitization, and `validate_shop_name()` only checks for empty values."
Attack vector
An authenticated attacker with Administrator-level access can set the `shop_name` option to an attacker-controlled URL, such as `https://attacker.com` [ref_id=1]. This causes the plugin to enqueue external JavaScript and CSS from the attacker's domain via `wp_register_script()` and `wp_register_style()` [ref_id=1]. The injected scripts will then execute on any frontend page that includes a Passeum Ticketing shortcode, affecting all site visitors [ref_id=1].
Affected code
The vulnerability lies within the `register_assets()` method of the Passeum Ticketing plugin. Specifically, the `get_shop_url()` method is called with the `shop_name` setting, and its return value is used directly in `wp_register_style()` and `wp_register_script()` [ref_id=1, ref_id=2, ref_id=3, ref_id=4]. The `validate_shop_name()` function, which is responsible for validating this setting, does not perform adequate sanitization.
What the fix does
The patch is not provided in the bundle. The advisory indicates that the vulnerability is due to insufficient validation in the `validate_shop_name()` function and the `get_shop_url()` method not sanitizing the `shop_name` setting. Remediation guidance would typically involve sanitizing the `shop_name` input to prevent the inclusion of external scripts.
Preconditions
- authAttacker must have Administrator-level access or higher.
- configThe Passeum Ticketing plugin must be installed and configured.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- plugins.trac.wordpress.org/browser/passeum-ticketing/tags/1.0/inc/settings.phpnvd
- plugins.trac.wordpress.org/browser/passeum-ticketing/tags/1.0/passeum-ticketing.phpnvd
- plugins.trac.wordpress.org/browser/passeum-ticketing/tags/1.0/passeum-ticketing.phpnvd
- plugins.trac.wordpress.org/browser/passeum-ticketing/trunk/inc/settings.phpnvd
- plugins.trac.wordpress.org/browser/passeum-ticketing/trunk/passeum-ticketing.phpnvd
- plugins.trac.wordpress.org/browser/passeum-ticketing/trunk/passeum-ticketing.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/48363f1f-dae8-4efa-824f-098550245ca3nvd
News mentions
1- WordPress: 25 Plugin and Theme Vulnerabilities Disclosed in Single BatchVypr Intelligence · Jun 3, 2026