CVE-2026-7421 MEDIUM

CVE-2026-7421: Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

Vendor Passeum
Product Passeum Ticketing
Weakness CWE-79 · XSS
Published June 2, 2026
Last update June 3, 2026

CVSS base score

4.4/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the `get_shop_url()` method returning the `shop_name` setting value without sanitization when it begins with "http", combined with insufficient validation in the `validate_shop_name()` function which only checks for empty values and string type. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary external scripts by setting the `shop_name` to an attacker-controlled URL (e.g., `https://attacker.com`), which causes the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain via `wp_register_script()` and `wp_register_style()`. The injected scripts execute on every frontend page containing any Passeum Ticketing shortcode, affecting all site visitors. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
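The safe pattern for this class of bug is to keep a display setting like `shop_name` from ever becoming the origin of an enqueued asset. The PHP below is an added illustrative example written for this page, not the Passeum Ticketing plugin's own code (the plugin's actual implementation is not reproduced here); all function names are hypothetical, and it assumes a standard WordPress plugin context.

```php
<?php
// Added illustrative example, not the Passeum Ticketing plugin's own code.
// Goal: a user-editable "shop_name" option must never influence the src
// passed to wp_register_script() / wp_register_style().

// Hypothetical hardened validator: shop_name is a display label, never a URL.
function passeum_example_validate_shop_name( $value ) {
    if ( ! is_string( $value ) ) {
        return new WP_Error( 'invalid_type', 'shop_name must be a string' );
    }
    $value = sanitize_text_field( $value );
    if ( '' === $value ) {
        return new WP_Error( 'empty', 'shop_name must not be empty' );
    }
    // Reject any value that parses as an absolute (scheme:) or
    // protocol-relative (//host) URL, not only ones starting with "http".
    if ( preg_match( '#^\s*(?:[a-z][a-z0-9+.-]*:|//)#i', $value ) ) {
        return new WP_Error( 'url_not_allowed', 'shop_name must not be a URL' );
    }
    return $value;
}

// Hypothetical asset URL builder: the origin is fixed to this plugin's own
// directory and cannot be changed through any option value.
function passeum_example_asset_url( $relative_path ) {
    $base = plugin_dir_url( __FILE__ );
    return esc_url_raw( $base . ltrim( $relative_path, '/' ) );
}

// Register assets from the fixed origin only; shop_name is used for display
// (escaped at output) and never as part of a script or style src.
function passeum_example_register_assets() {
    wp_register_script( 'passeum-example', passeum_example_asset_url( 'js/shop.js' ), array(), '1.0', true );
    wp_register_style( 'passeum-example', passeum_example_asset_url( 'css/shop.css' ), array(), '1.0' );
}
add_action( 'wp_enqueue_scripts', 'passeum_example_register_assets' );
```

When auditing an existing site, a stored `shop_name` value that begins with a scheme or `//` is the indicator to look for, since under the vulnerable behaviour described above that value becomes the origin of scripts loaded on every shortcode page.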

Explanation of Vulnerability in Simple Terms

Summary

Passeum Ticketing versions 1.0 and earlier contain a cross-site scripting vulnerability in a network-accessible component. An attacker with high privileges can inject malicious scripts that affect other users or systems. The vulnerability requires specific conditions to exploit and has limited impact on confidentiality and integrity.

What an attacker can do

Attacker Capabilities

Inject malicious scripts that execute in other users' browsers or affect connected systems.

Potential impact on your site

Site Impact

Users may be exposed to malicious scripts; data integrity could be compromised for affected users.

Conditions required to exploit

Prerequisites

Attacker must have high-level privileges in the application; specific attack conditions must be met.

Key dates

Disclosure timeline

June 2, 2026 CVE published
June 3, 2026 Record updated