CVE-2026-7421: Passeum Ticketing WordPress Plugin Stored XSS Vulnerability
A WordPress plugin called Passeum Ticketing contains a vulnerability that allows site administrators to inadvertently (or maliciously in compromised accounts) inject malicious scripts into a website. The plugin fails to properly validate the shop name setting, allowing an attacker with admin access to point the site to a malicious domain. When this happens, the plugin loads JavaScript and CSS files from that attacker-controlled domain, which then executes on every page of the website for all visitors. This is a stored cross-site scripting (XSS) vulnerability specific to multisite WordPress installations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the `get_shop_url()` method returning the `shop_name` setting value without sanitization when it begins with "http", combined with insufficient validation in the `validate_shop_name()` function which only checks for empty values and string type. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary external scripts by setting the `shop_name` to an attacker-controlled URL (e.g., `https://attacker.com`), which causes the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain via `wp_register_script()` and `wp_register_style()`. The injected scripts execute on every frontend page containing any Passeum Ticketing shortcode, affecting all site visitors. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from two validation failures in the Passeum Ticketing plugin. The `get_shop_url()` method returns the `shop_name` configuration value without sanitization when it begins with 'http://' or 'https://', and the `validate_shop_name()` function only performs basic checks (empty value and type validation) without verifying that the URL points to a legitimate, trusted domain. An authenticated attacker with Administrator privileges exploits this by setting the shop_name to a malicious URL. The plugin then calls `wp_register_script()` and `wp_register_style()` with that URL, causing WordPress to enqueue external resources from the attacker's domain. These resources execute in the browser context of every site visitor on any page displaying a Passeum Ticketing shortcode, achieving persistent malicious script injection.
Business impact
Compromise of a Passeum Ticketing-enabled WordPress multisite installation could result in malware distribution, credential harvesting, or defacement affecting all site visitors. Since the injected scripts run on every frontend page with a shortcode, the attack surface is broad—potentially impacting user accounts, sensitive information capture, and site reputation. The vulnerability requires admin-level access, limiting exposure to compromised admin accounts, disgruntled employees, or sites using weak administrative credentials. Single-site WordPress installations are not affected due to WordPress's built-in unfiltered_html capability for administrators.
Affected systems
Passeum Ticketing plugin for WordPress, all versions up to and including 1.0. The vulnerability is relevant only to multisite WordPress installations (WordPress Multisite mode enabled). Single-site installations are not vulnerable due to WordPress's permission model. Any WordPress multisite deployment using this plugin with administrator-role users is at potential risk.
Exploitability
Exploitation requires authenticated access with Administrator-level privileges on the WordPress multisite installation, making opportunistic external attacks unlikely. However, the attack is trivial to execute once administrative access is gained—a single configuration change to the shop_name setting is sufficient. The vulnerability is high-impact if an admin account is compromised or if a disgruntled admin intentionally injects malicious content. The attack is silent and persistent, affecting all site visitors without additional trigger conditions.
Remediation
Update the Passeum Ticketing plugin to a patched version that implements proper input validation and sanitization of the shop_name setting. Verify against the vendor's security advisory for the exact patched version number. Until a patch is available, restrict WordPress administrator role assignments to trusted users only, enforce strong authentication (multi-factor authentication), and monitor admin account activity for unauthorized configuration changes. Consider using WordPress security plugins that alert on changes to plugin settings or enqueued external resources.
Patch guidance
Consult the official Passeum Ticketing plugin repository or vendor website for the patched version addressing this vulnerability. Apply updates promptly to all affected WordPress multisite instances. Verify the patch version against the vendor's official security advisory before deploying. Test the patch in a staging environment to confirm compatibility with other plugins and themes before production deployment.
Detection guidance
Check the Passeum Ticketing plugin's shop_name configuration setting in your WordPress database (typically wp_options table for multisite networks) for any unexpected external URLs. Review network-level plugin settings and audit admin configuration changes in your WordPress audit logs if available through security plugins. Monitor frontend pages for externally loaded resources from unexpected domains using browser developer tools or security scanning services. Use server-side web application firewalls to detect and alert on requests loading scripts from untrusted external sources tied to your WordPress domain.
Why prioritize this
Although assigned a MEDIUM severity score due to requiring high-privilege authentication, this vulnerability warrants timely attention because it enables persistent malicious script injection affecting all site visitors if an admin account is compromised. Multisite WordPress deployments hosting user-facing services, e-commerce, or community content are especially at risk. The low barrier to exploitation once admin access is obtained and the potential for broad visitor impact justify prompt patching before widespread adoption of the vulnerable plugin version.
Risk score, explained
The CVSS 3.1 score of 4.4 (MEDIUM) reflects the high-privilege prerequisite (PR:H) and high attack complexity (AC:H) due to the need for administrative access and the multisite-only applicability. However, the network-wide scope (S:C) and confidentiality/integrity impact (C:L/I:L) indicate real risk. The score does not capture the scenario of a compromised admin account or insider threat, which would represent substantially higher practical risk in some environments.
Frequently asked questions
Does this affect my single-site WordPress installation?
No. WordPress administrators on single-site installations already have the unfiltered_html capability by default, so this vulnerability does not apply. Only WordPress Multisite configurations are vulnerable.
What should I do immediately if I use Passeum Ticketing on a multisite?
Audit your WordPress admin user list to ensure only trusted users have Administrator role. Verify the shop_name setting has not been set to an external URL. Enable multi-factor authentication for all admin accounts if not already in place. Then wait for and apply the patched plugin version.
Is there an active exploit in the wild?
This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so there is no confirmed public exploit campaign at this time. However, you should treat this as a priority update given the low attack complexity once admin access is obtained.
Can I temporarily disable the Passeum Ticketing plugin until a patch is available?
Yes. Disabling the plugin removes the vulnerability surface entirely until a patched version is available and tested. This is a safe interim measure if your site cannot operate without the plugin's functionality or while awaiting vendor patches.
This analysis is based on the CVE description and CVSS assessment as of the publication date. Patch version numbers and specific vendor remediation steps should be verified against the official Passeum plugin repository and vendor security advisory. SEC.co does not provide legal or compliance advice; organizations should assess risk in the context of their specific deployments and regulatory requirements. No exploit code or weaponized proof-of-concept is provided. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2025-14042MEDIUMStored XSS in Automotive Car Dealership Business WordPress Theme 13.4.1