Description
The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the `get_shop_url()` method returning the `shop_name` setting value without sanitization when it begins with "http", combined with insufficient validation in the `validate_shop_name()` function which only checks for empty values and string type. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary external scripts by setting the `shop_name` to an attacker-controlled URL (e.g., `https://attacker.com`), which causes the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain via `wp_register_script()` and `wp_register_style()`. The injected scripts execute on every frontend page containing any Passeum Ticketing shortcode, affecting all site visitors. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
Published: 2026-06-02
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Passeum Ticketing plugin allows an authenticated user with administrator privileges to store a malicious script by setting the shop_name option to a value beginning with "http". Because the plugin outputs the shop_name without sanitization, the script is executed on every front‑end page that uses any Passeum Ticketing shortcode. The injected script runs in the browsers of all site visitors, enabling actions such as cookie theft, session hijacking, or phishing attacks. This vulnerability is a classic stored cross‑site scripting flaw, classified as CWE‑79.

Affected Systems

All installations of the Passeum Ticketing WordPress plugin up to and including version 1.0 on multisite networks are affected. The issue does not occur on single‑site installations where administrators already possess the unfiltered_html capability. The vulnerable code resides in the get_shop_url() method and validate_shop_name() function of the plugin’s core files.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not currently widely exploited. However, any site that has an administrator with the ability to modify the shop_name setting is at risk, and the stored nature of the flaw means that visitors can be impacted without further interaction. An attacker must first authenticate as an administrator on a multisite network; once that prerequisite is satisfied, the attacker can inject arbitrary external scripts that are served from the attacker‑controlled domain.

Generated by OpenCVE AI on June 3, 2026 at 04:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Passeum Ticketing to the latest patched release; if one is not available, remove or disable the plugin until a fix is released.
  • Restrict administrator accounts on multisite installations, ensuring that shop_name values cannot point to external URLs or that administrators lack the ability to modify this option.
  • If upgrading is not possible, apply a custom sanitization step to the shop_name field using WordPress escaping functions (e.g., esc_url_raw) before it is stored or output.
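One way to implement the third recommendation, as an added example that is not the Passeum Ticketing plugin's own code: esc_url_raw() only normalises URL syntax and would pass an external https URL through unchanged, so a hardened sanitizer also has to pin the host to an allowlist. The option key passeum_shop_name and the allowed host are assumptions.

```php
<?php
// Added example (not the plugin's own code). Assumes the setting is saved
// under the option key 'passeum_shop_name' and that only the hosts listed in
// PASSEUM_ALLOWED_SHOP_HOSTS may serve the enqueued JavaScript and CSS.
// Both the option key and the host list are assumptions, not plugin values.

const PASSEUM_ALLOWED_SHOP_HOSTS = array( 'tickets.example.com' ); // placeholder host

/**
 * Hardened replacement for a validator that only checks "non-empty string".
 * Plain shop names (no scheme) are reduced to plain text; values that start
 * with "http" must be https, parseable, and on an allowlisted host, otherwise
 * an empty string is returned so the plugin has nothing external to enqueue.
 */
function passeum_sanitize_shop_name_hardened( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    $value = trim( $value );
    if ( '' === $value ) {
        return '';
    }
    // Non-URL shop names: strip tags and control characters, nothing more.
    if ( 0 !== stripos( $value, 'http' ) ) {
        return sanitize_text_field( $value );
    }
    // URL shop names: esc_url_raw() rejects non-https schemes and fixes
    // syntax, but does not restrict origin, so the host is checked explicitly.
    $url = esc_url_raw( $value, array( 'https' ) );
    if ( '' === $url ) {
        return '';
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['host'] ) || 'https' !== ( $parts['scheme'] ?? '' ) ) {
        return '';
    }
    if ( ! in_array( strtolower( $parts['host'] ), PASSEUM_ALLOWED_SHOP_HOSTS, true ) ) {
        return ''; // external origin: refuse rather than enqueue from it
    }
    return $url;
}

// Runs on every update_option()/Settings API save of the assumed option key.
add_filter( 'sanitize_option_passeum_shop_name', 'passeum_sanitize_shop_name_hardened' );
```

With this filter in place a value such as `https://attacker.com` is stored as an empty string, so wp_register_script() and wp_register_style() are never pointed at an unlisted domain.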

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

Type: First Time appeared
Values Added: Passeum; Passeum passeum Ticketing; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Passeum; Passeum passeum Ticketing; Wordpress; Wordpress wordpress

Wed, 03 Jun 2026 02:30:00 +0000

Type: Description
Values Added: the description text shown at the top of this page

Type: Title
Values Added: Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-03T14:07:40.856Z

Reserved: 2026-04-29T14:25:19.682Z

Link: CVE-2026-7421

Vulnrichment

Updated: 2026-06-03T13:19:14.310Z

NVD

Status : Received

Published: 2026-06-03T00:16:44.947

Modified: 2026-06-03T00:16:44.947

Link: CVE-2026-7421

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:19Z

Weaknesses