Stored Cross-Site Scripting in Passeum Ticketing Plugin for WordPress
CVE-2026-7421

4.4 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 2 June 2026

What is CVE-2026-7421?

The Passeum Ticketing plugin for WordPress contains a stored cross-site scripting vulnerability that allows authenticated attackers with Administrator-level access to inject malicious scripts through the shop_name setting. The get_shop_url() method outputs the value without validation when shop_name starts with 'http'. An attacker can therefore set shop_name to a URL they control, which leads to the execution of arbitrary JavaScript and CSS on any frontend page that includes Passeum Ticketing shortcodes and endangers all visitors to the site. Single-site installations are not affected, because they grant administrators the unfiltered_html capability.
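The pattern described above, as an added example that is not the plugin's own code: a prefix test on shop_name beside a version that parses the value and accepts only https URLs on an allow-listed host. The function names, the shop.example.com host, the slug-to-URL fallback and the script tag output are assumptions made for illustration.

```php
<?php
// Added illustration. Names, the allow-listed host and the slug fallback are
// assumptions; this is not the plugin's source code.
const ALLOWED_SHOP_HOSTS = ['shop.example.com'];   // placeholder host

// Pattern from the advisory: anything starting with "http" is returned as-is.
function shop_url_prefix_check(string $shop_name): string
{
    if (strpos($shop_name, 'http') === 0) {
        return $shop_name;                 // scheme and host are never checked
    }
    return 'https://' . ALLOWED_SHOP_HOSTS[0] . '/' . rawurlencode($shop_name);
}

// Hardened form: accept a plain slug, or an https URL on an allow-listed host.
// Returns null for everything else so the caller emits nothing.
function shop_url_validated(string $shop_name): ?string
{
    $shop_name = trim($shop_name);
    if (preg_match('/^[a-z0-9-]{1,63}$/i', $shop_name)) {
        return 'https://' . ALLOWED_SHOP_HOSTS[0] . '/' . $shop_name;
    }
    $parts = parse_url($shop_name);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if ($scheme !== 'https' || !in_array($host, ALLOWED_SHOP_HOSTS, true)) {
        return null;
    }
    // Rebuild from parsed parts instead of echoing the stored string back.
    return 'https://' . $host . ($parts['path'] ?? '/');
}

// Escape again at output; in WordPress esc_url() fills this role.
function shop_script_tag(?string $url): string
{
    return $url === null ? ''
        : '<script src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"></script>';
}

// Constructed sample values for the shop_name setting.
$samples = ['demo-shop', 'http-conference', 'https://shop.example.com/demo-shop',
            'https://untrusted.example/asset.js', 'http://shop.example.com/demo-shop'];
foreach ($samples as $value) {
    printf("%-38s prefix: %-38s validated: %s\n", $value,
        shop_url_prefix_check($value), shop_script_tag(shop_url_validated($value)) ?: '(rejected)');
}
```

The prefix check passes every sample that begins with "http" through unchanged, including the slug "http-conference" and the off-site URL, while the validated form rejects the off-site and plain-http values.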

Affected Version(s)

Passeum Ticketing 0 <= 1.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

KEVIN LEE