Passeum Ticketing Plugin Vulnerability (CVE-2026-7421)

Security Alert Summary

The Passeum Ticketing plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) in all versions up to and including 1.0. An authenticated user with Administrator-level privileges can set the plugin's shop_name setting to an attacker-controlled URL beginning with "http". That value is returned without sanitization and causes external JavaScript and CSS from the attacker's domain to be enqueued and executed on frontend pages containing Passeum Ticketing shortcodes.


CVE Details

  • CVE ID: CVE-2026-7421
  • Affected component: Passeum Ticketing plugin for WordPress
  • Affected versions: All versions up to and including 1.0
  • Published: June 3, 2026 at 12:16 AM UTC
  • Last modified: June 3, 2026 at 12:16 AM UTC
  • CVSS v3.1: Base Score 4.4 (MEDIUM) – Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
  • Authentication / Privileges / User Interaction: Network attack vector; privileges required: High (Administrator-level access); user interaction: None
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • Weakness (CWE): CWE-79 (Improper Neutralization of Input During Web Page Generation)

Technical Details

This vulnerability exists because the plugin's get_shop_url() method returns the stored shop_name setting value without proper sanitization whenever that value begins with "http". The plugin's validate_shop_name() function only checks that the value is non-empty and is a string, which is insufficient to prevent an attacker-controlled URL from being stored.

When an attacker with Administrator-level privileges sets shop_name to a URL under their control (for example, "https://attacker.com"), the plugin calls wp_register_script() and wp_register_style() to register and enqueue assets from that external domain. Those external scripts and styles are then loaded on every frontend page that includes any Passeum Ticketing shortcode, allowing the attacker's JavaScript to execute in the browsers of site visitors.

The impact differs between multisite and single-site installations: the report notes that this issue does not affect single-site installations, where administrators already possess the unfiltered_html capability.
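As an added illustration (not the Passeum Ticketing plugin's own code), the following models the validation pattern the advisory describes beside a hardened form that treats shop_name as a slug rather than a URL and only ever builds asset URLs from the site's own origin. The option name passeum_shop_name, the script handle and the asset path are assumptions.

```php
<?php
// Added example; not the plugin's code. Models the defect described above
// and a hardened alternative. 'passeum_shop_name' and the asset path are assumed.

// Vulnerable pattern as described: only emptiness and type are checked,
// and a value starting with "http" is returned as-is and used as an asset base.
function vulnerable_validate_shop_name( $value ) {
    return ! empty( $value ) && is_string( $value );
}

function vulnerable_get_shop_url( $shop_name ) {
    if ( 0 === strpos( $shop_name, 'http' ) ) {
        return $shop_name; // foreign origin flows straight into wp_register_script()
    }
    return home_url( '/' . rawurlencode( $shop_name ) . '/' );
}

// Hardened form: the setting is an identifier, never a URL. Reject anything that
// is not a short slug, so no scheme, host, path separator or markup can be stored.
function hardened_validate_shop_name( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    return (bool) preg_match( '/^[A-Za-z0-9_-]{1,64}$/', trim( $value ) );
}

function hardened_get_shop_url( $shop_name ) {
    if ( ! hardened_validate_shop_name( $shop_name ) ) {
        return home_url( '/' ); // safe fallback: never echo the raw value
    }
    // Assets are only ever enqueued from this site's own origin.
    return home_url( '/' . sanitize_key( trim( $shop_name ) ) . '/' );
}

// Register the setting with the strict validator so bad values never reach the DB.
add_action( 'admin_init', function () {
    register_setting( 'passeum', 'passeum_shop_name', array(
        'type'              => 'string',
        'sanitize_callback' => function ( $v ) {
            return hardened_validate_shop_name( $v ) ? sanitize_key( trim( $v ) ) : '';
        },
    ) );
} );

add_action( 'wp_enqueue_scripts', function () {
    $base = hardened_get_shop_url( get_option( 'passeum_shop_name', '' ) );
    // esc_url_raw() strips unsafe schemes before the URL reaches the page.
    wp_register_script( 'passeum-frontend', esc_url_raw( $base . 'assets/frontend.js' ), array(), '1.0', true );
    wp_enqueue_script( 'passeum-frontend' );
} );
```

For incident review, the same validator can be run over the stored option value: any result of false on an existing installation indicates a setting that should be inspected and reset.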


How This Could Impact Your Website

Consider a site with multiple users: a site owner, internal staff who manage events and content, and an external contractor who helps with event listings. If an Administrator account is manipulated or already controlled by an attacker, setting the shop_name to an attacker domain could cause malicious scripts to load on public event pages. Site visitors and contributors who view pages with the Passeum Ticketing shortcode could have their browsers execute those scripts.

Practical consequences include exposure of information accessible in the browser context (for example, form contents or session-specific data), increased risk of targeted phishing against known site contributors or subscribers, and the possibility of UI manipulation that undermines trust in your site. If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, and limit Administrator privileges to trusted accounts only.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your installation.
  • Monitor site activity and logs for unusual behavior, especially changes to plugin settings or newly registered external assets.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
