CVE-2026-7421

The Passeum Ticketing plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.0. This is due to the get shop url() method returning the shop name setting value without sanitization when it begins with "http", combined with insufficient validation in the validate shop name() function which only checks for empty values and string type. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary external scripts by setting the shop name to an attacker-controlled URL (e.g., https://attacker.com), which causes the plugin to enqueue external JavaScript and CSS from the attacker-controlled domain via wp register script() and wp register style(). The injected scripts execute on every frontend page containing any Passeum Ticketing shortcode, affecting all site visitors. Please note that this does not affect single-site installations as administrators already have the unfiltered html capability.