Passeum Ticketing
- Affected versions: <= 1.0
A stored cross-site scripting vulnerability has been identified in the Passeum Ticketing plugin for WordPress, affecting all versions through 1.0. The issue arises because the 'get_shop_url()' method returns the 'shop_name' setting value without proper sanitization when it starts with 'http'. This, coupled with inadequate validation in the 'validate_shop_name()' function, which only checks for empty values and string types, allows authenticated attackers with Administrator-level access to inject arbitrary external scripts. When 'shop_name' is set to a URL controlled by the attacker, the plugin can be made to enqueue JavaScript and CSS from that domain. The injected scripts then execute on the frontend for all visitors. This vulnerability does not impact single-site installations, as administrators there have the 'unfiltered_html' capability.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
To reproduce this vulnerability, an authenticated user with Administrator-level access can navigate to the Passeum Ticketing plugin settings. There, they can enter a URL starting with 'http' into the 'shop_name' field. After saving the settings, the plugin will enqueue scripts from the specified URL. This can be verified by visiting a page that contains a Passeum Ticketing shortcode, where the injected script will execute.
Users are advised to update to Passeum Ticketing version 1.0.1, where this vulnerability has been fixed.
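A stricter validator for the 'shop_name' setting than the empty/string-type check described above, as an added example that is not the plugin's code or its 1.0.1 fix. The function name `strict_validate_shop_name`, the identifier format and the allowlisted host `shop.example.com` are assumptions.

```php
<?php
// Added example: not the plugin's code and not its 1.0.1 patch.
// Assumptions: the identifier format and the allowlisted host below.
const ALLOWED_SHOP_HOSTS = ['shop.example.com']; // placeholder host

/** Return a normalized shop_name, or null when the value must be rejected. */
function strict_validate_shop_name($value): ?string
{
    if (!is_string($value) || trim($value) === '') {
        return null; // the two checks the advisory says version 1.0 performs
    }
    $value = trim($value);

    // Case 1: bare shop identifier (assumed: lowercase letters, digits, hyphens).
    // Values starting with 'http' are excluded because the URL getter treats them as URLs.
    if (strncmp($value, 'http', 4) !== 0
        && preg_match('/\A[a-z0-9][a-z0-9-]{0,62}\z/', $value) === 1) {
        return $value;
    }

    // Case 2: full URL. Require https and an allowlisted host, and refuse
    // userinfo, port, query and fragment components outright.
    $parts = parse_url($value);
    if (!is_array($parts)) {
        return null;
    }
    foreach (['user', 'pass', 'port', 'query', 'fragment'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return null;
        }
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    $path   = $parts['path'] ?? '';
    if ($scheme !== 'https'
        || !in_array($host, ALLOWED_SHOP_HOSTS, true)
        || preg_match('#\A(/[A-Za-z0-9._~-]*)*\z#', $path) !== 1) {
        return null;
    }
    // Rebuild from the parsed parts so only validated components are stored.
    return 'https://' . $host . rtrim($path, '/');
}

// Constructed sample inputs, printed with the validator's decision.
$samples = ['my-shop', 'https://shop.example.com/tickets/', 'http://shop.example.com/',
            'https://cdn.other.example/assets', 'https://shop.example.com@other.example/', 42, ''];
foreach ($samples as $s) {
    echo var_export($s, true), ' => ', var_export(strict_validate_shop_name($s), true), PHP_EOL;
}
```

Applying the same check when the stored value is read, not only when it is saved, keeps a value written before the update from being trusted.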