Description

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

PUBLISHED Reserved 2026-06-10 | Published 2026-06-10 | Updated 2026-06-10 | Assigner VulnCheck




MEDIUM: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N)
MEDIUM: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version
affected

Credits

Scott Moore - VulnCheck finder

References

wordpress.org/plugins/juicer/ (WordPress Plugin Repository) product

www.vulncheck.com/...te-scripting-via-unescaped-api-response (VulnCheck Advisory: Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response) third-party-advisory

cve.org (CVE-2026-53737)

nvd.nist.gov (CVE-2026-53737)
