Skip to main content

Juicer WordPress Plugin CVE-2026-53737

| EUVDEUVD-2026-36138 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-10 VulnCheck GHSA-59cg-pg2j-hj7m
5.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.1 MEDIUM

Network delivery via feed API; no WP privileges needed (PR:N); admin must visit settings page (UI:R); scope changes to admin browser session with low C/I impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 10, 2026 - 23:21 vuln.today

DescriptionCVE.org

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

AnalysisAI

Stored cross-site scripting in the Juicer WordPress plugin (versions through 1.12.18) allows an attacker who controls a connected social media feed source to inject arbitrary JavaScript that executes in a WordPress administrator's browser when the Juicer settings page loads. The plugin fetches remote feed API responses and renders them on the admin settings page without HTML output escaping, enabling script injection via externally controlled data. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 5.3 reflects the passive user interaction requirement limiting broad exploitation.

Technical ContextAI

Juicer is a WordPress plugin published by saas.group (CPE: cpe:2.3:a:saas.group:juicer:*:*:*:*:*:*:*:*) that aggregates and displays social media feeds on WordPress sites by consuming third-party feed APIs. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a failure to apply output encoding before inserting externally sourced data into an HTML rendering context. This is a second-order or 'stored-via-external-data' XSS pattern: rather than persisting malicious input directly in the WordPress database, the attack payload arrives through a connected feed API response at render time and is reflected unescaped into the admin DOM. The admin settings page becomes the unsafe sink where untrusted remote data is written without sanitization.

RemediationAI

No specific patched version is identified in the available data - the upstream fix version is not independently confirmed from the provided references. Administrators should monitor the official WordPress plugin page (https://wordpress.org/plugins/juicer/) and the VulnCheck advisory (https://www.vulncheck.com/advisories/juicer-through-stored-cross-site-scripting-via-unescaped-api-response) for a released fix. As an immediate compensating control, administrators can disconnect all feed sources from the Juicer plugin settings, eliminating the attack surface at the cost of disabling the plugin's core aggregation functionality. Alternatively, restricting admin dashboard access to trusted IP ranges via server or WAF-level rules reduces the window during which the settings page can be triggered by a social-engineered admin, though this does not remediate the underlying flaw. Deactivating and removing the plugin entirely is the safest interim option if feed display is not operationally critical.

Share

CVE-2026-53737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy