Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

Basic Information

ID CVE-2026-53737

Source VulnCheck

Published Jun 10, 2026 at 20:39

Affected Product

Vendor saas.group

Product Juicer

Affected Versions saas.group Juicer 0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.",
    "published": "2026-06-10T20:39:42.625Z",
    "modified": "2026-06-10T20:39:42.625Z",
    "type": "cve",
    "title": "Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response",
    "source": "VulnCheck",
    "references": "https://wordpress.org/plugins/juicer/\nhttps://www.vulncheck.com/advisories/juicer-through-stored-cross-site-scripting-via-unescaped-api-response",
    "id": "CVE-2026-53737",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "saas.group Juicer 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Juicer",
    "version": "0",
    "vendor": "saas.group",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response_CVE-2026-53737