CVE-2026-53737

MEDIUM 6.1

Juicer through 1.12.18 Stored Cross-Site Scripting via Unescaped API Response

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.

CWE	CWE-79
Vendor	saas.group
Product	juicer
Published	Jun 10, 2026

Stay Ahead of the Next One

Get instant alerts for saas.group juicer

Be the first to know when new medium vulnerabilities affecting saas.group juicer are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

saas.group / Juicer

0 ≤ 1.12.18

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordpress.org: https://wordpress.org/plugins/juicer/ vulncheck.com: https://www.vulncheck.com/advisories/juicer-through-stored-cross-site-scripting-via-unescaped-api-response

Credits

Scott Moore - VulnCheck