Impact
The vulnerability resides in the Juicer plugin for WordPress, versions up to and including 1.12.18. The plugin fails to escape data returned from an external feed API before rendering it on the plugin's admin settings page. An attacker who can control the content of any connected feed can therefore inject arbitrary HTML or JavaScript that executes in the browser of any site administrator who loads that page. The weakness is classified as CWE-79 (improper neutralization of input during web page generation); because the payload persists in the feed and is served on every load of the settings page, it behaves as stored cross-site scripting. Script running in an administrator's session can drive the WordPress admin interface with that administrator's privileges, so hijacking the administrator session, defacing content, or using the site to distribute malware are all realistic outcomes. The impact is confined to the administrative interface: users who cannot open the settings page never receive the injected script.
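To make the failure mode concrete, the following is an added illustration written for this page, not Juicer's own code: a hypothetical settings-page renderer for items fetched from a feed API, shown in its vulnerable form and with output escaping applied. The item fields (`author`, `text`, `link`), the constructed feed response and the function names are assumptions; the `esc_html()`, `esc_attr()` and `esc_url()` shims are minimal stand-ins so the file runs outside WordPress, where the real helpers would be used.

```php
<?php
// Added example, not code from the Juicer plugin. Shows unescaped feed data
// reaching admin-page HTML (CWE-79) beside the same renderer with escaping.

// Minimal stand-ins for WordPress escaping helpers so this runs stand-alone.
// Inside WordPress the real esc_html()/esc_attr()/esc_url() are already defined.
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    function esc_url($url) {
        // Stand-in: allow only http(s); javascript: and data: URLs are dropped entirely.
        $url = trim((string) $url);
        if (!preg_match('#^https?://#i', $url)) { return ''; }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed feed response (assumed shape) standing in for what an attacker
// who controls a connected feed could return. The vulnerable code trusts it.
$feed_json = '[{"author":"alice",'
           . '"text":"<img src=x onerror=alert(document.cookie)>",'
           . '"link":"javascript:alert(1)"}]';
$items = json_decode($feed_json, true);

// VULNERABLE: feed fields are concatenated straight into admin-page markup,
// so the <img onerror=...> and javascript: href execute in the admin's browser.
function render_feed_items_vulnerable(array $items): string {
    $html = '<ul class="feed-preview">';
    foreach ($items as $item) {
        $html .= '<li><a href="' . $item['link'] . '">' . $item['author'] . '</a>: '
               . $item['text'] . '</li>';
    }
    return $html . '</ul>';
}

// HARDENED: each value is escaped at output time for the context it lands in
// (URL attribute, text node), regardless of the fact that it came from an API.
function render_feed_items_hardened(array $items): string {
    $html = '<ul class="feed-preview">';
    foreach ($items as $item) {
        $html .= '<li><a href="' . esc_url($item['link'] ?? '') . '">'
               . esc_html($item['author'] ?? '') . '</a>: '
               . esc_html($item['text'] ?? '') . '</li>';
    }
    return $html . '</ul>';
}

echo "vulnerable:\n", render_feed_items_vulnerable($items), "\n\n";
echo "hardened:\n", render_feed_items_hardened($items), "\n";
```

The point the example makes is that WordPress's escaping rule ("escape late, at output") applies to data from a remote API exactly as it does to form input: the feed is a third party, and whoever can post into it controls what the administrator's browser parses. If a feed legitimately carries limited markup that must be preserved, `wp_kses_post()` is the WordPress helper for filtering it to an allow-list rather than echoing it raw.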
Affected Systems
Juicer plugin for WordPress, version 1.12.18 and earlier, as distributed by saas.group. The vulnerability exists on all WordPress sites that have Juicer installed and have enabled any external feed data source. No other vendors or products are directly affected by this flaw.
Risk and Exploitability
The CVSS base score of 5.3 places this issue in the Medium severity band. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalogue; this indicates no known exploitation at present, not evidence that exploitation is unlikely. Exploitation requires the attacker to control the content of at least one feed the plugin pulls; no WordPress account or other privilege on the target site is needed, because the injected script runs with the privileges of whichever administrator opens the settings page. Once a payload is present in the feed, it executes automatically on every visit to that page. The attack vector is inferred to be remote, since the payload arrives through the external feed rather than through an action by a user of the site. Because the consequences bear on the confidentiality and integrity of the site's administrative functions, prompt remediation is justified.
OpenCVE Enrichment