Juicer < 1.11 - Contributor+ Stored XSS
Description
The Juicer WordPress plugin before 1.11 has a stored XSS vulnerability via unsanitized shortcode attributes, allowing contributor+ users to inject arbitrary scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Juicer WordPress plugin versions before 1.11 fail to validate and escape shortcode attributes before outputting them in a page or post where the shortcode is embedded [1]. This allows users with the contributor role and above to inject arbitrary HTML and JavaScript via crafted shortcode attributes. Affected versions: all versions prior to 1.11.
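The pattern described above, illustrated with a generic WordPress shortcode handler. This is an added example and is not Juicer's own code: the `demo_shortcode_*` functions and the attribute names (`feed`, `title`, `link`) are hypothetical, and the WordPress helpers `shortcode_atts()`, `esc_attr()`, `esc_html()` and `esc_url()` are given simplified stand-ins so the file runs under plain `php` outside WordPress.

```php
<?php
// Added illustration, not the Juicer plugin's code. Shows the vulnerable
// pattern (attribute values concatenated straight into markup) next to the
// hardened one (every value escaped for the context it lands in).

// --- Simplified stand-ins for WordPress helpers when run outside WordPress ---
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        // Keep only known attribute names; fill in defaults for missing ones.
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? (string) $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Simplified: only http(s) URLs survive, then the value is attribute-escaped.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

$defaults = ['feed' => '', 'title' => 'Feed', 'link' => ''];

// Vulnerable pattern: contributor-controlled attribute values reach the page unescaped.
function demo_shortcode_vulnerable(array $atts): string {
    global $defaults;
    $a = shortcode_atts($defaults, $atts);
    return '<div class="feed" data-feed="' . $a['feed'] . '">'
         . '<a href="' . $a['link'] . '">' . $a['title'] . '</a></div>';
}

// Hardened pattern: validate where a strict shape is known, escape per output context.
function demo_shortcode_fixed(array $atts): string {
    global $defaults;
    $a = shortcode_atts($defaults, $atts);
    // Assumption for the demo: feed identifiers are short alphanumeric tokens.
    $feed = preg_match('/^[A-Za-z0-9_-]{1,64}$/', $a['feed']) ? $a['feed'] : '';
    return '<div class="feed" data-feed="' . esc_attr($feed) . '">'   // attribute context
         . '<a href="' . esc_url($a['link']) . '">'                    // URL attribute context
         . esc_html($a['title']) . '</a></div>';                       // text content context
}

// Constructed sample input: values that would break out of their context if unescaped.
$sample = [
    'feed'  => 'abc" data-x="',
    'title' => '<b>not bold</b>',
    'link'  => 'javascript:void(0)',
];
echo "vulnerable: " . demo_shortcode_vulnerable($sample) . PHP_EOL;
echo "fixed:      " . demo_shortcode_fixed($sample) . PHP_EOL;
```

In the fixed output the quote in `feed` never reaches the attribute (the value fails the whitelist and is emitted empty), the `title` markup is rendered as literal text, and the non-http(s) `link` is dropped. Reviewing a plugin for this class of bug means checking each shortcode attribute on its way to output: the escaping function must match the context (attribute, URL, text, or `wp_kses_post()` for intentionally allowed HTML), and a value with a known strict shape should be validated rather than trusted as free text.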
Exploitation
An attacker with contributor-level access or higher can create or edit a post/page containing the vulnerable shortcode with malicious attribute values. No additional privileges or user interaction beyond the attacker's own actions are required. The injected script will be stored and executed when any user views the affected page.
Impact
Successful exploitation leads to Stored Cross-Site Scripting (XSS), enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, defacement, or redirection to malicious sites. The attack is persistent and affects all visitors to the compromised page.
Mitigation
The vulnerability is fixed in version 1.11 of the Juicer plugin [1]. Users should update to version 1.11 or later immediately. No workarounds are documented. The plugin is not listed on CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WordPress / Juicer
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://wpscan.com/vulnerability/c8982b8d-985f-4a5d-840d-e8be7c3405bd (mitre, exploit, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.