CVE-2026-10083

APCu Manager < 4.5.0 - Unauthenticated Stored XSS via Cache Key Pollution

Assigner: WPScan
Reserved: 29.05.2026 Published: 29.06.2026 Updated: 29.06.2026

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

Product Status

Vendor	Unknown
Product	APCu Manager
Versions	Default: unaffected affected from 0 to 4.5.0 (excl.)

Vendor

Unknown

Product

APCu Manager

Versions

Default: unaffected

affected from 0 to 4.5.0 (excl.)

Credits

Alessandro Greco aka Aleff finder
WPScan coordinator

References

Problem Types

CWE-79 Cross-Site Scripting (XSS) CWE

CVE-2026-10083 PUBLISHED

APCu Manager < 4.5.0 - Unauthenticated Stored XSS via Cache Key Pollution

Product Status

Credits

References

Problem Types