CVE-2026-10083
Received - Intake

Stored XSS in APCu Manager WordPress Plugin

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: WPScan

Description

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another plugin from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: apcu_manager
Product: apcu_manager
Version / Range: up to 4.5.0 (exclusive)

Exploitability

CWE ID: CWE-UNKNOWN

Executive Summary

The APCu Manager WordPress plugin before version 4.5.0 has a stored cross-site scripting (XSS) vulnerability. This occurs because the plugin does not properly escape APCu object-cache keys before displaying them in an admin-area page. Attackers can inject malicious JavaScript by manipulating cache keys derived from unsanitized user input, such as transient names created by another plugin through unauthenticated requests. When an administrator views the affected page, the injected script executes within their session.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the session of an administrator who views the affected admin-area page. This can lead to unauthorized actions performed with the administrator's privileges, such as stealing sensitive information, modifying site settings, or installing malicious content.

Detection Guidance

Detection of this vulnerability involves checking if the APCu Manager WordPress plugin version is prior to 4.5.0, as these versions are affected by the stored cross-site scripting issue.

Since the vulnerability arises from unsanitized cache keys being rendered in the admin area, one way to detect exploitation attempts is to monitor HTTP requests or logs for suspicious transient names or cache keys that could contain malicious JavaScript payloads.

Specific commands to detect the vulnerable plugin version or suspicious activity are not provided in the available resources.
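
The two checks described in this section, written out as an added example (not taken from the advisory or from the plugin's own code). It assumes the plugin's header text and a list of APCu key names have already been exported by some other means; the function names and the sample header and keys are constructed for illustration.

```python
import html
import re

FIXED_VERSION = (4, 5, 0)  # first fixed release according to the advisory

# Constructed sample inputs (not real data from any site).
SAMPLE_HEADER = """/**
 * Plugin Name: APCu Manager
 * Version: 4.4.2
 */"""
SAMPLE_KEYS = [
    "wp_transient_feed_ab12",
    "wp_transient_<img src=x>",   # carries markup characters
    "options_alloptions",
]

def parse_plugin_version(header_text):
    """Return the 'Version:' field of a WordPress plugin header as an int tuple."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.M | re.I)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(version):
    """True when the version is below 4.5.0 (a bare '4.5' counts as 4.5.0)."""
    padded = tuple(version) + (0,) * (len(FIXED_VERSION) - len(version))
    return padded < FIXED_VERSION

def suspicious_keys(keys):
    """Keys that HTML escaping would alter, i.e. that are unsafe to print raw."""
    return [k for k in keys if html.escape(k, quote=True) != k]

if __name__ == "__main__":
    version = parse_plugin_version(SAMPLE_HEADER)
    print("installed version:", version)
    print("affected by CVE-2026-10083:", version is not None and is_vulnerable(version))
    for key in suspicious_keys(SAMPLE_KEYS):
        # Escape before display so the report itself cannot render markup.
        print("key needs review:", html.escape(key))
```

A flagged key is only a prompt for review: ordinary keys can legitimately contain `&` or quote characters.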

Mitigation Strategies

The immediate mitigation step is to update the APCu Manager WordPress plugin to version 4.5.0 or later, where the vulnerability has been fixed by properly escaping APCu object-cache keys.

Until the update can be applied, administrators should be cautious when accessing the affected admin-area pages, especially if persistent object caching is enabled and untrusted users can create transient names or cache keys.
