CVE 7.5 HIGH

APCu Manager < 4.5.0 - Unauthenticated Stored XSS via Cache Key Pollution_CVE-2026-10083

7.5 / 10
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

Basic Information

ID CVE-2026-10083
Source WPScan
Published Jun 29, 2026 at 06:00
Modified Jun 29, 2026 at 12:44

Affected Product

Vendor Unknown
Product APCu Manager
Affected Versions Unknown APCu Manager 0

CWE Classification

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.