CVE-2026-10083: CWE-79 Cross-Site Scripting (XSS) in APCu Manager
The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
AI Analysis
Technical Summary
CVE-2026-10083 is a stored Cross-Site Scripting vulnerability in the APCu Manager WordPress plugin versions prior to 4.5.0. The vulnerability arises from the plugin's failure to escape APCu object-cache keys before rendering them in an admin-area page. When persistent object caching is enabled, an attacker can craft cache keys from unsanitized user input (such as transient names created by unauthenticated requests) that are stored and later rendered without proper escaping. This allows execution of arbitrary JavaScript in the context of an administrator's session, potentially leading to session hijacking or other malicious actions.
Potential Impact
An attacker can inject malicious JavaScript that executes in the browser session of an administrator viewing the affected admin page. This can lead to session hijacking, privilege escalation, or other attacks that rely on executing scripts in the administrator's context. The vulnerability requires that persistent object caching is enabled and that an attacker can influence cache keys stored by the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling persistent object caching or avoid using the APCu Manager plugin versions prior to 4.5.0. Monitoring for updates from the plugin vendor is recommended to apply an official fix once released.
CVE-2026-10083: CWE-79 Cross-Site Scripting (XSS) in APCu Manager
Description
The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
CVSS v3.1
Score 7.5high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-10083 is a stored Cross-Site Scripting vulnerability in the APCu Manager WordPress plugin versions prior to 4.5.0. The vulnerability arises from the plugin's failure to escape APCu object-cache keys before rendering them in an admin-area page. When persistent object caching is enabled, an attacker can craft cache keys from unsanitized user input (such as transient names created by unauthenticated requests) that are stored and later rendered without proper escaping. This allows execution of arbitrary JavaScript in the context of an administrator's session, potentially leading to session hijacking or other malicious actions.
Potential Impact
An attacker can inject malicious JavaScript that executes in the browser session of an administrator viewing the affected admin page. This can lead to session hijacking, privilege escalation, or other attacks that rely on executing scripts in the administrator's context. The vulnerability requires that persistent object caching is enabled and that an attacker can influence cache keys stored by the plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, administrators should consider disabling persistent object caching or avoid using the APCu Manager plugin versions prior to 4.5.0. Monitoring for updates from the plugin vendor is recommended to apply an official fix once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-05-29T11:32:45.577Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a42197427e9c7971969243e
Added to database: 06/29/2026, 07:06:28 UTC
Last enriched: 06/29/2026, 07:22:16 UTC
Last updated: 06/29/2026, 14:08:34 UTC
Views: 39
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.