CVE Catalog

CVE-2026-10083

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

5th percentile — higher than 5% of all known CVEs

Summary

The APCu Manager WordPress plugin before version 4.5.0 fails to escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. Cache keys derived from unsanitized user input (e.g., a transient name created by an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

Risk Assessment

An attacker can hijack an administrator session, steal sensitive data, or modify the WordPress site configuration, posing a serious threat to system security and integrity.

Recommendation

Immediately update the APCu Manager plugin to version 4.5.0 or later, which includes a fix for the XSS vulnerability.

Original NVD description (English source)

The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS