CVE-2026-10083
APCu Manager < 4.5.0 - Unauthenticated Stored XSS via Cache Key Pollution
Description
The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
INFO
Published Date :
June 29, 2026, 6 a.m.
Last Modified :
June 29, 2026, 6 a.m.
Remotely Exploit :
No
Source :
WPScan
Affected Products
The following products are affected by CVE-2026-10083
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Update APCu Manager plugin to 4.5.0 or later.
- Avoid using unsanitised user input for cache keys.
- Sanitize all user inputs before using them.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-10083 vulnerability anywhere in the article.