APCu Manager < 4.5.0 – Unauthenticated Stored XSS via Cache Key Pollution | CVE 2026-10083

Description

The plugin does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another plugin from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.

Proof of Concept

The PoC will be displayed on July 08, 2026, to give users the time to update.

Affects Plugins

apcu-manager

Fixed in 4.5.0

References

CVE

CVE-2026-10083

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CWE-79

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Alessandro Greco aka Aleff, Giovanbattista Ianni (University of Calabria - UNICAL)

Submitter

Alessandro Greco aka Aleff

Submitter website

https://aleff-gitlab.gitlab.io/

Verified

Yes

WPVDB ID

e591b3f3-6e21-44f7-b374-4753689532fe

Timeline

Publicly Published

2026-06-08 (about 21 days ago)

Added

2026-06-08 (about 20 days ago)

Last Updated

2026-06-27 (about 1 day ago)

Other

Published

Title

Published

2023-03-13

Title

Robo Gallery < 3.2.13 - Contributor+ Stored XSS

Published

2023-04-16

Title

WPML Multilingual CMS < 4.6.1 - Reflected Cross-Site Scripting

Published

2024-09-30

Title

Zotpress < 7.3.11 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2022-04-04

Title

Amr Users < 4.59.4 - Admin+ Stored Cross-Site Scripting

Published

2025-02-18

Title

Responsive Flickr Slideshow < 2.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting