Unrated

Stored XSS in APCu Manager WordPress plugin admin cache-key view

IdentifiersCVE-2026-10083CWE-79

CVE-2026-10083 is a stored cross-site scripting vulnerability in the APCu Manager WordPress plugin before version 4.5.0. The plugin fails to properly escape APCu object-cache keys before rendering them in an administrative page. In deployments where a persistent object cache is enabled, cache keys can be derived from unsanitized user-controlled input, such as a transient name created from an unauthenticated request by another vulnerable APCu Manager plugin path. Those attacker-influenced keys are then stored and later displayed without output encoding in the admin interface, causing arbitrary JavaScript to execute when an administrator views the affected page.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows execution of arbitrary JavaScript in the browser session of an authenticated WordPress administrator who visits the affected APCu Manager admin page. This can enable theft of session tokens or nonces, unauthorized administrative actions performed in the victim's context, modification of site settings or content, creation of rogue administrator accounts, and broader compromise of the WordPress instance depending on available admin capabilities and installed defenses.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable access to the APCu Manager administrative page and, where feasible, disable the plugin temporarily. Clear the persistent object cache/APCu store to remove malicious keys already written. Restrict who can trigger creation of transients or cache keys from user input, and reduce exposure of unauthenticated functionality that can influence cache key names. Standard browser-side controls such as CSP may reduce impact but should not be relied upon as a substitute for patching.

Remediation

Patch, then assume compromise.

Upgrade the APCu Manager WordPress plugin to version 4.5.0 or later, which addresses the improper escaping of APCu object-cache keys before rendering them in the admin interface. After upgrading, review and clear existing APCu/object-cache entries and any attacker-controlled transient names that may persist in cache storage to remove previously injected payloads.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

8 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-10083

NVD

nvd.nist.gov/vuln/detail/CVE-2026-10083

MITRE CWE · CWE-79

cwe.mitre.org