The APCu Manager WordPress plugin, versions prior to 4.5.0, fails to escape cache keys before displaying them in an admin page. This flaw permits a stored cross‑site scripting vulnerability. A malicious user can inject arbitrary JavaScript by creating an unsanitized cache key—typically through a transient name generated by an unauthenticated request—and when an administrator later views the affected admin‑area page, the injected script executes in the administrator's browser session.

WordPress sites running the APCu Manager plugin older than version 4.5.0 with a persistent APC object‑cache enabled are affected. Any site that uses another instance of the APCu Manager plugin or any plugin that can create transient names without sanitization before 4.5.0 also falls within the risk, because the unsanitized cache key can be stored and later rendered by the vulnerable plugin.

The vulnerability requires an attacker to supply an unsanitized cache key that will be stored in a persistent object cache and later rendered on an admin‑area page. Exploitation therefore is feasible only when an attacker can influence the cache key and an administrator visits the page. The EPSS score of <1% and CVSS score of 7.5 indicate a high severity level but a low likelihood of exploitation. Nevertheless, the ability to execute arbitrary JavaScript in an administrator's browser presents a moderate to high risk for affected installations. Since the vulnerability is not listed in the CISA KEV catalog, there is currently no evidence of widespread exploitation, but the flaw remains a serious concern for any WordPress site relying on the vulnerable plugin.