The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name that another plugin builds from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page.
Casky was already ahead
The attack behind this CVE relies on patterns that Casky's 0 matched skills investigate, independently of when this particular vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The APCu Manager WordPress plugin versions before 4.5.0 contain a Stored Cross-Site Scripting (XSS) vulnerability where cache keys derived from user-supplied input are rendered without HTML escaping in administrative pages. The impact is high because the injected JavaScript runs in the browser session of a WordPress administrator, the most privileged role on the site. The attack vector is indirect: an unauthenticated attacker does not need to reach APCu Manager itself, only some code path (a transient name or any other cache key built from request data) that writes a key containing the payload into the persistent APCu object cache. The payload then sits in shared memory until an administrator opens the APCu Manager admin page, where the unescaped key is rendered and the script executes. Any WordPress installation running a vulnerable version with persistent object caching enabled is affected; sites without an APCu-backed object cache do not expose the key listing in the same way.
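The chain in the paragraph above, as an added illustration written for this page (it is not APCu Manager's own code, and every name prefixed `hypo_` is hypothetical). It assumes what WordPress core does when an external object cache is active: `set_transient()` stores the value under a cache key that contains the transient name, so request-controlled text becomes an APCu key. The vulnerable sink and the hardened sink are shown side by side.

```php
<?php
/**
 * Added example for this page, not the plugin's code.
 * "hypo_" names are hypothetical; the WordPress functions used
 * (wp_unslash, sanitize_key, set_transient, esc_html, current_user_can,
 * wp_die, esc_html__) are real core APIs.
 */

// --- Source: any plugin or theme that builds a transient name from request data.
// With a persistent object cache (APCu drop-in) enabled, the transient name
// becomes part of the APCu key and survives the request in shared memory.
// Unauthenticated trigger, e.g.:
//   /?hypo_ref=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E
function hypo_remember_referrer_vulnerable() {
    if ( ! isset( $_GET['hypo_ref'] ) ) {
        return;
    }
    $ref = wp_unslash( $_GET['hypo_ref'] );          // raw request data
    set_transient( 'hypo_ref_' . $ref, time(), HOUR_IN_SECONDS );
}

// Input-side hardening (defence in depth; the real fix is at the sink):
// constrain the key so markup characters can never reach the cache layer.
function hypo_remember_referrer_safe() {
    if ( ! isset( $_GET['hypo_ref'] ) ) {
        return;
    }
    // sanitize_key() lowercases and strips everything except [a-z0-9_-].
    $ref = sanitize_key( wp_unslash( $_GET['hypo_ref'] ) );
    if ( '' === $ref ) {
        return;
    }
    set_transient( 'hypo_ref_' . $ref, time(), HOUR_IN_SECONDS );
}

// --- Sink: an admin page that lists cache keys.
// Vulnerable pattern: the key is concatenated straight into markup, so a key
// such as "hypo_ref_<img src=x onerror=...>" is parsed as HTML by the
// administrator's browser.
function hypo_render_keys_vulnerable( array $keys ) {
    echo '<table class="widefat"><tbody>';
    foreach ( $keys as $key ) {
        echo '<tr><td>' . $key . '</td></tr>';       // stored XSS fires here
    }
    echo '</tbody></table>';
}

// Hardened pattern: escape at the point of output and gate the page on a
// capability. esc_html() encodes < > & " ' as entities (ENT_QUOTES), so the
// payload is displayed as text rather than interpreted as markup.
function hypo_render_keys_hardened( array $keys ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ) );
    }
    echo '<table class="widefat"><tbody>';
    foreach ( $keys as $key ) {
        echo '<tr><td>' . esc_html( $key ) . '</td></tr>';
    }
    echo '</tbody></table>';
}
```

The escape belongs at the sink regardless of how keys are produced: the admin page cannot know which other plugin wrote a given key or what it validated, so output encoding is the only control the listing page itself can guarantee. When auditing a site, confirm the installed version with `wp plugin list` (WP-CLI) and check whether an object-cache drop-in (`wp-content/object-cache.php`) is present, since the persistent cache is what lets the key outlive the attacker's request.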
While this CVE lacks an explicit MITRE ATT&CK mapping (ATT&CK has no technique dedicated to stored XSS, so any mapping is approximate), Casky's security skills using Claude AI with extended reasoning would identify this vulnerability through detection of attack patterns consistent with T1190 (Exploit Public-Facing Application) for the unauthenticated entry point and, loosely, T1059 (Command and Scripting Interpreter) for the JavaScript that runs in the administrator's browser. Practitioners using Casky would observe findings highlighting: (1) input validation gaps where cache keys accept unsanitized user data, (2) output encoding failures in template rendering of admin pages, and (3) stored payload persistence across sessions, the hallmark of stored XSS. The platform's skill library would flag the specific risk: unauthenticated request data flowing into persistent storage and later executing with administrative context, enabling account compromise or malicious admin actions without requiring prior authentication.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-10083. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation