CVE-2026-1985 in Press3D Plugin
Summary
by MITRE • 02/14/2026
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2026-1985 affects the Press3D plugin for WordPress, specifically targeting the 3D Model Gutenberg block functionality. This represents a critical security flaw that undermines the integrity of WordPress content management systems by enabling malicious actors to inject persistent cross-site scripting payloads. The vulnerability exists within the plugin's handling of URL parameters for 3D model blocks, where insufficient input validation and sanitization allows attackers to exploit the system's trust in user-supplied data. The flaw impacts all versions of the plugin up to and including version 1.0.2, making it a widespread concern for WordPress installations that utilize this specific plugin functionality.
The technical implementation of this vulnerability stems from the plugin's failure to properly sanitize URL schemes when processing link URLs for 3D model blocks. This represents a classic stored cross-site scripting vulnerability where malicious input is permanently stored within the application's database and subsequently executed whenever users interact with the affected content. The vulnerability specifically allows the injection of javascript: URLs, which can execute arbitrary code in the context of the victim's browser session. This occurs because the plugin does not validate that URLs conform to acceptable protocols or properly escape potentially dangerous input before storing it in the database. The lack of proper sanitization creates an environment where attackers can embed malicious scripts that persist across user sessions and can be triggered by simple interactions such as clicking on the 3D model.
The operational impact of this vulnerability is significant for WordPress administrators and content creators who rely on the Press3D plugin for their 3D content management. Authenticated attackers with Author-level access or higher can exploit this vulnerability to compromise user sessions, steal sensitive information, or redirect users to malicious websites. The stored nature of the XSS payload means that the attack vector remains persistent and can affect multiple users over time without requiring repeated exploitation attempts. This vulnerability particularly affects users who may not be security-savvy and could inadvertently click on compromised 3D model links, leading to widespread session hijacking or data exfiltration. The impact extends beyond individual user compromise to potentially affecting entire WordPress installations that rely on this plugin for 3D content rendering and interaction.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the sanitization and validation issues. System administrators should implement comprehensive input validation measures that enforce strict URL scheme validation and prevent the storage of javascript: or other dangerous protocols. The implementation of Content Security Policy headers can provide additional protection layers by restricting the execution of inline scripts and external content. Security monitoring should be enhanced to detect suspicious URL patterns in 3D model block parameters, and regular security audits should verify that all plugin components properly sanitize user inputs. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and represents a clear violation of secure coding practices that should be addressed through proper input validation and output encoding mechanisms. Organizations should also consider implementing principle of least privilege access controls to limit the potential impact of compromised accounts, as the vulnerability requires at least Author-level access to exploit effectively.