CVE-2026-1985
Stored XSS in Press3D WordPress Plugin via 3D Model Block
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| press3d | plugin | up to and including 1.0.2 |
| arieslab | press3d | up to and including 1.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 3D Model Gutenberg block in all versions up to and including 1.0.2.
This vulnerability occurs because the plugin fails to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing URLs with the "javascript:" scheme.
As a result, authenticated attackers with Author-level access or higher can inject arbitrary web scripts into pages through the link URL parameter. These scripts execute whenever a user clicks on the 3D model.
How can this vulnerability impact me?
This vulnerability can allow attackers with Author-level access or above to inject malicious scripts into your WordPress site.
When users interact with the affected 3D model blocks by clicking on them, the injected scripts will execute, potentially leading to unauthorized actions such as stealing user credentials, session hijacking, or performing actions on behalf of users.
Because the vulnerability is a Stored Cross-Site Scripting issue, the malicious code persists on the site and affects all users who interact with the compromised content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves the Press3D WordPress plugin versions up to 1.0.2 allowing stored Cross-Site Scripting via the 3D Model Gutenberg block by accepting unsafe javascript: URLs in link URL parameters.
Detection can focus on identifying if the vulnerable Press3D plugin version is installed and if any 3D model blocks contain link URLs with javascript: schemes.
- Check the WordPress plugins directory or admin dashboard to confirm if Press3D plugin version 1.0.2 or earlier is active.
- Search the WordPress database for posts or pages containing 3D Model Gutenberg blocks with link URLs starting with "javascript:".
- Example SQL command to find suspicious URLs in post content (adjust table prefix as needed): `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%javascript:%';`
- Use WP-CLI to search for such content: `wp post list --post_type=page,post --field=ID | xargs -I % wp post get % --field=post_content | grep -i 'javascript:'`
Network detection is less direct since this is a stored XSS triggered by user interaction, but monitoring HTTP requests or logs for suspicious payloads or unexpected javascript: URLs in 3D model blocks could help.
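An added example, not part of the original page or the plugin's code: a Python scanner for exported post_content that parses Gutenberg block comments and flags string attributes whose scheme normalizes to javascript:. Unlike a plain substring search, it catches case and whitespace variants and ignores prose that merely mentions the scheme. The block name press3d/model, the attribute linkUrl and the sample posts are assumptions constructed for illustration.

```python
import html
import json
import re

# Gutenberg stores a block as <!-- wp:namespace/name {json attributes} --> (or /--> if self-closing).
BLOCK_RE = re.compile(r"<!--\s+wp:([a-z0-9-]+(?:/[a-z0-9-]+)?)\s+(\{.*?\})\s+/?-->", re.S)
C0_AND_SPACE = "".join(map(chr, range(0x21)))

def scheme_of(value):
    """Return the URL scheme roughly as a browser would parse it, or None."""
    v = html.unescape(value)                 # &#58; / &colon; style encodings
    v = re.sub(r"[\t\n\r]", "", v)           # browsers drop tab/newline inside URLs
    v = v.lstrip(C0_AND_SPACE)               # and ignore leading control chars/spaces
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", v)
    return m.group(1).lower() if m else None

def walk(node, path=""):
    """Yield (attribute path, string value) for every string in the block attributes."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_unsafe_links(post_id, content, namespace="press3d"):
    """Return (post_id, block, attribute, value) for javascript: URLs in matching blocks."""
    findings = []
    for name, raw in BLOCK_RE.findall(content):
        if not name.startswith(namespace + "/"):   # block namespace is an assumption
            continue
        try:
            attrs = json.loads(raw)
        except json.JSONDecodeError:               # surface it for manual review
            findings.append((post_id, name, "(unparseable attributes)", raw))
            continue
        findings += [(post_id, name, p, v) for p, v in walk(attrs)
                     if scheme_of(v) == "javascript"]
    return findings

# Constructed sample post_content values; block and attribute names are hypothetical.
SAMPLE_POSTS = {
    101: '<!-- wp:press3d/model {"linkUrl":"https://example.test/shop"} /-->',
    102: '<!-- wp:press3d/model {"linkUrl":" JaVa\\tScRiPt:void(0)"} /-->',
    103: '<!-- wp:paragraph --><p>Never use javascript: links.</p><!-- /wp:paragraph -->',
}

if __name__ == "__main__":
    for pid, body in SAMPLE_POSTS.items():
        for finding in find_unsafe_links(pid, body):
            print(finding)
```

Post 103 would match the substring searches above despite being harmless, while post 102 would not match them but is flagged here.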
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Update the Press3D plugin to a version later than 1.0.2 where the vulnerability is fixed, if such a version is available.
- If an update is not available, disable or deactivate the Press3D plugin to prevent exploitation.
- Manually sanitize or remove any 3D Model Gutenberg blocks containing link URLs with javascript: schemes from your WordPress content.
- Implement or enforce URL sanitization using WordPress functions like esc_url() when outputting URLs to prevent unsafe protocols.
- Restrict author-level users from adding or editing 3D Model blocks until the vulnerability is resolved.
These steps reduce the risk of stored XSS attacks by preventing injection or execution of malicious scripts via the vulnerable plugin.