Description
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
Published: 2026-02-14
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via link URLs in the Press3D Gutenberg block
Action: Immediate Patch
AI Analysis

Impact

The Press3D plugin does not validate or sanitize the URL scheme entered for a 3D model link. This flaw lets an authenticated user with Author or higher privileges persist a value that begins with the javascript: scheme, causing arbitrary script execution when a site visitor clicks the link. The result is stored Cross‑Site Scripting that can run on every viewer’s browser.

Affected Systems

WordPress sites that have the Press3D plugin installed and are running any version up to and including 1.0.2 are affected. Any user with Author level or greater access on those sites can create or edit a 3D model block and insert the malicious URL.

Risk and Exploitability

The vulnerability carries a medium severity score of 6.4 and an exploitation probability estimate lower than 1%. The plugin is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack requires authenticated access as Author or higher and involves the malicious user inserting a javascript: link into a 3D model block. Based on the description, it is inferred that the inserted script could read cookies, hijack sessions, or deface content, but those specific outcomes are not explicitly confirmed in the advisory.

Generated by OpenCVE AI on April 15, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Press3D plugin to a version that sanitizes link URLs.
  • If an upgrade is not immediately possible, restrict the ability to use the link field to administrators only and enforce server‑side validation to reject URLs with the javascript: scheme.
  • Apply WordPress’s esc_url function or equivalent output escaping to any stored link URLs to ensure only safe schemes are rendered.

Generated by OpenCVE AI on April 15, 2026 at 18:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Arieslab
Arieslab press3d
Wordpress
Wordpress wordpress
Vendors & Products Arieslab
Arieslab press3d
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
Title Press3D <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Arieslab Press3d
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:56.957Z

Reserved: 2026-02-05T14:57:42.410Z

Link: CVE-2026-1985

cve-icon Vulnrichment

Updated: 2026-02-18T20:39:19.853Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T07:16:12.320

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1985

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses