CVE-2026-1985
Description
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing javascript: URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Press3D plugin for WordPress allows Author+ users to inject arbitrary scripts via unsanitized `javascript:` URLs in 3D model blocks.
The Press3D plugin for WordPress, in all versions up to and including 1.0.2, contains a stored cross-site scripting (XSS) vulnerability in its 3D Model Gutenberg block. The root cause is the plugin's failure to sanitize and validate the URL scheme when storing link URLs for 3D model blocks. Specifically, the plugin does not properly restrict allowed URL protocols, permitting javascript: URLs to be saved. This is a classic instance of CWE-79, where user-controllable input is not neutralized before being stored and later served to users [1].
To exploit this vulnerability, an attacker must be authenticated with at least Author-level access in WordPress. The attacker can then create or edit a post containing the 3D Model block and set the link URL parameter to a javascript: URI containing arbitrary script code. The malicious payload is stored in the database and will be rendered in the page whenever a visitor views the post. The attack requires no additional privileges beyond Author, and the victim need only click on the 3D model element to trigger the script execution.
Successful exploitation allows the attacker to inject arbitrary web scripts into pages viewed by other users. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited by the need for user interaction (a click), but the stored nature of the XSS means the payload persists across sessions and can affect multiple victims.
As of the publication date, the vulnerability is unpatched in all versions up to 1.0.2. No workaround is provided by the vendor. WordPress's built-in esc_url() function, which properly validates URL schemes and rejects javascript: protocols, was not used by the plugin [2]. Site administrators should restrict Author-level access or disable the plugin until a patched version is released.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
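The scheme allowlist the narrative describes, written as an added JavaScript example that is not code from the Press3D plugin or from WordPress core: `safeLinkUrl` performs, on the block-editor side where Gutenberg attributes are written, the same kind of scheme validation that esc_url() performs in PHP, and it normalises the input the way a browser does before parsing so that case changes, leading spaces and embedded tabs do not slip a `javascript:` link past the check. The attribute names (`modelUrl`, `linkUrl`) and the `saveModelBlockAttributes` wrapper are assumed for illustration and are not Press3D's.

```javascript
// Added example, not Press3D's code: allowlist the URL scheme of a block's
// link attribute before it is stored, mirroring what esc_url() does in PHP.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Base used only so relative links ("/viewer/1") parse; it is never returned.
const RESOLVE_BASE = "https://placeholder.invalid/";

/**
 * Returns the (normalised) URL when its scheme is allowed or it is relative,
 * an empty string for an empty input, and null when the link must be rejected.
 */
function safeLinkUrl(input) {
  if (typeof input !== "string") return null;

  // Browsers strip leading/trailing C0 controls and spaces and delete every
  // tab and newline before parsing, so "  java\tscript:..." still runs as
  // script. Apply the same normalisation so the check sees what the browser
  // will see rather than what the author typed.
  const url = input
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");

  if (url === "") return "";

  let parsed;
  try {
    parsed = new URL(url, RESOLVE_BASE);
  } catch {
    return null; // unparsable input is not a usable link either
  }

  // The parser lower-cases the scheme, so "JAVASCRIPT:" is caught as well.
  return ALLOWED_SCHEMES.has(parsed.protocol) ? url : null;
}

// How a block would apply it (hypothetical attribute names): the attribute is
// rewritten on save, so a rejected value never reaches the stored post content.
function saveModelBlockAttributes(attributes) {
  const { modelUrl, linkUrl } = attributes;
  return {
    modelUrl,
    linkUrl: safeLinkUrl(linkUrl) ?? "", // drop the link rather than store it
  };
}

// Constructed sample inputs, as an author might type them into the block.
for (const candidate of ["https://example.com/model", "javascript:alert(1)"]) {
  console.log(JSON.stringify(candidate), "->", JSON.stringify(safeLinkUrl(candidate)));
}
```

Scheme validation is only half of the control: the stored value must still be HTML-attribute-escaped when rendered, otherwise entity-encoded forms that a validator sees as plain text are decoded by the HTML parser into something else. On the PHP side of a dynamic block, passing the attribute through esc_url() in the render callback gives the same result without a custom allowlist.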
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5, via NVD)
- cwe.mitre.org/data/definitions/79.html
- developer.wordpress.org/reference/functions/esc_url/
- plugins.trac.wordpress.org/browser/press3d/tags/1.0.2/press3d.php
- plugins.trac.wordpress.org/browser/press3d/trunk/press3d.php
- www.wordfence.com/threat-intel/vulnerabilities/id/e153bb3d-e175-48bd-894c-7ccb8f09fec4
News mentions (0)
No linked articles in our index yet.