Press3D Vulnerability (Medium) – CVE-2026-1985

by | Feb 13, 2026 | Plugins

Attack Vectors

Press3D (slug: press3d) versions up to and including 1.0.2 contain a Medium-severity vulnerability (CVSS 6.4) tracked as CVE-2026-1985. The issue is a stored cross-site scripting (XSS) flaw that can be introduced through the WordPress Gutenberg 3D Model block.

The key risk path is an authenticated user with Author-level access or higher creating or editing a page/post that includes a 3D model and setting the block’s link URL parameter to a malicious value. Because the plugin does not properly restrict URL schemes, an attacker can store a javascript: link.

Once placed, the malicious script is stored in your site content and can execute when someone clicks the 3D model. In practical terms, this makes the vulnerability relevant to organizations that allow multiple contributors, agencies, contractors, or internal teams to publish content using Gutenberg blocks.

Security Weakness

The weakness is rooted in insufficient input handling for the 3D model block’s link URL. Specifically, Press3D fails to sanitize and validate the URL scheme before saving it, allowing unsafe schemes such as javascript: to be stored.

This is not merely a content-quality issue; it is a security control gap. In WordPress environments, URLs that will be rendered to users should be restricted to safe, expected schemes (for example, standard web links), especially when stored in reusable blocks that may be displayed across high-traffic pages.

There is currently no known patch available. As a result, mitigation decisions should be based on business risk, exposure, and how widely Press3D is used in your publishing workflow.
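The scheme check the plugin is missing, turned into a defender's content audit (an added example, not code from Press3D or from this post): it parses Gutenberg block comments and anchor hrefs in saved post content and flags links whose scheme a browser would execute, including entity- and whitespace-obfuscated ones. The block name `example-plugin/3d-model`, the attribute `linkUrl` and the sample post are constructed placeholders, since the post does not name Press3D's actual block or attribute.

```python
import json
import re
from html import unescape
# Link schemes that run or embed script when followed. A denylist keeps the
# audit quiet on free-text attributes that merely contain a colon.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}
# Gutenberg stores block attributes as JSON in an HTML comment: <!-- wp:ns/name {...} -->
BLOCK_RE = re.compile(r"<!--\s*wp:([\w/-]+)\s*(\{.*?\})?\s*/?-->", re.S)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']*)["']""", re.I)
# Constructed sample post. Block and attribute names are placeholders, not
# Press3D's real ones; both links hide a javascript: scheme behind encoding.
SAMPLE_POST = (
    '<!-- wp:example-plugin/3d-model {"model":"https://cdn.example/m.glb",'
    '"linkUrl":"java\\tscript:void(0)","caption":"Note: drag to rotate"} -->'
    '<div><a href="java&#115;cript:void(0)">3D model</a></div><!-- /wp:example-plugin/3d-model -->'
    '<!-- wp:paragraph --><p><a href="https://example.com/docs">Docs</a></p><!-- /wp:paragraph -->'
)

def url_scheme(value):
    """Scheme a browser would parse from value (lower-case), or None if relative.
    Entities are decoded and ASCII controls/spaces dropped first, as browsers do."""
    cleaned = "".join(ch for ch in unescape(value) if ord(ch) > 0x20)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.-]*):", cleaned)
    return m.group(1).lower() if m else None

def is_safe_link(value):
    return url_scheme(value) not in DANGEROUS_SCHEMES

def _walk(obj, path, hits):
    # Recurse through the attribute JSON, recording unsafe string values.
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else enumerate(obj)
        for key, val in items:
            _walk(val, f"{path}.{key}", hits)
    elif isinstance(obj, str) and not is_safe_link(obj):
        hits.append((path, url_scheme(obj)))

def audit_post_content(content):
    """Return (location, scheme) for every stored link with a dangerous scheme."""
    hits = []
    for m in BLOCK_RE.finditer(content):
        if m.group(2):  # block attribute JSON, if the block has any
            try:
                _walk(json.loads(m.group(2)), m.group(1), hits)
            except json.JSONDecodeError:
                continue  # malformed block comment: nothing to inspect
    for m in HREF_RE.finditer(content):  # anchors in the saved HTML itself
        if not is_safe_link(m.group(1)):
            hits.append(("href", url_scheme(m.group(1))))
    return hits
```

Run `audit_post_content()` over the `post_content` of each published post (from a database export, for example) to find links already stored. The audit uses a denylist to avoid noise on free-text attributes; the fix itself should allowlist schemes at save or render time, for example WordPress's `esc_url()` called with an explicit protocol list.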

Technical or Business Impacts

Stored XSS can create real business exposure because it can be used to run unwanted actions in a visitor’s browser under your brand. For marketing leaders and executives, the most likely outcomes include brand trust damage (users being redirected, shown fraudulent prompts, or experiencing suspicious behavior on your site) and campaign performance disruption (landing pages or interactive assets behaving unpredictably).

Because the vulnerability can be introduced by an authenticated Author+ account, it also elevates insider-risk and third-party publishing risk. If an attacker compromises a contributor account (or a trusted partner account), they may be able to place malicious scripts into high-visibility pages without needing admin access.

Compliance and governance teams should also consider the downstream impacts: exposure of limited user data depending on what the script is designed to collect, potential policy violations related to website integrity, and the operational cost of incident response (content audits, emergency takedowns, customer communications, and legal review). In many organizations, the most pragmatic mitigation—given “no known patch available”—may be to uninstall Press3D and replace it, especially on revenue-driving or compliance-sensitive sites.

Similar Attacks

Stored XSS in widely used web platforms has been used in the past to harm brand credibility, interfere with user journeys, and enable follow-on fraud. Examples include:

Popup Maker plugin vulnerability (Wordfence) — an example of plugin-related website scripting risk and why rapid mitigation matters.

Cross-site scripting (XSS) attack overview (Sucuri) — a practical look at how XSS impacts websites and businesses.

OWASP: Cross Site Scripting (XSS) — a canonical reference that helps frame XSS as a business and security control issue.