PT-2026-8085 · WordPress · Press3D
Athiwat Tiprasaharn +1 · Published 2026-02-14 · Updated 2026-02-14 · CVE-2026-1985
CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Press3D plugin for WordPress versions up to and including 1.0.2
Description
The Press3D plugin for WordPress is susceptible to Stored Cross-Site Scripting through the 3D Model Gutenberg block. The plugin does not properly sanitize and validate URL schemes when storing link URLs for 3D model blocks, permitting the use of javascript: URLs. This allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages via the link URL parameter. These scripts will execute when a user clicks on the 3D model.
Recommendations
Update the Press3D plugin to a version beyond 1.0.2.
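The missing control named in the description is a scheme allowlist on the link URL. The following is an added example, not Press3D code and not the vendor's fix: safeLinkUrl, ALLOWED_SCHEMES, the base URL and the sample inputs are all hypothetical or constructed for illustration.

```javascript
// Added example: allowlist validation for a user-supplied link URL.
// All names here are hypothetical; this is not the plugin's code.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalized absolute URL, or null if the scheme is not allowed.
function safeLinkUrl(raw, base = 'https://site.example/') {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    // Parse with the WHATWG URL parser, the same algorithm a browser
    // applies when the link is followed. It trims leading/trailing
    // control characters and spaces, drops embedded tabs and newlines,
    // and lowercases the scheme, so the check below sees the scheme the
    // browser would see rather than the raw string.
    parsed = new URL(raw, base);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Constructed sample inputs: two legitimate links and four that a plain
// string comparison against "javascript:" could miss or mishandle.
const SAMPLES = [
  'https://example.com/model',
  '/shop/item?id=3',
  'javascript:alert(1)',
  ' JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'data:text/html,<b>x</b>',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeLinkUrl(s));
}
```

Store and render the returned value rather than the raw input, so that what reaches the page is the same string that was validated.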
Fix
XSS
Affected Products
Press3D