CVE-2026-1985: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in arieslab Press3D
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
AI Analysis
Technical Summary
CVE-2026-1985 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Press3D plugin for WordPress, specifically affecting the 3D Model Gutenberg block in all versions up to and including 1.0.2. The root cause is the plugin's failure to properly sanitize and validate the URL scheme when storing link URLs associated with 3D model blocks. This allows an authenticated user with Author-level privileges or higher to inject arbitrary JavaScript code by supplying a crafted `javascript:` URL. When any user subsequently clicks on the 3D model containing the malicious link, the injected script executes in the context of the victim's browser, potentially leading to session hijacking, data theft, or further exploitation within the affected site. The vulnerability requires the attacker to have authenticated access with at least Author privileges, which limits the attack surface to internal or trusted users but does not require additional user interaction beyond clicking the link. The CVSS v3.1 base score is 6.4, reflecting medium severity due to network exploitability, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, and no patches are currently linked, indicating the need for proactive mitigation. The vulnerability is classified under CWE-79, highlighting improper neutralization of input during web page generation. This issue is particularly relevant for WordPress sites leveraging the Press3D plugin for embedding interactive 3D models, which are increasingly used in e-commerce, education, and marketing sectors.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web applications using the Press3D plugin. Attackers with Author-level access can inject malicious scripts that execute in the browsers of site visitors or other users, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. This can result in data breaches, reputational damage, and loss of customer trust. Since the vulnerability requires authenticated access, it is particularly concerning for organizations with multiple content contributors or less stringent access controls. The exploitation could also facilitate lateral movement within the organization’s web infrastructure or enable further attacks such as phishing or malware distribution. Given the widespread use of WordPress in Europe and the growing adoption of interactive 3D content, the vulnerability could affect sectors including e-commerce, media, education, and digital marketing. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the use of the Press3D plugin, particularly versions up to 1.0.2. Until an official patch is released, administrators should restrict plugin usage to trusted users only and review user roles to minimize the number of users with Author-level or higher privileges. Implement strict input validation and sanitization on URL fields associated with 3D model blocks, either via custom code or security plugins that enforce URL scheme restrictions disallowing `javascript:` and other dangerous schemes. Employ Content Security Policy (CSP) headers to limit the execution of inline scripts and untrusted sources, reducing the impact of potential XSS payloads. Monitor logs for unusual activity related to 3D model links and user interactions. Educate content authors about the risks of inserting untrusted URLs. Once a patch or update is available from the vendor, apply it promptly. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS attempts in plugin-specific parameters. Regularly review and update user access controls and conduct security awareness training to reduce insider threats.
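As an added example (not Press3D's own code), the kind of URL-scheme allow-list check the mitigation above calls for, shown beside the naive prefix test that a disguised `javascript:` URL slips past. The block attribute name `linkUrl` and the same-origin base `https://example.org/` are assumptions; the check also assumes the stored value is later written into the `href` with normal attribute escaping.

```javascript
// Added illustration, not code from the Press3D plugin. The attribute name
// `linkUrl` and the base origin are assumptions made for this example.

// Weak check: a prefix test on the raw string. It is defeated by mixed case,
// leading whitespace or an embedded tab/newline, and it ignores other active
// schemes such as data: or vbscript:.
function weakIsSafeLinkUrl(url) {
  return !url.startsWith("javascript:");
}

// Schemes a 3D-model link is allowed to carry. Everything else is rejected.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:", "tel:"]);

// Hardened check: run the value through the WHATWG URL parser, which trims
// leading/trailing controls and spaces, removes embedded tab and newline
// characters and lower-cases the scheme, then compare the resulting protocol
// against the allow-list. Relative URLs resolve against the site origin and
// are kept; anything the parser rejects is treated as unsafe.
// Returns the normalised URL, or null when the value must not be stored.
function safeLinkUrl(url, base = "https://example.org/") {
  if (typeof url !== "string") return null;
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return null; // unparseable input is dropped, never stored as-is
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) return null;
  return parsed.href;
}

// Apply the check to the block's attributes before they are saved. An unsafe
// value is replaced by an empty string rather than "cleaned up", so the stored
// block can never carry an active scheme.
function sanitizeBlockAttributes(attrs) {
  const safe = safeLinkUrl(attrs.linkUrl);
  return { ...attrs, linkUrl: safe === null ? "" : safe };
}

// Constructed sample inputs, including the variants the weak check misses.
const SAMPLES = [
  "https://example.org/model.glb",   // accepted
  "/models/chair",                   // accepted, resolved against the origin
  "javascript:void(0)",              // rejected by both checks
  " JaVaScRiPt:void(0)",             // passes the weak check, rejected here
  "java\tscript:void(0)",            // passes the weak check, rejected here
  "data:text/html,x",                // passes the weak check, rejected here
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "weak:", weakIsSafeLinkUrl(s), "hardened:", safeLinkUrl(s));
}
```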
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-05T14:57:42.410Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901aedc9e1ff5ad86893e5
Added to database: 2/14/2026, 6:49:17 AM
Last enriched: 2/14/2026, 7:05:00 AM
Last updated: 2/21/2026, 12:20:13 AM