CVE-2026-1985: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in arieslab Press3D
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1985 is a stored cross-site scripting vulnerability in the Press3D WordPress plugin (versions up to 1.0.2). The vulnerability arises from improper neutralization of input (CWE-79) in the 3D Model Gutenberg block, where the plugin fails to sanitize and validate the URL scheme of link URLs, permitting javascript: URLs. This allows authenticated users with Author-level privileges or higher to inject malicious scripts that execute upon user interaction with the 3D model links. The vulnerability has a CVSS 3.1 base score of 6.4, indicating medium severity. A patch is available to remediate this issue.
Potential Impact
An attacker with Author-level access or higher can inject arbitrary JavaScript code into pages via the 3D Model block's link URL parameter. The script executes in the victim's browser when they click the affected 3D model, which can compromise that user's session or perform unauthorized actions in the context of the affected site. There is no indication of exploitation in the wild at this time.
Mitigation Recommendations
A patch is available for this vulnerability. Users of the Press3D plugin should update to the latest version beyond 1.0.2 that includes the fix. Applying the official patch will properly sanitize and validate URL schemes to prevent injection of javascript: URLs. Until patched, restrict Author-level access to trusted users only to reduce risk.
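The fix the advisory describes is scheme validation of the stored link URL. The following is an added illustration, not Press3D's own code: it allowlists schemes after WHATWG URL parsing, which normalizes the case, whitespace and control-character variants that a naive prefix check misses. The allowlist, function names and sample inputs are assumptions constructed for this example.

```javascript
// Added example (not Press3D code): allowlist a link URL's scheme before it is
// stored as a block attribute. ALLOWED_SCHEMES and the base URL are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized URL when its scheme is allowed, or null otherwise.
// Relative URLs are resolved against `base` so they inherit the site's scheme.
function sanitizeLinkUrl(rawUrl, base = "https://example.invalid/") {
  if (typeof rawUrl !== "string") return null;
  // WHATWG URL parsing strips leading/trailing C0 controls and spaces,
  // removes embedded tab/newline characters and lowercases the scheme, so
  // variants such as " JavaScript:" or "java\tscript:" normalize to the
  // same "javascript:" protocol before the allowlist check runs.
  let parsed;
  try {
    parsed = new URL(rawUrl, base);
  } catch {
    return null; // unparseable input is rejected rather than stored as-is
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Naive prefix check, shown for contrast: it only catches the exact
// lowercase prefix and lets case or whitespace variants through.
function naiveCheck(rawUrl) {
  return rawUrl.startsWith("javascript:") ? null : rawUrl;
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  "https://example.invalid/model.glb",
  "/models/chair",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,hi",
];

// Side-by-side result for each sample: what the naive check would store
// versus what the scheme-allowlisted sanitizer stores.
function report() {
  return SAMPLES.map((u) => ({ input: u, naive: naiveCheck(u), safe: sanitizeLinkUrl(u) }));
}
```

Only the first two samples survive the allowlist; the naive check rejects just the third.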
CVSS v3.1
Score: 6.4 (Medium)
Weaknesses: CWE-79
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-05T14:57:42.410Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69901aedc9e1ff5ad86893e5
Added to database: 2/14/2026, 6:49:17 AM
Last enriched: 4/9/2026, 11:25:54 AM
Last updated: 6/10/2026, 3:50:44 AM