Atomic Edge analysis of CVE-2026-1985:
The Press3D WordPress plugin contains an authenticated stored cross-site scripting vulnerability in versions up to and including 1.0.2. This vulnerability affects the 3D Model Gutenberg block’s link URL parameter, allowing attackers with Author-level access or higher to inject malicious JavaScript payloads that execute when users click on the 3D model. The CVSS score of 6.4 reflects the moderate impact of this stored XSS vulnerability.

Atomic Edge research identified the root cause in the plugin’s failure to sanitize and validate URL schemes when storing link URLs for 3D model blocks. The vulnerability exists in the `sanitizePress3dData` function within `/press3d/src/Admin/Admin.php`. Before the patch, the plugin stored user-supplied `linkUrl` values directly without validation, allowing dangerous protocols like `javascript:` to persist in the database. The `register_post_meta` call at lines 134-142 of the vulnerable version lacked a proper sanitization callback for the `_press3d_data` meta field.

Attackers exploit this vulnerability by creating or editing a 3D model block within the WordPress editor. They inject a malicious `javascript:` URL payload into the link URL parameter through the block’s settings interface. The payload could be something like `javascript:alert(document.cookie)` or more sophisticated scripts for session hijacking. When any user views the page containing the compromised 3D model block and clicks on the model, the malicious JavaScript executes in the victim’s browser context, potentially leading to session theft or further attacks.

The patch introduces a comprehensive sanitization callback in the `sanitizePress3dData` method at lines 162-202 of `/press3d/src/Admin/Admin.php`. This function now processes the JSON-encoded `_press3d_data` meta value, extracts all `linkUrl` fields from the versioned state array, and applies WordPress’s `esc_url_raw()` function with allowed protocols restricted to `['http', 'https', 'mailto', 'tel']`. The patch also updates the `register_post_meta` call at line 158 to include this sanitization callback. Invalid URLs, including those with dangerous protocols, are either sanitized to empty strings or removed entirely, with associated `linkOpenInNewTab` settings cleared.
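The sanitization the patch describes, as an added example written here rather than taken from the plugin: a `sanitize_callback` for `_press3d_data` that decodes the JSON, walks it for `linkUrl` keys and applies the `esc_url_raw()` protocol allowlist. The meta layout and the function names `press3d_sanitize_data_example` and `press3d_sanitize_links` are assumptions, and a simplified stand-in for `esc_url_raw()` is defined so the file runs outside WordPress.

```php
<?php
// Added example, not Press3D's own code. The _press3d_data layout is assumed:
// any nested array carrying a 'linkUrl' key is treated as a 3D model entry.
// Simplified stand-in for WordPress's esc_url_raw() so the file runs outside
// WordPress: strip control characters and whitespace, then apply the protocol
// allowlist. The real function also normalizes the URL in other ways.
if (!function_exists('esc_url_raw')) {
    function esc_url_raw($url, $protocols = ['http', 'https']) {
        $url = preg_replace('/[\x00-\x20\x7f]/', '', (string) $url);
        if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $url, $m)
            && !in_array(strtolower($m[1]), $protocols, true)) {
            return '';                  // disallowed scheme, e.g. javascript:
        }
        return $url;
    }
}

// Walk the decoded meta recursively and rewrite every linkUrl in place. A URL
// that fails the allowlist is removed together with its linkOpenInNewTab flag.
function press3d_sanitize_links(array &$node) {
    if (array_key_exists('linkUrl', $node)) {
        $clean = esc_url_raw((string) $node['linkUrl'], ['http', 'https', 'mailto', 'tel']);
        if ($clean === '') {
            unset($node['linkUrl'], $node['linkOpenInNewTab']);
        } else {
            $node['linkUrl'] = $clean;
        }
    }
    foreach ($node as &$child) {
        if (is_array($child)) { press3d_sanitize_links($child); }
    }
    unset($child);
}

// The sanitize_callback itself; malformed JSON stores nothing. Inside WordPress it
// would be registered with register_post_meta('', '_press3d_data', ['type' =>
// 'string', 'single' => true, 'sanitize_callback' => 'press3d_sanitize_data_example']).
function press3d_sanitize_data_example($value) {
    $data = json_decode((string) $value, true);
    if (!is_array($data)) { return ''; }
    press3d_sanitize_links($data);
    return json_encode($data);
}

// Constructed sample: one entry carries a javascript: URL, one a normal link.
$sample = json_encode(['version' => 1, 'state' => [
    ['linkUrl' => 'javascript:alert(document.cookie)', 'linkOpenInNewTab' => true],
    ['linkUrl' => 'https://example.com/model', 'linkOpenInNewTab' => true],
]]);
echo press3d_sanitize_data_example($sample), PHP_EOL;
```

Run with `php` on the command line: the first entry loses both keys while the `https` link survives, and scheme obfuscation such as mixed case or an embedded tab is still rejected because the stand-in strips control characters before comparing the scheme.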

Successful exploitation allows authenticated attackers with Author privileges or higher to inject arbitrary JavaScript that executes in the context of any user who clicks the 3D model. This stored XSS can lead to session hijacking, account takeover, content modification, or redirection to malicious sites. Since the payload persists in the database, it affects all future visitors to the compromised page until removed. The attack requires Author-level access, limiting its impact compared to unauthenticated vulnerabilities, but still poses significant risk in multi-user WordPress environments.