Threepress Security & Risk Analysis

wordpress.org/plugins/threepress

3d model gallery uploader and viewer powered by three.js

200 active installs · v1.8.5 · PHP 5.6+ · WP 4.0+ · Updated Oct 13, 2025
Tags: 3d-model, chat, gltf, multiplayer, threejs

Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 17, 2025
Safety Verdict

Is Threepress Safe to Use in 2026?

Generally Safe

Score 99/100

Threepress has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 17, 2025 · Updated 5mo ago
Risk Assessment

The "threepress" plugin v1.8.5 exhibits a mixed security posture. While it demonstrates good practices in its SQL query handling, with 100% prepared statements, and generally good output escaping (90%), significant concerns arise from its attack surface. The plugin exposes 11 entry points, of which a striking 9 are completely unprotected by authentication checks. This is a major weakness that could allow unauthorized users to interact with sensitive plugin functionalities.

The taint analysis further amplifies these concerns, revealing 3 high-severity flows with unsanitized paths. This strongly suggests a potential for directory traversal or similar path manipulation vulnerabilities, especially given the unprotected AJAX handlers. While the plugin has a history of vulnerabilities, including a medium severity Cross-Site Scripting (XSS) issue discovered recently, the fact that there are currently no unpatched CVEs is a positive sign regarding the vendor's responsiveness to known issues. However, the presence of past XSS vulnerabilities, combined with unsanitized paths and a large number of unprotected entry points, indicates a need for heightened vigilance regarding input validation and sanitization.

In conclusion, "threepress" v1.8.5 has notable strengths in its database interaction and output escaping. However, the substantial unprotected attack surface and high-severity taint flows represent significant security risks. The historical pattern of XSS vulnerabilities, while currently patched, warrants careful monitoring and robust input validation to prevent future similar issues. The plugin would benefit greatly from securing its AJAX endpoints and thoroughly sanitizing all user-supplied path information.

Key Concerns

  • Large attack surface without auth checks
  • High severity unsanitized paths
  • Missing nonce checks on AJAX handlers
  • Low percentage of properly escaped outputs
  • History of medium severity CVEs
Vulnerabilities (1)

Threepress Security Vulnerabilities

CVEs by Year

2025: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-13395 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Threepress <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 17, 2025 · Patched in 1.7.2 (1d)
Code Analysis
Analyzed Mar 16, 2026

Threepress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (28 prepared)
Unescaped Output: 1 (9 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (28 total queries)

Output Escaping

90% escaped (10 total outputs)
Data Flows (3 unsanitized)

Data Flow Analysis

4 flows, 3 with unsanitized paths
<threepress> (threepress.php:0)
Attack Surface (9 unprotected)

Threepress Attack Surface

Entry Points: 11
Unprotected: 9

AJAX Handlers 9

auth · wp_ajax_fill_library · threepress.php:806
auth · wp_ajax_fill_gallery · threepress.php:807
auth · wp_ajax_threepress_save_shortcode · threepress.php:808
auth · wp_ajax_threepress_delete_gallery · threepress.php:810
auth · wp_ajax_threepress_get_model · threepress.php:811
auth · wp_ajax_threepress_get_image · threepress.php:812
auth · wp_ajax_threepress_settings · threepress.php:813
auth · wp_ajax_threepress_fill_posts_and_pages · threepress.php:814
auth · wp_ajax_threepress_set_setting · threepress.php:815

Shortcodes 2

[threepress] · threepress.php:859
[threepress_world] · threepress.php:860

WordPress Hooks 10

action · admin_enqueue_scripts · threepress.php:821
action · admin_enqueue_scripts · threepress.php:822
action · admin_enqueue_scripts · threepress.php:828
action · init · threepress.php:842
action · admin_menu · threepress.php:843
action · threepress_admin_menu · threepress.php:844
action · template_redirect · threepress.php:850
filter · script_loader_tag · threepress.php:854
filter · upload_mimes · threepress.php:856
filter · wp_check_filetype_and_ext · threepress.php:857
Maintenance & Trust

Threepress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 13, 2025
PHP min version: 5.6
Downloads: 9K

Community Trust

Rating: 96/100
Number of ratings: 5
Active installs: 200
Developer Profile

Threepress Developer Profile

kerryoco

1 plugin · 200 total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Threepress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/threepress/static/css/global.css
/wp-content/plugins/threepress/static/css/modal.css
/wp-content/plugins/threepress/static/js/global.js
/wp-content/plugins/threepress/static/js/init_base.js
/wp-content/plugins/threepress/static/js/init_admin.js
/wp-content/plugins/threepress/static/css/admin.css
Script Paths
/wp-content/plugins/threepress/static/js/global.js
/wp-content/plugins/threepress/static/js/init_base.js
/wp-content/plugins/threepress/static/js/init_admin.js
Version Parameters
threepress-global-css?v=
threepress-modal-css?v=
threepress-global-js?v=
threepress-base-js?v=
threepress-admin-js?v=
threepress-admin-css?v=

HTML / DOM Fingerprints

CSS Classes
threepress-gallery
HTML Comments
Threepress is free software: you can redistribute it and/or modify
Threepress is distributed in the hope that it will be useful,
You should have received a copy of the GNU General Public License
Data Attributes
threepress-gallery-
JS Globals
THREEPRESS
Shortcode Output
<div id="threepress-gallery-
class="threepress-gallery"
FAQ

Frequently Asked Questions about Threepress