CVE-2026-6663

MEDIUM

GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent

Title source: cna

Description

The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.

References (3)

Core 3

Core References

https://www.wordfence.com/threat-intel/vulnerabilities/id/4d2d435f-d6ce-41bd-8a45-e252fb4ba419?source=cve

https://plugins.trac.wordpress.org/browser/graphic-web-design-inc/tags/2.9/gwd-backup.php?marks=1991,2002,2548#L1991

https://plugins.trac.wordpress.org/browser/graphic-web-design-inc/tags/2.9/gwd-logs.php?marks=398,403,851#L398

Scores

CVSS v3 4.8

EPSS 0.0027

EPSS Percentile 18.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

thewebsitesupply/GWD Conex < 2.9

Published May 12, 2026

Tracked Since May 12, 2026