Description
The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.
Published: 2026-05-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GWD Connect plugin for WordPress includes two PHP scripts (gwd-backup.php and gwd-logs.php) that expose an update_agent endpoint. The plugin fails to verify authentication when no API key has been configured – the default state for unregistered installations – allowing attackers to send specially crafted requests that write arbitrary PHP code to the agent file, enabling limited code execution on the server.

Affected Systems

WordPress sites running the GWD Connect plugin from GWD Conex, all release versions up to and including 2.9, with the default configuration of no API key and no external authentication.

Risk and Exploitability

The vulnerability carries a CVSS score of 4.8, indicating moderate impact. EPSS data is not available, and the flaw is not listed in CISA’s KEV catalog. Attackers can exploit it by issuing an unauthenticated HTTP request to the update_agent endpoint on an unregistered site that has not configured an API key. The exploitation grants the ability to inject PHP code, but is limited to the plugin’s agent file and therefore may not provide full system compromise without additional vulnerabilities or misconfigurations.

Generated by OpenCVE AI on May 12, 2026 at 10:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GWD Connect plugin to the latest available version that protects the update_agent endpoint from unauthenticated requests.
  • If an upgrade is not possible, immediately configure an API key in the plugin’s settings; once a key is set the endpoints will enforce authentication and refuse unauthenticated update_agent actions.
  • Limit exposure of the gwd-backup.php and gwd-logs.php scripts by restricting access in the web server configuration (e.g., using .htaccess rules or firewall rules) so that only trusted IP addresses or authenticated users can reach them.
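As an added example (not part of the OpenCVE record or of the plugin's own code), a small log-hunting script that flags requests to the two agent scripts named above in Apache combined-format access logs, ranking a URL that carries the update_agent action highest. The plugin directory in the constructed sample lines and the `action=update_agent` query parameter are assumptions, since the advisory does not state how the action is passed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The plugin directory is an assumption; only the two script names come from the advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2026:09:20:01 +0000] "POST /wp-content/plugins/gwd-connect/gwd-backup.php?action=update_agent HTTP/1.1" 200 17 "-" "curl/8.4.0"
203.0.113.9 - - [12/May/2026:09:21:44 +0000] "GET /wp-content/plugins/gwd-connect/gwd-logs.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2026:09:22:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The plugin's standalone agent scripts named in the advisory.
AGENT_SCRIPTS = ("gwd-backup.php", "gwd-logs.php")


def classify_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a request to one of the agent scripts, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    base = path.split("?", 1)[0]
    script = next((s for s in AGENT_SCRIPTS if base.endswith("/" + s)), None)
    if script is None:
        return None
    # On an unregistered install every hit on these scripts deserves a look; a URL
    # carrying "update_agent" (the action the advisory says writes PHP) ranks higher.
    # Assumption: the action may be sent as a query parameter. POST bodies are not
    # recorded in access logs, so a body-only action would only show up as "review".
    severity = "high" if "update_agent" in path else "review"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "script": script, "status": m.group("status"), "severity": severity}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan a whole log (one request per line) and return all findings."""
    return [hit for line in text.splitlines() if (hit := classify_line(line))]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['ts']} {hit['ip']} {hit['method']} "
              f"{hit['script']} status={hit['status']}")
```

Pair the "review" hits with the plugin's registration state: on a site that has an API key configured the endpoints enforce authentication, so only hits on an unregistered install need follow-up.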


Advisories

No advisories yet.

History

Tue, 12 May 2026 13:15:00 +0000

Values added (no values removed):
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 08:30:00 +0000

Values added (no values removed):
  Description: The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.
  Title: GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent
  Weaknesses: CWE-862
  References: (empty)
  Metrics (cvssV3_1): {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-12T12:44:31.474Z

Reserved: 2026-04-20T12:09:50.796Z

Link: CVE-2026-6663

Vulnrichment

Updated: 2026-05-12T12:44:27.175Z

NVD

Status: Deferred

Published: 2026-05-12T09:16:55.797

Modified: 2026-05-12T14:03:52.757

Link: CVE-2026-6663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T10:45:14Z

Weaknesses