CVE-2026-6663
GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent
CVSS Score: 4.8
EPSS Score: 0.0%
EPSS Percentile: 0th
The GWD Connect plugin for WordPress is vulnerable to limited code execution through missing authorization in all versions up to, and including, 2.9. The plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) do not verify authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers, on unregistered installations only and in certain environments, to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.
| CWE | CWE-862 |
| Vendor | thewebsitesupply |
| Product | gwd conex |
| Published | May 12, 2026 |
| Last Updated | May 12, 2026 |
CVSS v3 Breakdown
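CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |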
Affected Versions
thewebsitesupply / GWD Conex
0 ≤ 2.9
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4d2d435f-d6ce-41bd-8a45-e252fb4ba419?source=cve
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/graphic-web-design-inc/tags/2.9/gwd-backup.php?marks=1991,2002,2548#L1991
plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/graphic-web-design-inc/tags/2.9/gwd-logs.php?marks=398,403,851#L398
Credits
Athiwat Tiprasaharn