CVE-2026-6663
Remote Code Execution in GWD Connect WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The GWD Connect plugin for WordPress, in all versions up to and including 2.9, ships standalone agent endpoints (gwd-backup.php and gwd-logs.php) that skip authentication entirely when no API key has been configured. An unconfigured API key is the default state of a fresh, unregistered installation, so the check is absent by default rather than merely weak.
Because no authorization check is performed at all (CWE-862), an unauthenticated attacker can call the update_agent action, which writes attacker-supplied PHP code to the agent file; once that file is executed, the attacker's code runs on the server. The advisory scopes this to unregistered installations (no API key set) and to certain environments only, so a site whose installation has been registered with an API key is not exposed through this path, and the practical impact depends on whether the written agent file can actually be executed in the hosting environment.
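The following PHP is an added illustration of the fail-open pattern the advisory describes and of the fail-closed alternative; it is not the GWD Connect plugin's own code, and the configuration array, the `check_agent_auth_*` and `handle_agent_request` functions and the request payload are all hypothetical constructions. The vulnerable check returns true whenever no key is configured, so every caller is treated as authorized; the hardened check refuses to serve the endpoint until a key exists and compares a presented key in constant time.

```php
<?php
// Added illustration, not the GWD Connect plugin's code. Models the
// "no API key configured means no check" flaw and a fail-closed fix.
declare(strict_types=1);

// Constructed configuration: per the advisory, an unset API key is the
// default state of an unregistered installation.
$config = ['api_key' => ''];

// Vulnerable pattern (deliberately kept): an empty key skips the check,
// so the endpoint is reachable by anyone (CWE-862, missing authorization).
function check_agent_auth_vulnerable(array $config, ?string $presented): bool
{
    if ($config['api_key'] === '') {
        return true; // fail open: unregistered install accepts every caller
    }
    return $presented === $config['api_key'];
}

// Hardened pattern: no configured key means the endpoint is unusable,
// and a configured key is compared with hash_equals() to avoid timing leaks.
function check_agent_auth_hardened(array $config, ?string $presented): bool
{
    if ($config['api_key'] === '' || $presented === null) {
        return false; // fail closed
    }
    return hash_equals($config['api_key'], $presented);
}

// Hypothetical handler for a standalone endpoint such as gwd-backup.php.
// Returns [http_status, body] instead of emitting headers so it runs in CLI.
function handle_agent_request(array $config, array $request, callable $auth): array
{
    $presented = $request['api_key'] ?? null;
    if (!$auth($config, $presented)) {
        return [403, 'forbidden'];
    }
    if (($request['action'] ?? '') === 'update_agent') {
        // In the flawed flow this is where attacker-controlled PHP would be
        // written to the agent file. Here nothing is written; the handler
        // only reports that the write would have been accepted.
        $bytes = strlen($request['code'] ?? '');
        return [200, "update_agent accepted: would write {$bytes} bytes to agent file"];
    }
    return [200, 'ok'];
}

// Constructed unauthenticated request carrying a PHP payload, no api_key.
$attack = [
    'action' => 'update_agent',
    'code'   => '<?php system($_GET["c"]); ?>',
];

[$status, $body] = handle_agent_request($config, $attack, 'check_agent_auth_vulnerable');
echo "vulnerable: {$status} {$body}", PHP_EOL;

[$status, $body] = handle_agent_request($config, $attack, 'check_agent_auth_hardened');
echo "hardened:   {$status} {$body}", PHP_EOL;
```

Run with `php example.php`: the vulnerable path accepts the unauthenticated update_agent request, while the hardened path returns 403 for the same request. The design point is that "unconfigured" must map to "deny", never to "skip the check"; a registration step that has not happened yet is not a reason to trust the caller.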
How can this vulnerability impact me?
On an affected installation, an unauthenticated attacker can execute arbitrary PHP code on the server that hosts the plugin.
Code execution at that level can be used to alter the site, read or exfiltrate its data, and pivot further into the server or the surrounding network. The exposure is bounded by the advisory's conditions: the installation must be unregistered (no API key configured) and the environment must permit the written agent file to be executed. Administrators should confirm whether their GWD Connect installation has an API key configured and update beyond version 2.9.