CVE-2026-1946
Received Received - Intake

Unauthorized Data Modification in GW AI Website Builder Plugin

Vulnerability report for CVE-2026-1946, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The GW AI Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the plugin from GravityWrite via the 'gwaiwebu_gravitywrite_disconnect' AJAX action.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gw_ai_website_builder plugin to 1.0.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The GW AI Website Builder plugin for WordPress has a vulnerability due to a missing capability check in the function gwaiwebu_gravitywrite_disconnect_handler(). This flaw allows authenticated users with Subscriber-level access or higher to disconnect the plugin from GravityWrite by exploiting the 'gwaiwebu_gravitywrite_disconnect' AJAX action.

Impact Analysis

This vulnerability can allow attackers with low-level authenticated access to modify plugin behavior by disconnecting it from GravityWrite. While it does not impact confidentiality or availability, it can lead to unauthorized modification of plugin data or functionality, potentially disrupting website features that rely on the plugin.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1946. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart