cleantalk
Vulnerabilities and Security Researches

Graphic Web Design, Inc. Manager, CVE-2026-6663

CVE, Research URL

CVE-2026-6663

Home page URL

Security reports for Graphic Web Design, Inc. Manager

Application

Graphic Web Design, Inc. Manager

Published on
May 12, 2026
Research Description
The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.
Affected versions
max 2.9.
Status
vulnerable
Previous vulnerability researches
Advanced Product Search for WooCommerce – Motive Commerce Search (CVE-2026-42664) , May 13, 2026
New vulnerability
Pricing Tables for WP (CVE-2026-6808) , May 14, 2026
Next Date (CVE-2026-4920) , May 14, 2026
Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings (CVE-2026-4301) , May 14, 2026
Shortcodely (CVE-2026-6913) , May 14, 2026
Graphic Web Design, Inc. Manager (CVE-2026-6663) , May 14, 2026