What the vulnerability does
01Description
The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.
Explanation of Vulnerability in Simple Terms
02Summary
GWD Conex versions 2.9 and earlier lack proper authorization checks, allowing unauthenticated attackers to read and modify limited data via network requests. The vulnerability requires specific conditions to exploit but does not affect system availability. Update to a version newer than 2.9 to remediate.
What an attacker can do
03Attacker Capabilities
Read and modify some data without authentication.
Potential impact on your site
04Site Impact
Unauthorized users may access or alter sensitive information in GWD Conex.
Conditions required to exploit
05Prerequisites
Network access; specific conditions must be met (high attack complexity).
Key dates
06Disclosure timeline
May 12, 2026
CVE published
May 12, 2026
Record updated
