CVE-2026-6663— WordPress plugin GWD Connect 安全漏洞

GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent

The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

授权机制缺失

WordPress plugin GWD Connect 安全漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin GWD Connect 2.9及之前版本存在安全漏洞，该漏洞源于插件独立代理端点未验证身份验证，可能导致未经身份验证的攻击者在未注册安装上执行任意代码。

N/A

N/A