GWD Connect Security & Risk Analysis

wordpress.org/plugins/graphic-web-design-inc

Automatic backups, log monitoring with size alerts, uptime tracking, auto-updates, and a bulk migration REST API for WordPress.

20 active installs · v2.9 · PHP 8.1+ · WP 6.0+ · Updated Mar 11, 2026
Tags: auto-update, backup, log-monitor, migration, uptime
Score: 78/100 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: May 11, 2026
Safety Verdict

Is GWD Connect Safe to Use in 2026?

Mostly Safe

Score 78/100

GWD Connect is generally safe to use. 1 past CVE was resolved.

1 known CVE · 1 unpatched · Last CVE: May 11, 2026 · Updated 2mo ago
Risk Assessment

The "graphic-web-design-inc" plugin version 2.9 presents a mixed security posture. While it boasts a clean vulnerability history with no known CVEs, indicating good maintenance or a lack of past exploitable issues, the static analysis reveals significant concerns. All of the AJAX handlers (4 out of 4) lack authentication checks, creating a substantial attack surface that could be exploited by unauthenticated users. The presence of dangerous functions such as 'exec' and 'unserialize' is also a red flag, as these can lead to arbitrary code execution if improperly handled. The taint analysis shows flows with unsanitized paths; although they are not currently categorized as critical or high severity, they still warrant attention for potential future exploitation. On the positive side, the plugin uses prepared statements for most SQL queries (78%) and has a decent number of nonce checks and capability checks. However, the number of unprotected entry points is concerning and outweighs the positive aspects. Overall, while the plugin hasn't had publicly disclosed vulnerabilities, the code itself contains elements that pose a latent risk, particularly the unprotected AJAX endpoints and dangerous function usage.

Key Concerns

  • 4 AJAX handlers without auth checks
  • Use of dangerous functions (exec, unserialize)
  • Flows with unsanitized paths in taint analysis
  • 60% properly escaped output
Vulnerabilities
1 published

GWD Connect Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-6663 · medium · 4.8 · Missing Authorization

GWD Connect <= 2.9 - Unauthenticated Limited Code Execution via update_agent

May 11, 2026 · Unpatched
Version History

GWD Connect Release Timeline

v2.9 · Current · 1 CVE
v2.8 · 1 CVE
v2.6 · 1 CVE
v1.5 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

GWD Connect Code Analysis

Dangerous Functions: 18
Raw SQL Queries: 10 (36 prepared)
Unescaped Output: 219 (332 escaped)
Nonce Checks: 25
Capability Checks: 11
File Operations: 158
External Requests: 12
Bundled Libraries: 0

Dangerous Functions Found

exec · exec($cmd, $output, $returnCode); · gwd-backup.php:496
exec · exec($cmd, $output, $returnCode); · gwd-backup.php:891
exec · exec(escapeshellcmd($tar) . ' -tzf ' . escapeshellarg($archiveFile) . ' > /dev/null 2>&1', $output, · gwd-backup.php:1368
exec · exec("command -v {$path} 2>/dev/null", $output, $returnCode); · gwd-backup.php:1864
exec · exec("command -v {$path} 2>/dev/null", $output, $returnCode); · gwd-backup.php:1884
exec · exec('php -l ' . escapeshellarg($tmpFile) . ' 2>&1', $output, $returnCode); · gwd-backup.php:2587
exec · exec('php -l ' . escapeshellarg($tmpFile) . ' 2>&1', $output, $returnCode); · gwd-backup.php:3101
unserialize · $data = @unserialize($content); · gwd-logs.php:1049
exec · exec("command -v {$path} 2>/dev/null", $output, $code); · includes\class-gwd-backups.php:293
exec · exec("command -v {$path} 2>/dev/null", $output, $code); · includes\class-gwd-backups.php:314
exec · exec($cmd, $output, $return_code); · includes\class-gwd-backups.php:370
exec · exec($cmd_redirect, $output, $return_code); · includes\class-gwd-backups.php:388
exec · exec($cmd, $output, $return_code); · includes\class-gwd-backups.php:553
exec · exec($cmd, $output, $code); · includes\class-gwd-database.php:196
exec · @exec("tar tzf $escaped 2>/dev/null | wc -l", $output, $code); · includes\class-gwd-filesystem.php:151
exec · @exec("tar xzf $escaped_archive -C $escaped_dest 2>&1", $output, $code); · includes\class-gwd-filesystem.php:266
exec · exec('command -v mysql 2>/dev/null', $output, $code); · includes\class-gwd-helpers.php:223
unserialize · $unserialized = @unserialize($value, array('allowed_classes' => false)); · includes\class-gwd-url-replacer.php:252

SQL Query Safety

78% prepared · 46 total queries

Output Escaping

60% escaped · 551 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

8 flows · 4 with unsanitized paths
handleAdminInterface (gwd-backup.php:3199)
Attack Surface
4 unprotected

GWD Connect Attack Surface

Entry Points: 6
Unprotected: 4

AJAX Handlers: 4

auth · wp_ajax_gwd_backup_progress · graphic-web-design-inc.php:962
auth · wp_ajax_gwd_trigger_backup · graphic-web-design-inc.php:972
auth · wp_ajax_gwd_cancel_backup · graphic-web-design-inc.php:988
auth · wp_ajax_gwd_uptime_check_now · graphic-web-design-inc.php:1001

REST API Routes: 2

GET · /wp-json/gwd-backup/v1/agent · graphic-web-design-inc.php:396
GET · /wp-json/gwd-logs/v1/agent · graphic-web-design-inc.php:553

WordPress Hooks: 26

action · admin_notices · graphic-web-design-inc.php:27
action · admin_init · graphic-web-design-inc.php:66
action · init · graphic-web-design-inc.php:76
action · admin_init · graphic-web-design-inc.php:81
filter · automatic_updater_disabled · graphic-web-design-inc.php:109
filter · allow_minor_auto_core_updates · graphic-web-design-inc.php:110
filter · allow_major_auto_core_updates · graphic-web-design-inc.php:111
filter · auto_update_plugin · graphic-web-design-inc.php:112
filter · auto_update_theme · graphic-web-design-inc.php:113
filter · auto_update_translation · graphic-web-design-inc.php:114
action · upgrader_process_complete · graphic-web-design-inc.php:121
action · admin_init · graphic-web-design-inc.php:228
action · rest_api_init · graphic-web-design-inc.php:541
action · rest_api_init · graphic-web-design-inc.php:542
action · rest_api_init · graphic-web-design-inc.php:543
action · gwd_uptime_cron_check · graphic-web-design-inc.php:930
action · gwd_backup_cron_run · graphic-web-design-inc.php:936
action · gwd_logs_size_check · graphic-web-design-inc.php:942
filter · cron_schedules · graphic-web-design-inc.php:949
filter · all_plugins · graphic-web-design-inc.php:1020
filter · plugin_action_links · graphic-web-design-inc.php:1033
action · admin_menu · graphic-web-design-inc.php:1046
action · admin_bar_menu · graphic-web-design-inc.php:1123
action · wp_dashboard_setup · graphic-web-design-inc.php:1194
action · admin_head · graphic-web-design-inc.php:1463
action · admin_enqueue_scripts · graphic-web-design-inc.php:1527

Scheduled Events: 1

gwd_logs_size_check
Maintenance & Trust

GWD Connect Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 8.1
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 20
Developer Profile

GWD Connect Developer Profile

graphicwebdesigninc

1 plugin · 20 total installs

Trust score: 79
Avg Security Score: 78/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect GWD Connect

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/graphic-web-design-inc/css/gwd-connect-admin-style.css
  • /wp-content/plugins/graphic-web-design-inc/js/gwd-connect-admin-script.js
  • /wp-content/plugins/graphic-web-design-inc/js/gwd-connect-main-script.js
Version Parameters
  • graphic-web-design-inc/css/gwd-connect-admin-style.css?ver=
  • graphic-web-design-inc/js/gwd-connect-admin-script.js?ver=
  • graphic-web-design-inc/js/gwd-connect-main-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • gwd-connect-admin-page
  • gwd-connect-status-table
  • gwd-connect-logs-table
HTML Comments
  • <!-- GWD Connect Plugin -->
  • <!-- GWD Connect Shortcode -->
  • <!-- End GWD Connect Shortcode -->
Data Attributes
  • data-gwd-connect-setting
  • data-gwd-connect-log-id
JS Globals
  • gwdConnectAdmin
  • GwdConnectLogs
  • GwdConnectBackups
REST Endpoints
  • /wp-json/gwd-connect/v1/migrate
  • /wp-json/gwd-connect/v1/settings
  • /wp-json/gwd-connect/v1/logs
Shortcode Output
  • [gwd_connect_status]
  • [gwd_connect_logs]
  • [gwd_connect_backups]
FAQ

Frequently Asked Questions about GWD Connect