Hackers Exploit Information Disclosure Vulnerability in Gravity SMTP WordPress Plugin
Security researchers report that threat actors are exploiting an unauthenticated information disclosure vulnerability in Gravity SMTP, a popular WordPress plugin active on more than 100,000 websites.
The vulnerability, tracked as CVE-2026-4020 and rated medium severity, affects all versions of the plugin prior to 2.1.5. The fix shipped in version 2.1.5, released on March 17.
Defiant, the WordPress security company behind Wordfence, has issued a warning that the vulnerability is under active exploitation; its Wordfence firewall has already blocked more than 17 million exploit attempts against the sites it protects.
The vulnerability stems from a REST API endpoint in Gravity SMTP whose ‘permission_callback’ always returns ‘true’, so WordPress performs no authentication or capability check before running the route. As a result, an unauthenticated GET request to the endpoint returns the plugin’s detailed JSON “System Report”, which includes API keys, email service credentials, WordPress configuration details, server information, and database configuration.
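To make the flaw concrete, the following is an added illustration written for this article, not Gravity SMTP’s own code: a REST route registered with the public ‘__return_true’ permission callback, next to the same route gated on a capability. The namespace, route, option name and report fields are assumptions.

```php
<?php
// Added illustration, not Gravity SMTP's code. Namespace, route, option name
// and report fields are assumptions chosen for the example.

// Vulnerable pattern: '__return_true' tells the REST API that everyone is
// allowed, so the callback runs for any anonymous GET request.
add_action('rest_api_init', function () {
    register_rest_route('example-smtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,     // GET
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => '__return_true',              // BUG: no auth check
    ]);
});

// Hardened pattern: require a logged-in administrator. WordPress only honours
// cookie authentication when a valid X-WP-Nonce header is present, so a
// cross-site GET riding an admin's cookies is treated as anonymous and
// rejected as well.
add_action('rest_api_init', function () {
    register_rest_route('example-smtp/v1', '/tests/mock-data-hardened', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!current_user_can('manage_options')) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __('You are not allowed to view the system report.'),
                    ['status' => rest_authorization_required_code()]
                );
            }
            return true;
        },
    ]);
});

// Report generator shared by both routes. Even behind a capability check a
// support report should not carry raw secrets; mask them before returning.
function example_smtp_system_report(WP_REST_Request $request): WP_REST_Response {
    $api_key = (string) get_option('example_smtp_api_key', '');   // assumed option name
    return new WP_REST_Response([
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo('version'),
        'api_key'     => example_smtp_mask($api_key),
    ]);
}

// Keep only the last four characters so a key can be identified but not reused.
function example_smtp_mask(string $secret): string {
    if (strlen($secret) <= 4) {
        return str_repeat('*', strlen($secret));
    }
    return str_repeat('*', strlen($secret) - 4) . substr($secret, -4);
}
```

With the hardened route, an anonymous request such as `curl https://example.com/wp-json/example-smtp/v1/tests/mock-data-hardened` gets a 401 ‘rest_forbidden’ response instead of the report, while the same request against the vulnerable route returns the JSON body. Checking that an anonymous request to the affected endpoint no longer returns the report is likewise a quick way to confirm that the 2.1.5 update took effect on a live site.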
Despite the medium severity rating, CVE-2026-4020 is a serious threat: it needs no authentication, and the email service credentials it exposes can be stolen outright.
With those credentials an attacker can send mail as the victim site, impersonating it to third parties, and the rest of the report gives a detailed picture of the site’s software stack and a head start in finding further weaknesses.
Wordfence researchers caution that exposing live third-party API credentials lets attackers abuse the site’s connected email services, while the detailed system report makes follow-on attacks against the site easier to plan.
According to Wordfence, exploitation spiked on June 7, when 4 million attack attempts were blocked in a single day, and activity stayed at similar levels over the following days.
The firm has also published the most active source IP addresses behind the exploit requests, and website administrators are advised to block them.
The key indicator of compromise is requests to ‘/wp-json/gravitysmtp/v1/tests/mock-data’ in web server access logs, particularly those carrying the ‘?page=gravitysmtp-settings’ query parameter. Administrators who find such requests logged from before the plugin was updated should assume the report, and the credentials in it, were obtained, and rotate the exposed keys.
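As an added example, not Wordfence’s own tooling, the following PHP script scans an access log in combined log format for that indicator and summarises hits per source IP, which also yields the per-address counts needed to act on the blocking advice above. The log lines embedded in it are constructed for the example and use documentation address ranges.

```php
<?php
// Added example, not Wordfence's code: scan a combined-format access log for
// requests to the Gravity SMTP system-report endpoint and summarise them per
// source IP. The sample lines below are constructed and use documentation
// address ranges, not real attacker addresses.

const IOC_PATH = '/wp-json/gravitysmtp/v1/tests/mock-data';
const IOC_PAGE = 'gravitysmtp-settings';

// ip ident user [time] "METHOD target HTTP/x" status ...
const LOG_RE = '~^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) ~';

/** Returns [ip => ['requests' => n, 'with_page_param' => n, 'served_200' => n]], busiest IP first. */
function scan_access_log(iterable $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                                   // not a combined-format line
        }
        $url = parse_url($m['target']);
        if ($url === false || ($url['path'] ?? '') !== IOC_PATH) {
            continue;                                   // some other endpoint
        }
        parse_str($url['query'] ?? '', $params);
        $ip = $m['ip'];
        $hits[$ip] ??= ['requests' => 0, 'with_page_param' => 0, 'served_200' => 0];
        $hits[$ip]['requests']++;
        if (($params['page'] ?? '') === IOC_PAGE) {
            $hits[$ip]['with_page_param']++;
        }
        if ($m['status'] === '200') {
            // On an unpatched site a 200 to this anonymous GET means the report was handed out.
            $hits[$ip]['served_200']++;
        }
    }
    uasort($hits, fn($a, $b) => $b['requests'] <=> $a['requests']);
    return $hits;
}

// Constructed sample log (documentation IPs). Two hits from one address, one
// refused attempt from another, one unrelated request and one unparseable line.
$sample = [
    '203.0.113.10 - - [07/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [07/Jun/2026:10:14:03 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2026:11:02:55 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 78 "-" "curl/8.0"',
    '192.0.2.44 - - [07/Jun/2026:11:05:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
];

// Pass a real log as the first argument; otherwise the constructed sample is used.
$lines = $argc > 1 ? new SplFileObject($argv[1]) : $sample;
foreach (scan_access_log($lines) as $ip => $c) {
    printf("%-16s requests=%d with_page_param=%d served_200=%d\n",
        $ip, $c['requests'], $c['with_page_param'], $c['served_200']);
}
```

Run it as `php scan.php /var/log/apache2/access.log` (PHP 7.4 or later for the arrow function and `??=`). The `served_200` column is the one that matters for incident response: an address that received a 200 before the site was updated is evidence the report was delivered, whereas a 401 or 403 shows the request was refused.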
Defiant also recently issued a separate advisory for a critical unauthenticated arbitrary file deletion flaw in the Avada Builder WordPress plugin, which is used on about one million websites.
That vulnerability, tracked as CVE-2026-8713, lets attackers delete essential files on the server through a path traversal flaw. If a published Avada form is configured to save submissions to the database, the flaw can be chained into a full site takeover and remote code execution.
The issue is fixed in version 3.15.4, and administrators are strongly encouraged to upgrade without delay. No active exploitation of CVE-2026-8713 had been observed at the time of the advisory, but its severity warrants prompt patching.
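The advisory summary above does not say how Avada’s deletion handler is written, so the following is a generic added illustration, not Avada’s code, of an arbitrary file deletion through path traversal beside a handler confined to one directory with realpath(). The directory layout and the name parameter are assumptions for the example.

```php
<?php
// Added illustration, not Avada's code: the general shape of an arbitrary file
// deletion through path traversal, next to a handler confined to one directory.
// Directory layout and the $name parameter are assumptions for the example.

// Vulnerable: the caller-controlled name is joined to the directory and handed
// straight to unlink(). A value such as "../config.php" escapes the directory.
function delete_upload_vulnerable(string $dir, string $name): bool {
    return @unlink($dir . '/' . $name);
}

// Hardened: resolve both paths with realpath(), require the target to sit under
// the allowed directory, and only ever delete regular files. In a WordPress
// handler this belongs behind a capability and nonce check as well; the path
// check alone does not fix a missing authorization check.
function delete_upload_safe(string $dir, string $name): bool {
    $base = realpath($dir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . '/' . $name);
    if ($target === false || !is_file($target)) {
        return false;                         // missing, or not a regular file
    }
    // realpath() has removed every ".." and symlink, so a prefix test is sound.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;                         // outside $base: traversal attempt
    }
    return unlink($target);
}

// Constructed demo tree: a config file outside uploads/ and one file inside it.
$root = sys_get_temp_dir() . '/deldemo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/config.php", "<?php // secret\n");
file_put_contents("$root/uploads/a.txt", "ok");

$refused = delete_upload_safe("$root/uploads", '../config.php');       // traversal attempt
$removed = delete_upload_safe("$root/uploads", 'a.txt');               // legitimate delete
$escaped = delete_upload_vulnerable("$root/uploads", '../config.php'); // same traversal, no check

printf("safe handler refused traversal: %s\n", var_export(!$refused, true));
printf("safe handler deleted a.txt: %s\n", var_export($removed, true));
printf("vulnerable handler escaped uploads/: %s\n",
    var_export($escaped && !file_exists("$root/config.php"), true));

// Clean up the scratch tree.
array_map('unlink', glob("$root/*.php") ?: []);
rmdir("$root/uploads");
rmdir($root);
```

Run with `php traversal_demo.php`: the hardened handler refuses ‘../config.php’ and deletes only ‘a.txt’, while the vulnerable one removes the file outside the upload directory. The prefix comparison includes the trailing separator so that a sibling directory such as ‘uploads2’ cannot pass as being inside ‘uploads’.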