Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, which is active on 100,000 websites.
The flaw is tracked as CVE-2026-4020 and is rated medium severity. It affects all versions of the plugin prior to 2.1.4 and was resolved in version 2.1.5, released on March 17.
WordPress security firm Defiant warns that hackers are actively exploiting this vulnerability. The company's Wordfence firewall has blocked more than 17 million attempts against its protected customers.
The issue stems from a REST API endpoint exposed by Gravity SMTP. The endpoint's 'permission_callback' always returns 'true', allowing unauthenticated GET requests to retrieve the comprehensive JSON 'system report' generated by the plugin. The disclosed information may include:
- API key, secret, and OAuth token for the configured email integration
- Credentials for third-party email providers such as Amazon SES, Google, Mailjet, Resend, Zoho, and others
- WordPress configuration details such as installed plugins, themes, and software versions
- Server and PHP environment information
- Database configuration details such as server version and table names
Although CVE-2026-4020 is rated medium severity, it can be exploited without authentication, and the exposed information can be used to steal email service credentials.
This allows an attacker to impersonate the victim to third parties and obtain detailed information about the site's software stack and any potential vulnerabilities present.
“Exposing live third-party API credentials means attackers can exploit email services connected to your site, while detailed system reporting significantly reduces the effort required to plan further attacks against your site,” Wordfence researchers warn.
Wordfence said there was a spike in abuse activity on June 7, with 4 million requests blocked that day. Similar activity was recorded for several days thereafter.

Source: Wordfence
The security company has listed the highest-volume source IP addresses for exploit requests, which website administrators should add to their blocklists.
The primary indicators of compromise are requests to “/wp-json/gravitysmtp/v1/checks/mock-data” found in the web server's access logs, particularly requests containing the “?page=gravitysmtp-settings” query parameter.
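A small access-log scan for the indicators above, written here as an added example rather than anything published by Wordfence. It assumes Apache/nginx combined log format and uses constructed sample lines with RFC 5737 documentation addresses; it flags every request to the mock-data endpoint, marks those carrying the gravitysmtp-settings parameter, and treats an HTTP 200 as a likely disclosure of the system report.

```python
import re
from collections import Counter

# Request path and query parameter the advisory names as indicators of compromise.
IOC_PATH = "/wp-json/gravitysmtp/v1/checks/mock-data"
IOC_PARAM = "page=gravitysmtp-settings"

# Apache/nginx "combined" access-log line: ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample lines using RFC 5737 documentation addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Jun/2026:10:02:11 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8421 "-" "python-requests/2.31"',
    '203.0.113.10 - - [07/Jun/2026:10:02:12 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.7 - - [07/Jun/2026:10:05:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2026:10:06:01 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8421 "-" "curl/8.4.0"',
]

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Flag a parsed record that hits the endpoint; None for any other request."""
    path, _, query = rec["target"].partition("?")
    if path.rstrip("/") != IOC_PATH:
        return None
    rec["has_param"] = IOC_PARAM in query   # stronger indicator named in the advisory
    rec["served"] = rec["status"] == "200"  # 200 means the system report was likely returned
    return rec

def scan(lines):
    """Return (hits, per_ip): matching requests and a request count per source IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and classify(rec):
            hits.append(rec)
            per_ip[rec["ip"]] += 1
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} status={h["status"]} param={h["has_param"]} served={h["served"]}')
    print("requests per source IP:", per_ip.most_common())
```

Any served hit is grounds to rotate the email provider credentials the plugin holds, not just to block the source address.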
Yesterday, the company issued another advisory regarding a critical unauthenticated arbitrary file deletion flaw in the Avada Builder WordPress plugin, which is used by 1 million sites.
The vulnerability, identified as CVE-2026-8713, allows an attacker to delete arbitrary files on the server via a path traversal flaw when a published Avada form is configured to save submissions to a database.
Deleting important files such as wp-config.php can revert the site to its initial setup state, potentially leading to a complete site takeover and remote code execution.
The issue has been fixed in version 3.15.4, which is the recommended upgrade for site administrators. Although active exploitation of CVE-2026-8713 has not yet been observed, it is a strong candidate, and we recommend immediate action.
