Hackers are actively exploiting a security flaw in the Gravity SMTP plugin for WordPress, affecting more than 100,000 websites.
Tracked as CVE-2026-4020, the vulnerability impacts Gravity SMTP versions 2.1.4 and earlier. The issue was fixed in version 2.1.5, which was released on March 17.
WordPress security firm Wordfence said it has blocked more than 17 million exploitation attempts targeting websites protected by its firewall.
The flaw is caused by an exposed REST API endpoint in Gravity SMTP. Because the endpoint’s permission check always returns true, attackers can send unauthenticated GET requests and access a detailed system report generated by the plugin.
The exposed report may contain API keys, secrets, and OAuth tokens used for email integrations. It can also reveal credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho, along with WordPress configuration details, installed plugins and themes, software versions, server information, PHP environment details, and database configuration data.
Although the vulnerability has been assigned a medium severity rating, researchers warn that the exposed information could allow attackers to steal email service credentials, impersonate victims, and gather intelligence for future attacks.
According to Wordfence, exploitation activity surged on June 7, when its firewall blocked around four million requests in a single day. Similar levels of attack activity continued in the following days.
Website administrators are advised to update Gravity SMTP to version 2.1.5 or later and review server access logs for requests to “/wp-json/gravitysmtp/v1/tests/mock-data,” especially those containing the “?page=gravitysmtp-settings” parameter.
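As an added illustration of the log review recommended above (example code written for this article, not Wordfence's or the plugin's own), the following Python scans Apache/Nginx combined-format access log lines for the mock-data endpoint, percent-decodes obfuscated variants, checks for the settings-page parameter, and separates requests that were actually served (2xx) from ones a firewall blocked. The log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the advice above; anonymous requests to it are the indicator.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
# Apache/Nginx combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Constructed sample lines (not real traffic); the 403 is what a firewall block looks like.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jun/2026:10:01:13 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data/ HTTP/1.1" 200 47990 "-" "python-requests/2.31"
198.51.100.7 - - [07/Jun/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Jun/2026:10:03:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp%2Dsettings HTTP/1.1" 403 152 "-" "curl/8.4"
"""

def find_suspicious(log_text: str) -> list[dict]:
    """One record per request to the mock-data endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Percent-decode and drop a trailing slash so obfuscated variants still match.
        if unquote(parts.path).rstrip("/") != VULN_PATH:
            continue
        query = parse_qs(parts.query)  # values are percent-decoded too
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "settings_page": query.get("page", [""])[0] == "gravitysmtp-settings",
            "served": 200 <= status < 300,  # 2xx: report delivered, not blocked
        })
    return hits

def exposed_sources(hits: list[dict]) -> dict[str, int]:
    """Served requests per client IP. Any entry here means the report (and the
    credentials inside it) left the server, so those secrets should be rotated."""
    counts: dict[str, int] = {}
    for h in hits:
        if h["served"]:
            counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts
```

A non-empty result from `exposed_sources` is the cue to rotate the email-service keys and tokens the report contains, not just to update the plugin.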
Wordfence also issued a separate warning about a critical vulnerability in the Avada Builder WordPress plugin, which is installed on around one million websites.
Tracked as CVE-2026-8713, the flaw allows unauthenticated attackers to delete arbitrary files through a path traversal issue when a published Avada form is configured to save submissions to the database.
By deleting critical files such as “wp-config.php,” attackers could force a website back into its initial setup state, potentially leading to a complete site takeover and remote code execution.
The issue was fixed in Avada Builder version 3.15.4. While there is no evidence of active exploitation so far, administrators are urged to apply the update as soon as possible.