
Hackers Exploit Gravity SMTP Plugin Bug on 100,000 WordPress Sites

100,000 sites are running a WordPress plugin with an unauthenticated information-disclosure bug that attackers are actively exploiting, according to WordPress security firm Defiant.

CVE-2026-4020: Gravity SMTP's unauthenticated REST disclosure

The flaw, tracked as CVE-2026-4020 and rated medium severity, affects all versions of the Gravity SMTP plugin up to and including 2.1.4 and was addressed in version 2.1.5, released on March 17. The root cause is an exposed REST API endpoint whose permission_callback always returns true, allowing unauthenticated GET requests to retrieve a comprehensive JSON “System Report” generated by the plugin.
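The permission pattern described above, shown beside its hardened form as an added example that is not Gravity SMTP's own code: the route path is taken from the article, while the report builder, option names and function names are assumed.

```php
<?php
// Added example, not Gravity SMTP's code: the REST permission pattern behind
// CVE-2026-4020 beside the hardened form. The report builder, option names and
// function names are assumed; only the route path comes from the article.

// Stand-in for the plugin's "System Report" builder.
function example_system_report(): array {
    return [
        'php_version'    => PHP_VERSION,
        'active_plugins' => (array) get_option('active_plugins', []),
        'smtp_api_key'   => (string) get_option('example_smtp_api_key', ''), // live secret
    ];
}

// VULNERABLE: permission_callback always returns true, so an unauthenticated
// GET /wp-json/gravitysmtp/v1/tests/mock-data receives the full report.
function example_register_vulnerable_route(): void {
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => fn(WP_REST_Request $req) => rest_ensure_response(example_system_report()),
        'permission_callback' => '__return_true',
    ]);
}

// HARDENED: require an administrator (WordPress has already validated the
// X-WP-Nonce or application-password credentials when this runs) and never
// return live credentials in a diagnostics payload.
function example_register_hardened_route(): void {
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'  => WP_REST_Server::READABLE,
        'callback' => function (WP_REST_Request $req) {
            $report = example_system_report();
            $report['smtp_api_key'] = $report['smtp_api_key'] === '' ? '' : '[redacted]';
            return rest_ensure_response($report);
        },
        'permission_callback' => function (WP_REST_Request $req) {
            if (current_user_can('manage_options')) {
                return true;
            }
            // Unauthenticated and non-admin callers get a 403 instead of the report.
            return new WP_Error('rest_forbidden', 'Administrator access required.', ['status' => 403]);
        },
    ]);
}

// Only the hardened registration is hooked; the vulnerable one is kept for contrast.
add_action('rest_api_init', 'example_register_hardened_route');
```

Redaction matters independently of the permission check: an administrator's diagnostics export can still be copied into a support ticket, so secrets should not appear in it at all.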

What the exposed “System Report” contains

Defiant’s Wordfence researchers say the JSON report can include highly sensitive operational and credential data. Specifically, the exposed information may contain API keys, secrets, and OAuth tokens for configured email integrations; credentials for third-party email services including Amazon SES, Google, Mailjet, Resend, and Zoho; WordPress configuration details such as installed plugins, themes, and software versions; server and PHP environment information; and database configuration details including server version and table names.

Those disclosures are not theoretical: Wordfence warns that the exposure of live third-party API credentials “means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site.” The firm also notes that the exposed information can be used to impersonate the victim to third parties and to map the site’s software stack for follow-on exploits.

Active exploitation and Wordfence telemetry

Defiant says its Wordfence firewall has blocked more than 17 million exploit attempts against protected customers targeting this vulnerability. Exploitation activity spiked on June 7, when Wordfence recorded and blocked about 4 million requests in a single day, and similar activity continued for several days afterward.

Wordfence has published the most prolific source IP addresses it saw making exploit requests and recommends administrators add those addresses to blocklists.

Indicators, blocklists, and the recommended upgrades

Administrators should search web server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially those that include the ?page=gravitysmtp-settings query parameter, which Wordfence calls a key indicator of compromise. For mitigation, the vulnerability is fixed in Gravity SMTP version 2.1.5; sites running earlier versions are vulnerable and should be upgraded to the patched release.
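A log hunt for the indicator described above, as an added example that is neither Wordfence's nor the article's code: it parses combined-format access-log lines, matches the endpoint in both its /wp-json form and the ?rest_route= fallback WordPress also accepts, flags the ?page=gravitysmtp-settings parameter, and tallies source IPs for blocklist review. The sample lines are constructed and the IPs come from documentation ranges.

```php
<?php
// Added example, not Wordfence's or the article's code. Sample log lines are
// constructed; IPs are RFC 5737 documentation addresses.

const GSMTP_ROUTE = '/gravitysmtp/v1/tests/mock-data';
// Combined log format: ip ident user [time] "METHOD URI PROTO" status bytes ...
const LOG_RE = '~^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<m>[A-Z]+) (?<uri>\S+)[^"]*" (?<st>\d{3})~';

function hunt_gravity_smtp(iterable $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $g)) {
            continue; // not a parseable access-log line
        }
        $u = parse_url($g['uri']);
        parse_str($u['query'] ?? '', $q);
        $path = rtrim($u['path'] ?? '', '/');
        // Both the pretty-permalink URL and the ?rest_route= fallback reach the route.
        $isRoute = $path === '/wp-json' . GSMTP_ROUTE || ($q['rest_route'] ?? '') === GSMTP_ROUTE;
        if (!$isRoute) {
            continue;
        }
        $hits[] = [
            'ip'      => $g['ip'],
            'time'    => $g['ts'],
            'status'  => (int) $g['st'],
            'key_ioc' => ($q['page'] ?? '') === 'gravitysmtp-settings',
            'served'  => $g['st'] === '200', // a 200 means the report body was returned
        ];
    }
    return $hits;
}

function tally_by_ip(array $hits): array {
    $n = [];
    foreach ($hits as $h) {
        $n[$h['ip']] = ($n[$h['ip']] ?? 0) + 1;
    }
    arsort($n);
    return $n;
}

$sample = [
    '203.0.113.7 - - [07/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '198.51.100.4 - - [07/Jun/2026:10:01:15 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 211 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jun/2026:10:02:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '192.0.2.9 - - [07/Jun/2026:10:03:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
];

$hits = hunt_gravity_smtp($sample);
foreach ($hits as $h) {
    printf("%-13s %s status=%d key_ioc=%s served=%s\n", $h['ip'], $h['time'], $h['status'],
        $h['key_ioc'] ? 'yes' : 'no', $h['served'] ? 'yes' : 'no');
}
print_r(tally_by_ip($hits)); // 203.0.113.7 => 2, 198.51.100.4 => 1
```

Treat any request to the endpoint that was served with a 200 before the upgrade to 2.1.5 as a disclosure of the report, and rotate the integration credentials it would have contained rather than only blocking the source IP.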

CVE-2026-8713: related advisory on Avada Builder and file deletion

Separately, Defiant issued an advisory about a critical, unauthenticated arbitrary file-deletion flaw in the Avada Builder WordPress plugin, tracked as CVE-2026-8713. Avada Builder is used on about one million sites, and the flaw allows attackers to delete arbitrary files on the server via a path traversal issue when a published Avada form is configured to save submissions to the database. Deleting critical files such as wp-config.php can revert a site to its initial setup state, which Defiant warns could lead to a full site takeover and remote code execution.

The Avada issue is fixed in Avada Builder version 3.15.4, which Defiant recommends as the upgrade target. While no active exploitation of CVE-2026-8713 has been observed yet, Defiant characterizes the flaw as “a good candidate” for exploitation and advises quick action.

What this means for website administrators, security teams, and third-party email providers

  • Website administrators: Immediately upgrade Gravity SMTP to version 2.1.5 if you run a vulnerable version, and upgrade Avada Builder to 3.15.4 where applicable. Check server logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data and review any listed source IPs from Wordfence for blocking.
  • Security teams and incident responders: Treat Wordfence’s telemetry (more than 17 million blocked attempts and a June 7 spike of about 4 million requests) as a sign of broad scanning and active exploitation. Hunt for exposed API keys, OAuth tokens, and database identifiers, and validate whether any third-party email credentials have been disclosed and used.
  • Third-party email providers named in the report: Amazon SES, Google, Mailjet, Resend, and Zoho are listed as services whose credentials may appear in the exposed report. These providers should be aware that disclosed credentials could be abused to impersonate customers or send mail via compromised integrations.

The immediate fix is unambiguous: apply the vendor patches — Gravity SMTP 2.1.5 and Avada Builder 3.15.4 — and use the specific access-log indicator and Wordfence’s blocked-IP lists to hunt and block ongoing exploitation. The sharper takeaway is procedural: unauthenticated endpoints that reveal configuration dumps and live credentials create low-effort, high-impact paths for attackers, and telemetry from firms like Wordfence shows how quickly threat actors will probe and weaponize such disclosures.

Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-info-disclosure-bug-in-gravity-smtp-wordpress-plugin/