Vulnerability Management

WordPress plugin Gravity SMTP exploited for sensitive information disclosure

Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, which is installed on over 100,000 websites. The flaw, tracked as CVE-2026-4020, allows attackers to gather sensitive data from affected sites, based on information published by Bleeping Computer.

The vulnerability resides in an exposed REST API endpoint within the Gravity SMTP plugin. Attackers can send unauthenticated GET requests to retrieve a detailed "System Report." This report may include API keys, secrets, OAuth tokens, credentials for email services like Amazon SES and Google, WordPress configuration details, server information, and database configurations. Although rated medium severity, the unauthenticated nature of the exploit and the potential to steal email service credentials make it a significant risk.

Wordfence has blocked over 17 million exploit attempts, with a notable spike on June 7. The exposed information can be used to impersonate the victim to third parties and plan further attacks. A separate advisory warns of a critical file deletion vulnerability (CVE-2026-8713) in the Avada Builder plugin, though no exploitation has been observed yet.

Source: Bleeping Computer
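To make the class of bug concrete, here is an added illustration (not Gravity SMTP's code, nor anything from the plugin or the advisory) of how a diagnostic REST route in WordPress ends up readable by anyone, beside the hardened form: the weak route uses a `permission_callback` of `__return_true`, while the fixed route requires an administrator capability and redacts credential fields before responding. All route, option and field names below are assumptions for illustration.

```php
<?php
// Added example, not Gravity SMTP code. Route names, option names and report
// fields are assumed for illustration and are not the plugin's real ones.

add_action('rest_api_init', function () {
    // WEAK: __return_true as permission_callback means any unauthenticated GET
    // can read the full report, which is the flaw class described in the article.
    register_rest_route('example-smtp/v1', '/system-report-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_build_report',
        'permission_callback' => '__return_true',
    ));

    // HARDENED: only administrators may read it, and secrets are redacted anyway.
    register_rest_route('example-smtp/v1', '/system-report', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_build_redacted_report',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ));
});

function example_smtp_build_report() {
    // Raw report: pulls integration credentials straight out of the options table.
    return rest_ensure_response(array(
        'php_version'    => PHP_VERSION,
        'ses_access_key' => get_option('example_smtp_ses_access_key'),
        'ses_secret_key' => get_option('example_smtp_ses_secret_key'),
        'oauth_token'    => get_option('example_smtp_google_oauth_token'),
    ));
}

function example_smtp_redact($value) {
    // Report only whether a credential is configured, never its value.
    if (!is_string($value) || $value === '') {
        return '(not set)';
    }
    return '(configured, redacted)';
}

function example_smtp_build_redacted_report() {
    $report = example_smtp_build_report()->get_data();
    foreach (array('ses_access_key', 'ses_secret_key', 'oauth_token') as $key) {
        $report[$key] = example_smtp_redact($report[$key]);
    }
    return rest_ensure_response($report);
}
```

When auditing a plugin, grep its `register_rest_route` calls for `__return_true` (or a missing `permission_callback`) on any route whose callback touches options, credentials or environment details.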