Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

2026-6-19 20:30:20 Author: www.bleepingcomputer.com

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites.

The flaw is tracked as CVE-2026-4020 and received a medium severity rating. It affects version 2.1.4 and all earlier versions of the plugin and has been addressed in version 2.1.5, released on March 17.

WordPress security company Defiant is warning that hackers are actively exploiting the vulnerability. The company's Wordfence firewall has blocked more than 17 million attempts against protected customers.


The issue stems from an exposed REST API endpoint in Gravity SMTP, whose ‘permission_callback’ always returns ‘true,’ allowing unauthenticated GET requests to receive a comprehensive JSON “System Report” generated by the plugin. The exposed information may contain:

  • API keys, secrets, and OAuth tokens for configured email integrations
  • Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho
  • WordPress configuration details, including installed plugins, themes, and software versions
  • Server and PHP environment information
  • Database configuration details, including server version and table names

Despite its medium-severity rating, the CVE-2026-4020 vulnerability can be exploited without authentication, and the exposed information can be used to steal email service credentials.

This allows an attacker to impersonate the victim to third parties and also to gain detailed information about the site’s software stack and the potential vulnerabilities present.

“The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site,” Wordfence researchers warn.

Wordfence says exploitation activity spiked on June 7, with 4 million requests being blocked that day. Similar activity was recorded for several days afterward.

[Figure: Exploitation volume. Source: Wordfence]

The security firm listed the most prolific source IP addresses for exploit requests, which website administrators should add to their blocklists.

A key indicator of compromise is requests to ‘/wp-json/gravitysmtp/v1/tests/mock-data’ found in web server access logs, particularly those including the ‘?page=gravitysmtp-settings’ query parameter.
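To hunt for this indicator in web server access logs, here is an added example (not from the article or from Wordfence) that scans combined-format log lines for the endpoint, flags requests carrying the settings query parameter, and counts per source IP how many were served with HTTP 200; the log lines are constructed samples.

```python
import re

# Constructed sample access-log lines (Apache/Nginx combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.7 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2026:10:01:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 0 "-" "curl/8.0"
192.0.2.55 - - [07/Jun/2026:10:02:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 4990 "-" "curl/8.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
IOC_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
IOC_QUERY = "page=gravitysmtp-settings"

def find_hits(log_text):
    """Return one record per request to the Gravity SMTP mock-data endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("path").partition("?")
        if path.rstrip("/") != IOC_PATH:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "settings_query": IOC_QUERY in query.split("&"),
            # HTTP 200 means the system report was served; 403 suggests a firewall blocked it
            "likely_exposed": m.group("status") == "200",
        })
    return hits

def summarize(hits):
    """Aggregate by source IP: total requests and how many were answered with HTTP 200."""
    per_ip = {}
    for h in hits:
        s = per_ip.setdefault(h["ip"], {"requests": 0, "served": 0})
        s["requests"] += 1
        s["served"] += h["likely_exposed"]
    return per_ip

if __name__ == "__main__":
    for ip, s in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} request(s), {s['served']} served with HTTP 200")
```

Any hit that returned HTTP 200 before the plugin was updated to 2.1.5 should be treated as a credential exposure and the connected email service keys rotated.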

Yesterday, the company issued a separate advisory about a critical, unauthenticated, arbitrary file-deletion flaw in the Avada Builder WordPress plugin, used on one million sites.

This vulnerability is identified as CVE-2026-8713 and allows attackers to delete arbitrary files on the server through a path traversal flaw, provided a published Avada form is configured to save submissions to the database.

Deleting critical files, such as wp-config.php, can revert the site to its initial setup state, potentially leading to a full site takeover and remote code execution.

The issue was fixed in version 3.15.4, which is the recommended upgrade target for website administrators. No active exploitation of CVE-2026-8713 has been observed yet, but the flaw is a likely target for attackers, so quick action is advised.



Article source: https://www.bleepingcomputer.com/news/security/hackers-exploit-info-disclosure-bug-in-gravity-smtp-wordpress-plugin/