

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is active on 100,000 websites.
The flaw is tracked as CVE-2026-4020 and received a medium-severity rating. It affects all versions of the plugin up to and including 2.1.4 and was fixed in version 2.1.5, released on March 17.
WordPress security company Defiant is warning that hackers are actively exploiting the vulnerability. The company's Wordfence firewall has blocked more than 17 million exploitation attempts against the customers it protects.
The issue stems from an exposed REST API endpoint in Gravity SMTP whose 'permission_callback' always returns 'true', allowing unauthenticated GET requests to retrieve a comprehensive JSON "System Report" generated by the plugin. The exposed data can include:
Despite its medium-severity rating, CVE-2026-4020 can be exploited without authentication, and the exposed data can be used to steal email service credentials.
This allows an attacker to impersonate the victim to third parties and also to obtain detailed information about the site's software stack and any vulnerabilities that may be present.
"The exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system listing significantly lowers the effort required to plan further attacks against the site," Wordfence researchers warn.
Wordfence says exploitation activity spiked on June 7, with 4 million requests blocked that day. Similar activity was recorded for several days afterward.

The security firm listed the most prolific source IP addresses for exploit requests, which website administrators should add to their blocklists.
A key indicator of compromise is requests to '/wp-json/gravitysmtp/v1/assessments/mock-data' appearing in web server access logs, particularly those including the '?page=gravitysmtp-settings' query parameter.
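As an added example (not code from the article or from Wordfence), the script below runs the indicator above over web server access logs: it parses Apache/nginx combined-format lines, flags requests to the Gravity SMTP endpoint, separates out the ones carrying the 'page=gravitysmtp-settings' parameter, and counts hits per source IP and how many were answered with a 200 rather than blocked. The log lines are constructed for this example and use RFC 5737 documentation addresses, not the IPs Wordfence published.

```python
"""Added example, not from the article or Wordfence: hunt for the
CVE-2026-4020 indicator of compromise in Apache/nginx access logs.
Assumes the combined log format; sample lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and query parameter named in the advisory text above.
IOC_PATH = "/wp-json/gravitysmtp/v1/assessments/mock-data"
IOC_QUERY = {"page": "gravitysmtp-settings"}

# Combined format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (documentation IPs from RFC 5737, not real attackers).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jun/2026:10:15:01 +0000] "GET /wp-json/gravitysmtp/v1/assessments/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jun/2026:10:15:03 +0000] "GET /wp-json/gravitysmtp/v1/assessments/mock-data HTTP/1.1" 200 4812 "-" "python-requests/2.31"
192.0.2.44 - - [07/Jun/2026:10:16:10 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2026:10:16:12 +0000] "GET /wp-json/gravitysmtp/v1/assessments/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Jun/2026:10:17:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = unquote(parts.path)            # catch percent-encoded variants
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return None for unrelated requests, 'probe' for hits on the endpoint, and
    'probe+settings-param' when the query parameter from the advisory is present."""
    if rec is None or rec["path"].rstrip("/") != IOC_PATH:
        return None
    if all(rec["query"].get(k) == v for k, v in IOC_QUERY.items()):
        return "probe+settings-param"
    return "probe"


def scan(log_text):
    """Return a list of flagged requests (ip, time, status, kind) in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        kind = classify(rec)
        if kind:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "status": rec["status"], "kind": kind})
    return hits


def summarize(hits):
    """Per-IP counts plus how many probes got a 200, i.e. the plugin served the
    report rather than the request being blocked (403) or rejected."""
    return {"by_ip": dict(Counter(h["ip"] for h in hits)),
            "total": len(hits),
            "served_200": sum(1 for h in hits if h["status"] == 200)}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h)
    print(summarize(found))
```

A 200 on a probe is the line that matters for scoping: it means an unpatched plugin returned the report to that client, so the credentials in it should be rotated regardless of whether the IP is later blocked.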
The day before, the company issued a separate advisory about a critical, unauthenticated, arbitrary file-deletion flaw in the Avada Builder WordPress plugin, used on 1,000,000 websites.
This vulnerability is tracked as CVE-2026-8713 and allows attackers to delete arbitrary files on the server via a path traversal flaw, provided a published Avada form is configured to save submissions to the database.
Deleting critical files such as wp-config.php can revert the site to its initial setup state, potentially resulting in a full site takeover and remote code execution.
The issue was fixed in version 3.15.4, which is the recommended upgrade target for website administrators. No active exploitation of CVE-2026-8713 has been observed yet, but it is a likely candidate, so prompt action is advised.
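The article does not show Avada's code, so the following is an added, generic illustration (not the plugin's own code) of the bug class just described: a file-deletion routine that string-joins a caller-controlled name onto an uploads directory, beside a hardened resolver that resolves symlinks and requires the result to stay inside that directory. The directory layout, file names and attacker inputs are constructed for this example.

```python
"""Added example, not Avada's code: an unsafe path resolver beside a
hardened one, exercised with traversal payloads aimed at wp-config.php.
Directory names and inputs are hypothetical and constructed here."""
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a caller-supplied name would resolve outside its base directory."""


def resolve_unsafe(base_dir, name):
    """Vulnerable pattern: join a caller-controlled name onto base_dir and
    normalise it. '..' segments walk out of base_dir, and an absolute name
    makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, name))


def resolve_safe(base_dir, name):
    """Hardened pattern: resolve symlinks on both sides, then require that the
    candidate lies strictly inside base_dir. This rejects '..', absolute names,
    the empty name (the directory itself) and symlinks pointing outside."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{name!r} resolves outside {base_dir}")
    return candidate


def is_safe(base_dir, name):
    """True if resolve_safe accepts the name, False if it raises."""
    try:
        resolve_safe(base_dir, name)
        return True
    except PathTraversalError:
        return False


WP_ROOT = "/var/www/html"                                        # hypothetical
UPLOADS_DIR = WP_ROOT + "/wp-content/uploads/form-submissions"   # hypothetical

# Constructed attacker inputs; the first two target the WordPress config file.
ATTACKER_INPUTS = [
    "../../../wp-config.php",        # classic traversal out of the uploads tree
    "/var/www/html/wp-config.php",   # absolute name: os.path.join drops base_dir
    "submission-42.txt",             # a legitimate submission file
    "2026/06/submission-42.txt",     # nested but still inside the directory
]


def check_inputs(base_dir, names):
    """For each name, return (what the unsafe resolver would delete, whether the
    safe resolver accepts it)."""
    return {n: (resolve_unsafe(base_dir, n), is_safe(base_dir, n)) for n in names}


def demo_with_real_files():
    """Build a throwaway site layout (constructed for this example) and report
    which names the safe resolver accepts. A symlink inside the uploads dir that
    points at wp-config.php is rejected because realpath() follows it before the
    containment check."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(root, "wp-config.php"), "w") as f:
            f.write("<?php // constructed stand-in for the real config\n")
        with open(os.path.join(uploads, "submission-42.txt"), "w") as f:
            f.write("form data\n")
        os.symlink(os.path.join(root, "wp-config.php"),
                   os.path.join(uploads, "link-out"))
        names = ["submission-42.txt", "../../wp-config.php", "link-out", ""]
        return {n: is_safe(uploads, n) for n in names}


if __name__ == "__main__":
    for name, (unsafe_target, accepted) in check_inputs(UPLOADS_DIR, ATTACKER_INPUTS).items():
        print(f"{name!r:32} unsafe -> {unsafe_target}  safe accepts: {accepted}")
    print(demo_with_real_files())
```

The containment test uses commonpath rather than a string prefix check so that a sibling directory such as form-submissions-old is not mistaken for a child of form-submissions.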

