Hackers Take Advantage of Information Leak Vulnerability in Gravity SMTP Plugin for WordPress


Cybercriminals are capitalizing on an unauthenticated information disclosure vulnerability within the Gravity SMTP plugin for WordPress, which is operational on approximately 100,000 websites.

This vulnerability is designated as CVE-2026-4020 and is categorized with a medium severity rating. It impacts all versions of the plugin prior to 2.1.5, with the corrective update released on March 17.

Defiant, a cybersecurity firm specializing in WordPress security, has issued warnings indicating that hackers are actively exploiting this vulnerability.

Their Wordfence firewall has successfully intercepted over 17 million unauthorized access attempts aimed at its protected customers.

The crux of the issue lies in a publicly accessible REST API endpoint in Gravity SMTP, where the ‘permission_callback’ perpetually returns ‘true.’

This flaw permits unauthenticated GET requests to retrieve a comprehensive JSON “System Report” produced by the plugin. The disclosed data may encompass:

  • API keys, secrets, and OAuth tokens from integrated email services.
  • Credentials for various third-party email providers such as Amazon SES, Google, Mailjet, Resend, and Zoho.
  • WordPress configuration specifics, including installed plugins, themes, and software versions.
  • Information pertaining to the server and the PHP environment.
  • Details about database configurations, including server version and table nomenclature.
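To make the "permission_callback returns true" point concrete, here is an added PHP illustration of the vulnerable route shape beside a hardened one. This is not Gravity SMTP's own code: the endpoint path is the one the article names, but the report-building handler is a stand-in, and the hardened version additionally declines to put raw secrets in the response at all. The vulnerable definition is built only for contrast and is deliberately never registered.

```php
<?php
// Added illustration (not the plugin's code): a WordPress REST route whose
// permission_callback always returns true is readable by anyone who can reach
// /wp-json/, so whatever the callback returns becomes public.

// Stand-in for the plugin's system-report builder. Only the keys matter here.
function example_build_system_report(): array {
    return array(
        'wordpress'   => get_bloginfo( 'version' ),
        'php'         => PHP_VERSION,
        'provider'    => 'example-ses',          // constructed values, not real credentials
        'api_key'     => 'sk_live_EXAMPLE_KEY',
        'oauth_token' => 'ya29.EXAMPLE_TOKEN',
    );
}

// Replace secret-bearing fields with a marker before the report leaves the server.
function example_redact_report( array $report ): array {
    foreach ( array( 'api_key', 'oauth_token', 'secret', 'password' ) as $key ) {
        if ( array_key_exists( $key, $report ) ) {
            $report[ $key ] = '[redacted]';
        }
    }
    return $report;
}

// VULNERABLE shape, shown for contrast and never registered:
// '__return_true' tells WordPress to skip authorization for this route entirely.
$example_vulnerable_route_args = array(
    'methods'             => WP_REST_Server::READABLE,
    'callback'            => function () {
        return rest_ensure_response( example_build_system_report() );
    },
    'permission_callback' => '__return_true',
);

// HARDENED shape: require an administrator capability. Anonymous callers receive
// 401 and cookie-authenticated users without the capability receive 403, both
// before the callback runs. The callback also redacts secrets as defense in depth.
add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( example_redact_report( example_build_system_report() ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view the system report.' ),
                    array( 'status' => is_user_logged_in() ? 403 : 401 )
                );
            }
            return true;
        },
    ) );
} );
```

A quick audit for this class of bug across a WordPress install is to search plugin directories for `'permission_callback' => '__return_true'` and confirm that each such route really is meant to be public; diagnostic and "test" endpoints that dump configuration almost never are.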

Though classified as medium severity, the CVE-2026-4020 vulnerability can be exploited without authentication, allowing malicious actors to capture email service credentials.

This access enables attackers to impersonate users in dealings with third parties and acquire intricate insights into the software infrastructure of the site, potentially revealing vulnerabilities.

“The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site,” cautioned Wordfence researchers.

Reports from Wordfence indicate a surge in exploitation activity on June 7, with 4 million requests blocked in a single day. This heightened activity continued for several subsequent days.

The security firm has also identified the most prevalent source IP addresses for these exploit requests, advising website administrators to add them to their blocklists.

An indicator of compromise includes requests made to ‘/wp-json/gravitysmtp/v1/tests/mock-data’ found in web server access logs, particularly those that contain the ‘?page=gravitysmtp-settings’ query parameter.
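The following is an added PHP command-line scanner, not from the article or from Wordfence, that searches web server access logs for the indicator of compromise described above and tallies requests per source IP so that the noisiest sources can be reviewed for blocklisting. It assumes the common Apache/nginx combined log format; the log lines embedded in it are constructed for the demonstration, not real traffic.

```php
<?php
// Added example (not the article's or Wordfence's code): flag requests to the
// Gravity SMTP system-report endpoint in access logs and summarise them by IP.
// Run as: php scan.php /var/log/apache2/access.log  (falls back to sample lines)

const IOC_PATH  = '/wp-json/gravitysmtp/v1/tests/mock-data';
const IOC_PARAM = 'page=gravitysmtp-settings';

// Parse one combined-log-format line into the fields we need, or null if it
// does not match. The format is an assumption about the server configuration.
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
    );
}

// Return matched requests plus a per-IP count sorted by volume. A status of 200
// means the report body was actually served, which is the case to investigate.
function scan_access_log( iterable $lines ): array {
    $hits  = array();
    $by_ip = array();
    foreach ( $lines as $line ) {
        $req = parse_log_line( (string) $line );
        if ( null === $req ) {
            continue;
        }
        if ( parse_url( $req['target'], PHP_URL_PATH ) !== IOC_PATH ) {
            continue;
        }
        $query                 = (string) parse_url( $req['target'], PHP_URL_QUERY );
        $req['settings_param'] = str_contains( $query, IOC_PARAM );
        $req['served']         = ( 200 === $req['status'] );
        $hits[]                = $req;
        $by_ip[ $req['ip'] ]   = ( $by_ip[ $req['ip'] ] ?? 0 ) + 1;
    }
    arsort( $by_ip );
    return array( 'hits' => $hits, 'by_ip' => $by_ip );
}

// Constructed sample lines (documentation-range IPs, not real traffic).
$sample = array(
    '203.0.113.10 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2026:10:02:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 113 "-" "curl/8.0"',
    '192.0.2.44 - - [07/Jun/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
);

$lines  = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
$result = scan_access_log( $lines );

foreach ( $result['hits'] as $h ) {
    printf(
        "%s %s %s status=%d%s%s\n",
        $h['time'], $h['ip'], $h['target'], $h['status'],
        $h['settings_param'] ? ' [settings-param]' : '',
        $h['served'] ? ' [REPORT SERVED]' : ''
    );
}
foreach ( $result['by_ip'] as $ip => $n ) {
    printf( "%s: %d request(s)\n", $ip, $n );
}
```

Any hit marked as served on a site that was still below 2.1.5 at that time should be treated as a credential exposure: rotate the API keys and OAuth tokens for every connected email provider rather than only applying the update.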

Recently, the company released a separate advisory regarding a critical arbitrary file-deletion vulnerability in the Avada Builder WordPress plugin, which is utilized across one million sites.

This vulnerability, identified as CVE-2026-8713, permits attackers to delete arbitrary files from the server through a path traversal flaw, provided the site uses an Avada form configured to save submissions to the database.

Such deletion could remove crucial files like wp-config.php, potentially returning the site to its initial setup state and leading to a complete site takeover along with remote code execution.


The issue has been rectified in version 3.15.4, which is the recommended update for web administrators. While no active exploitation of CVE-2026-8713 has been detected, immediate action is advisable as it remains a significant threat.

Source link: Bleepingcomputer.com.


Reported By

Souvik Banerjee
