Overview
A new wave of attacks is targeting the Gravity SMTP WordPress plugin, which is active on over 100,000 sites. The flaw, tracked as CVE‑2026‑4020, allows unauthenticated information disclosure through an exposed REST API endpoint. Despite its medium‑severity rating, exploitation has surged — Wordfence reports blocking 17 million attempts against protected customers.

Vulnerability Details
| CVE ID | Affected Versions | Severity | Fixed Version |
|---|---|---|---|
| CVE‑2026‑4020 | ≤ 2.1.4 | Medium | 2.1.5 (March 17 release) |
The issue stems from a REST API endpoint whose `permission_callback` unconditionally returns true, so any unauthenticated GET request can retrieve the plugin's full System Report as JSON.
Exposed data includes:
- API keys and OAuth tokens for email integrations.
- Third‑party service credentials (Amazon SES, Google, Mailjet, Resend, Zoho).
- WordPress configuration details — plugins, themes, versions.
- Server and PHP environment info.
- Database metadata — server version and table names.
Attackers can use this information to steal email service credentials, impersonate victims, and map the site’s software stack for further exploitation.
Active Exploitation
Wordfence observed a major spike on June 7, blocking 4 million requests in a single day. The attack pattern targets /wp-json/gravitysmtp/v1/tests/mock-data with the query parameter ?page=gravitysmtp-settings.
Administrators should add the most prolific source IPs to their blocklists and monitor access logs for these requests.
Related Threat — Avada Builder File Deletion Flaw
In a separate advisory, Wordfence warned of a critical unauthenticated arbitrary file‑deletion vulnerability in the Avada Builder plugin (CVE‑2026‑8713), used on over one million sites.
| CVE ID | Affected Versions | Severity | Fixed Version |
|---|---|---|---|
| CVE‑2026‑8713 | ≤ 3.15.3 | Critical | 3.15.4 |
This flaw allows attackers to delete arbitrary files via path traversal when Avada forms save submissions to the database. Deleting key files like wp-config.php can reset the site and enable remote code execution. No active exploitation has been confirmed yet, but quick patching is essential.
Defensive Recommendations
For WordPress administrators:
- Update Gravity SMTP to v2.1.5 → Patch the REST API flaw immediately.
- Upgrade Avada Builder to v3.15.4 → Prevent arbitrary file deletion.
- Monitor access logs → Look for requests to /wp-json/gravitysmtp/v1/tests/mock-data.
- Block malicious IPs → Use firewall rules to reduce attack volume.
- Rotate API keys and tokens → Invalidate potentially leaked credentials.
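A small log-review script for the monitoring and blocklist steps above, added here as an example; it is not part of the original advisory or of either plugin. It assumes combined-format web server access logs (Apache/nginx default); the sample lines and IP addresses are constructed, and the `rest_route` handling covers the query form WordPress accepts when pretty permalinks are disabled.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit, parse_qs

# Route named in the advisory; matched on the path and on the rest_route=
# query form WordPress accepts when pretty permalinks are disabled.
TARGET_ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Combined log format (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def requested_route(target: str) -> str:
    """Return the REST route a request resolves to, normalised for comparison."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/").lower()
    if path.startswith("/wp-json"):
        return path[len("/wp-json"):]
    # /index.php?rest_route=/gravitysmtp/... or /?rest_route=...
    rest = parse_qs(parts.query).get("rest_route")
    if rest:
        return unquote(rest[0]).rstrip("/").lower()
    return path

def is_mock_data_probe(line: str) -> bool:
    m = LOG_RE.match(line)
    return bool(m) and requested_route(m["target"]) == TARGET_ROUTE

def probe_sources(lines) -> Counter:
    """Count flagged requests per source IP (input for a blocklist review)."""
    return Counter(LOG_RE.match(l)["ip"] for l in lines if is_mock_data_probe(l))

# Constructed sample lines (documentation-range IPs), including a percent-encoded
# path and the rest_route variant so the normalisation is exercised.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 5120
198.51.100.3 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock%2Ddata?page=gravitysmtp-settings HTTP/1.1" 403 153
203.0.113.7 - - [07/Jun/2026:10:01:09 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 5120
192.0.2.44 - - [07/Jun/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8801
192.0.2.44 - - [07/Jun/2026:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for ip, n in probe_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
```

A 403 on a flagged request still counts: it shows a probe that was blocked, and the source IP is just as relevant to the blocklist.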
Expert in the Cloud Insight
The Gravity SMTP incident highlights how misconfigured REST API permissions can turn routine features into data leak vectors. Even medium‑severity bugs can become high‑impact when exploited at scale.
For security leaders, this is a reminder that WordPress plugin security is supply‑chain security. Every third‑party integration extends your attack surface. Regular patching, credential rotation, and behavioral monitoring must be standard practice — not reactive measures.