Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

ID: ff4f4298-e834-5340-b54a-ef14fc8d6a72

STIX ID: report--ff4f4298-e834-5340-b54a-ef14fc8d6a72

Feed Name: Bleeping Computer

Threat Score
70/100

Date Published: 2026-06-19

Date Updated: 2026-06-19

Author: Bill Toulas

Threat actors are actively exploiting an unauthenticated information-disclosure flaw (CVE-2026-4020) in the Gravity SMTP WordPress plugin (versions ≤2.1.4), which is installed on roughly 100,000 sites. The flaw lets attackers retrieve JSON “System Reports” that may contain API keys, third-party email credentials, and WordPress and server configuration details. Wordfence reported blocking millions of exploitation requests and identifies requests to /wp-json/gravitysmtp/v1/tests/mock-data (often with the ?page=gravitysmtp-settings parameter) as a key IoC. The report also warns of a separate critical arbitrary file-deletion vulnerability in Avada Builder (CVE-2026-8713), fixed in version 3.15.4, that could enable full site takeover if exploited.