Active exploits hit Gravity SMTP (CVE-2026-4020); Avada Builder critical bug patched (CVE-2026-8713)

Two WordPress plugin issues deserve immediate attention. Wordfence reports active exploitation of a sensitive information exposure bug in the Gravity SMTP plugin (CVE-2026-4020), while a separate, critical arbitrary file deletion flaw in Avada Builder (CVE-2026-8713) has been patched. BleepingComputer also highlights the Gravity SMTP activity and notes the Avada Builder fix.

Why it matters

Gravity SMTP is installed on an estimated 100,000 sites. The issue lets unauthenticated visitors pull a detailed “System Report” via a REST API endpoint, including API keys and tokens for connected email services. That data can enable abuse of a site’s email integrations and provides reconnaissance about the site’s stack. Meanwhile, the Avada Builder bug—rated critical—could allow unauthenticated attackers to delete arbitrary files in certain configurations, potentially paving the way for full site takeover if not patched.

What’s confirmed

Wordfence describes CVE-2026-4020 as an unauthenticated information disclosure in Gravity SMTP up to version 2.1.4. The problem stems from an exposed REST API endpoint whose permission callback always returns true. When a specific query parameter is present, the endpoint returns a large JSON “System Report” that may include:

  • API keys, secrets, and OAuth tokens for email integrations (e.g., Amazon SES, Google, Mailjet, Resend, Zoho)
  • WordPress, server, PHP, and database details
  • Active plugins, theme, and configuration data

Although rated medium (CVSS 5.3), this flaw is being actively exploited. Wordfence says its firewall has blocked over 17 million attempts, with a spike on June 7, 2026. A practical indicator of exploitation attempts is web server access log entries for requests to:

  • /wp-json/gravitysmtp/v1/tests/mock-data (often with the query parameter ?page=gravitysmtp-settings)

The vendor released a fix in Gravity SMTP 2.1.5 (March 17, 2026). Wordfence later added a firewall rule after observing attacks.

Separately, Wordfence details CVE-2026-8713 in Avada Builder (<= 3.15.3): an unauthenticated arbitrary file deletion vulnerability due to insufficient path validation in a cleanup function. Exploitation requires a published Avada form configured to save entries to the database. Deleting critical files like wp-config.php could reset the site and enable takeover. The vulnerability is patched in Avada Builder 3.15.4. At the time of the referenced reports, no active exploitation had been observed.

What to do now

  • Update Gravity SMTP to version 2.1.5 or later. If you administer multiple sites, prioritize those running versions up to 2.1.4.
  • Review recent web server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, particularly those including ?page=gravitysmtp-settings.
  • Consult the Wordfence advisory for the list of top offending IPs observed targeting Gravity SMTP and consider temporary blocks where appropriate.
  • Update Avada Builder to version 3.15.4 or later, even if your site’s forms are not configured to save entries. The patch removes the risk in supported configurations.
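A small scanner for the access-log check in the list above, added here as an example and not code from Wordfence, the plugin vendor or the original post; it assumes the Apache/nginx "combined" log format and runs over constructed sample lines, flagging hits on the mock-data endpoint, whether the `page=gravitysmtp-settings` parameter was present, and whether the server answered 200 (report likely served) or refused the request.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Path and query parameter named in the Wordfence indicator for CVE-2026-4020.
GRAVITY_SMTP_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
GRAVITY_SMTP_PARAM = ("page", "gravitysmtp-settings")

# Assumed "combined" log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return a dict describing a request to the mock-data endpoint, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") != GRAVITY_SMTP_PATH:
        return None
    qs = parse_qs(parts.query)
    name, value = GRAVITY_SMTP_PARAM
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "has_settings_param": value in qs.get(name, []),
        # 200 means the System Report was most likely served (unpatched site);
        # 401/403/404 means the request was refused or the route was gone.
        "likely_disclosed": m.group("status") == "200",
    }

def scan(lines):
    """Classify every line and count hits per client IP for triage."""
    hits = [h for h in map(classify, lines) if h]
    by_ip = Counter(h["ip"] for h in hits)
    return hits, by_ip

# Constructed sample lines (not real traffic); 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '203.0.113.10 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '198.51.100.7 - - [07/Jun/2026:03:20:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "curl/8.5.0"',
    '192.0.2.5 - - [07/Jun/2026:03:21:00 +0000] "GET /wp-json/wp/v2/posts?per_page=1 HTTP/1.1" 200 1321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(by_ip.most_common())
```

Any hit with `likely_disclosed` true on a site that was still on 2.1.4 or earlier at that timestamp should be treated as a credential exposure: rotate the email-service keys and tokens the System Report would have included, not just update the plugin.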

Important caveats

  • For Gravity SMTP, information exposure via a GET request may not leave obvious traces beyond access logs. Lack of visible changes on the site does not mean it wasn’t probed.
  • For Avada Builder, exploitation requires a specific form configuration (published and saving entries). Still, the safest path is to update without delay.
  • Severity labels can be misleading on their own. In Gravity SMTP’s case, a “medium” rating still exposed real-world risk because credentials were included in the leaked data and attacks were observed at scale.

Sources

Staying current with plugin updates and watching server logs closely remain two of the most effective ways to stay ahead of opportunistic scans and mass exploitation waves. Patch promptly, verify, and keep an eye on your telemetry.
