Gravity SMTP WordPress Plugin Exploited: Sensitive Data Exposure Risk


Attackers have been leveraging a critical unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is deployed on more than 100,000 websites.

Vulnerability Overview

The flaw, designated CVE-2026-4020, enables threat actors to extract confidential data from affected sites. The vulnerability exists in a publicly accessible REST API endpoint in the plugin, which allows unauthorized users to retrieve a comprehensive “System Report” via unauthenticated GET requests. This report may contain API keys, cryptographic secrets, OAuth tokens, credentials for cloud services such as Amazon SES and Google, WordPress configuration details, server metadata, and database settings.

Impact and Exploitation

Although the flaw is classified as medium severity, the absence of any authentication requirement and the potential for credential theft make it a significant risk.

Security firm Wordfence has detected over 17 million attempts to exploit the flaw, with a sharp increase observed on June 7. The exposed data could facilitate impersonation of victims by third parties and enable follow-up attacks.

Additional Vulnerabilities

A separate advisory highlights a critical file deletion vulnerability, CVE-2026-8713, in the Avada Builder plugin, though no active exploitation has been reported to date. Additional vulnerabilities impacting enterprise environments include a flaw in the Joomla Content Editor extension, which was recently added to CISA’s Known Exploited Vulnerabilities catalog with a three-day remediation deadline. Another issue in the SimpleHelp plugin allows unauthenticated users to create administrative accounts due to insufficient validation of identity assertions from an OIDC identity provider.

AMD’s Controversy

Meanwhile, AMD has faced criticism over allegations that it denied a bug bounty and altered its disclosure policies. A researcher identified as Paul discovered a remote code execution vulnerability in AMD’s auto-updater that is exploitable through a man-in-the-middle attack.

Conclusion

Technical details surrounding the Gravity SMTP exploit emphasize the importance of securing REST API endpoints and restricting access to sensitive system data. Organizations using the affected plugin are advised to apply patches immediately and monitor for signs of unauthorized access. The incident underscores the risks associated with third-party plugins and the need for continuous vulnerability assessments.
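As an added illustration of the endpoint-hardening point above (this is example code, not Gravity SMTP’s own, and the route namespace, option names and report fields are assumptions, since the article does not give them): a WordPress REST route registered with a permissive `permission_callback` returns the report to anyone, while the corrected registration requires an administrator capability and redacts credential material from the response.

```php
<?php
// Added example, not the plugin's code. The namespace 'example-smtp/v1',
// the option names and the report layout are assumptions for illustration.

add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' makes the route reachable without authentication,
    // so any unauthenticated GET receives the full report, secrets included.
    register_rest_route( 'example-smtp/v1', '/system-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => '__return_true',
    ) );

    // CORRECTED: only users with the manage_options capability (administrators)
    // may read it, and the callback redacts secret-bearing fields before replying.
    register_rest_route( 'example-smtp/v1', '/system-report-safe', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_redacted_report',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_build_system_report() {
    // Assumed report structure: the kind of data the article says such reports hold.
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'db_host'     => defined( 'DB_HOST' ) ? DB_HOST : '',
        'ses_key_id'  => get_option( 'example_smtp_ses_key_id', '' ),
        'ses_secret'  => get_option( 'example_smtp_ses_secret', '' ),
        'oauth_token' => get_option( 'example_smtp_oauth_token', '' ),
    ) );
}

function example_build_redacted_report() {
    $report = example_build_system_report()->get_data();
    // Never return credential material, even to administrators: report only
    // whether each secret is configured so the page stays useful for support.
    foreach ( array( 'ses_key_id', 'ses_secret', 'oauth_token' ) as $field ) {
        $report[ $field ] = ( '' === $report[ $field ] ) ? 'not set' : '[redacted]';
    }
    return rest_ensure_response( $report );
}
```

The weak route is included only to show the contrast; in a real plugin it should not exist at all, and a diagnostic report should never serialize secrets even behind an authenticated route.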
