Threat actors are actively exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin, which affects more than 100,000 sites and can expose sensitive API keys, OAuth tokens, and email service credentials. Wordfence has already blocked over 17 million attempts, while a separate critical flaw, CVE-2026-8713 in Avada Builder, can let attackers delete arbitrary files and potentially take over sites. #GravitySMTP #CVE20264020 #Wordfence #AvadaBuilder #CVE20268713
Key points
- Gravity SMTP is affected by CVE-2026-4020.
- The flaw allows unauthenticated access to a System Report via an exposed REST API endpoint.
- Exposed data can include API keys, secrets, OAuth tokens, and email service credentials.
- Wordfence has blocked more than 17 million exploitation attempts.
- Avada Builder also has CVE-2026-8713, a critical arbitrary file-deletion vulnerability.