WordPress Under Siege: Gravity SMTP and Avada Builder Plugins Actively Exploited
Threat actors are actively exploiting critical vulnerabilities in two widely used WordPress plugins: **Gravity SMTP** and **Avada Builder**. These flaws expose sensitive information and could lead to full site compromise, impacting hundreds of thousands of websites globally. Urgent updates are required to mitigate the ongoing risks.

WordPress site administrators are urged to update two popular plugins immediately, as security researchers warn of active exploitation and critical vulnerabilities. The plugins, **Gravity SMTP** and **Avada Builder**, collectively power over a million websites.
### Gravity SMTP Exposes Sensitive Data
An unauthenticated information disclosure vulnerability, tracked as **CVE-2026-4020**, is being actively exploited in the **Gravity SMTP** plugin, which is installed on 100,000 WordPress sites. Despite its 'medium' severity rating, the flaw allows unauthenticated attackers to retrieve a comprehensive JSON 'System Report' by exploiting an exposed REST API endpoint.
This report can contain highly sensitive data, including:
* API keys, secrets, and OAuth tokens for configured email integrations
* Credentials for third-party email services (e.g., **Amazon SES**, **Google**, **Mailjet**, **Resend**, **Zoho**)
* Detailed WordPress configuration, including installed plugins, themes, and software versions
* Server and PHP environment information
* Database configuration details, such as server version and table names
**Defiant**, the company behind the **Wordfence** firewall, reported blocking over 17 million exploitation attempts against its protected customers. Exploitation activity saw a significant spike on June 7, with 4 million requests blocked in a single day.
The vulnerability affects all versions of **Gravity SMTP** up to and including 2.1.4 and was patched in version 2.1.5, released on March 17. The exposure of live third-party API credentials is particularly concerning, as it allows attackers to send mail as the victim's site through the connected email services and to gather intelligence for further targeted attacks.

Site administrators should check their web server access logs for requests to `/wp-json/gravitysmtp/v1/tests/mock-data`, especially those carrying the `?page=gravitysmtp-settings` query parameter, as an indicator of compromise.
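As an added example (not from the article, Defiant or the Gravity SMTP project), a small Python scanner that applies the indicator above to access logs: it parses combined-format lines, decodes URL-encoded paths so obfuscated variants are not missed, and flags requests for the mock-data endpoint, rating those that carry the `page=gravitysmtp-settings` parameter as higher confidence and separating out the ones the server actually answered with 200. The log lines are constructed for the example and the client addresses come from documentation ranges.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample in Apache/nginx "combined" format (not real traffic;
# 203.0.113.x and 198.51.100.x are documentation address ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18322 "-" "curl/8.5.0"
198.51.100.4 - - [07/Jun/2026:10:15:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:15:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 18322 "-" "python-requests/2.31"
198.51.100.9 - - [07/Jun/2026:10:16:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock%2Ddata?page=gravitysmtp-settings HTTP/1.1" 403 0 "-" "Go-http-client/1.1"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IOC_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"


def classify(line):
    """Return (ip, status, confidence) for a probe of the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode %XX escapes so "mock%2Ddata" still matches the indicator path.
    path = unquote(parts.path).rstrip("/")
    if path != IOC_PATH:
        return None
    query = unquote(parts.query)
    confidence = "high" if "page=gravitysmtp-settings" in query else "medium"
    return m.group("ip"), int(m.group("status")), confidence


def scan(log_text):
    """Return all hits, a per-source-IP count, and the hits the server answered 200."""
    hits = [h for h in (classify(line) for line in log_text.splitlines()) if h]
    by_ip = Counter(ip for ip, _, _ in hits)
    # A 200 means the System Report was served, i.e. the disclosure happened.
    served = [h for h in hits if h[1] == 200]
    return hits, by_ip, served


if __name__ == "__main__":
    hits, by_ip, served = scan(SAMPLE_LOG)
    for ip, status, confidence in hits:
        print(f"{ip} status={status} confidence={confidence}")
    print("sources:", dict(by_ip), "served:", len(served))
```

A 403 or 404 on these requests shows the probe was blocked or the plugin was already updated; a 200 should be treated as disclosed credentials and trigger rotation of the affected API keys.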
### Critical File Deletion in Avada Builder
In a separate advisory, **Wordfence** also highlighted a critical, unauthenticated arbitrary file-deletion vulnerability in the **Avada Builder** WordPress plugin, which is active on over one million sites. Identified as **CVE-2026-8713**, this flaw allows attackers to delete arbitrary files on the server using a path traversal technique.
The flaw is exploitable only when a published **Avada** form is configured to save submissions to the database. Deleting critical files, such as `wp-config.php`, can reset the site to its initial setup state, potentially leading to a full site takeover and remote code execution.
While no active exploitation of **CVE-2026-8713** has been observed yet, its severity warrants immediate attention. The issue was fixed in version 3.15.4, and administrators are strongly advised to upgrade promptly.