Security researchers have identified a medium-severity flaw in the Gravity SMTP plugin for WordPress that is currently being exploited by cybercriminals to acquire comprehensive system information. The cybersecurity firm Defiant has raised the alarm about this vulnerability, which affects versions prior to 2.1.5 of the plugin.
Vulnerability Details and Impact
The Gravity SMTP plugin, designed to improve email deliverability by integrating various SMTP providers and APIs, carries a vulnerability tracked as CVE-2026-4020 with a CVSS score of 5.3. The flaw, which has been actively exploited since early May, lies in a REST API endpoint that returns sensitive data to unauthenticated requests.
When a specific query parameter is supplied, the affected endpoint returns a JSON response containing a full system report. The report includes the PHP and WordPress versions, database details, the list of active plugins and themes, and the API keys and tokens configured for the site's mail provider.
Exploitation and Attack Methods
The vulnerability exists because the REST API endpoint is registered by a shared library that performs no authentication or capability check before serving the report. Anyone who can reach the site can therefore pull the report, recover the mail-provider credentials it contains, and either send email on behalf of the site or use the version and plugin inventory as reconnaissance for follow-on attacks.
Defiant has observed a sharp rise in attack attempts against this flaw and reports having blocked more than 17 million of them. The attacks consist almost entirely of unauthenticated GET requests that try to retrieve the System Report JSON object from the vulnerable endpoint.
Preventive Measures and Recommendations
WordPress site owners running a vulnerable version of Gravity SMTP are strongly advised to upgrade to version 2.1.5 or later immediately. It is also important to review web server logs for requests to the vulnerable endpoint, because a successful attack is a single GET request that leaves no other noticeable trace on the site.
Updating alone does not revoke credentials that may already have been read. Sites using third-party email integrations such as Amazon SES or Google should therefore rotate their API keys, secrets, and OAuth tokens after applying the update, so that anything captured through the endpoint can no longer be used.
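The following Python script, added here as an example and not code from Defiant or the Gravity SMTP project, performs the log review described above over a few constructed access-log lines in the common "combined" format. The page does not name the vulnerable route or the query parameter, so the route fragment in SUSPECT_ROUTE and the example-route and example-param strings in the sample lines are placeholders to be replaced with the values from the vendor advisory; the IP addresses and timestamps are constructed. The script handles both REST URL styles WordPress exposes (pretty permalinks under /wp-json/ and plain permalinks via ?rest_route=, which arrives percent-encoded) and treats any 2xx response to a matching GET as a report that was actually served.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Placeholder: the article does not name the endpoint. Set this to the
# route fragment from the vendor advisory before scanning real logs.
SUSPECT_ROUTE = "/gravitysmtp/"

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(entry):
    """True for a GET whose target resolves to the WordPress REST API and the suspect route."""
    if entry["method"] != "GET":
        return False
    # Plain-permalink sites pass the route as ?rest_route=%2F..., so decode before matching.
    target = unquote(entry["target"])
    if "/wp-json/" not in target and "rest_route=" not in target:
        return False
    return SUSPECT_ROUTE in target


def scan(lines):
    """Collect suspect requests; 'served' marks responses where the report was returned (2xx)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_suspect(entry):
            continue
        status = int(entry["status"])
        hits.append({
            "ip": entry["ip"],
            "ts": entry["ts"],
            "target": entry["target"],
            "status": status,
            "served": 200 <= status < 300,
        })
    return hits


def leaked_by_ip(hits):
    """Count, per source IP, how many times the report was actually served."""
    return Counter(h["ip"] for h in hits if h["served"])


# Constructed sample log lines (documentation IP ranges; placeholder route and parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/May/2026:10:12:01 +0000] "GET /wp-json/gravitysmtp/v1/example-route?example-param=1 HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    '198.51.100.9 - - [05/May/2026:10:13:44 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Fexample-route&example-param=1 HTTP/1.1" 403 112 "-" "python-requests/2.32"',
    '192.0.2.5 - - [05/May/2026:10:14:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/May/2026:10:15:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.7 - - [06/May/2026:01:40:55 +0000] "GET /wp-json/gravitysmtp/v1/example-route?example-param=1 HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = "LEAK" if h["served"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {flag} {h["target"]}')
    print("report served per IP:", dict(leaked_by_ip(found)))
```

A 2xx on a matching request means the report left the server and the mail-provider credentials in it should be considered exposed; a 401 or 403 is what the patched plugin, or a firewall rule, returns. Run the script against the real access log by replacing SAMPLE_LOG with the file's lines and setting SUSPECT_ROUTE from the advisory.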
In summary, this security flaw in the Gravity SMTP plugin underscores the importance of regular plugin updates and vigilant monitoring of server activities. Site administrators must address this vulnerability promptly to safeguard their data and prevent potential breaches.
