The Gravity SMTP WordPress plugin, installed on approximately 100,000 websites, has been found vulnerable to a recently patched security flaw. The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale, allows unauthenticated users to extract sensitive information, including API keys, configuration settings, and OAuth tokens used in the plugin’s email integrations.
Understanding the Vulnerability
The flaw stems from the REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data, whose permission_callback grants access to any requester regardless of authentication status. When the query parameter ?page=gravitysmtp-settings is supplied, the plugin’s register_connector_data() method returns internal connector data, and the endpoint responds with roughly 365 KB of JSON containing a full System Report.
This exposes a wide array of information: the PHP version and loaded extensions, the web server version, WordPress configuration details, every active plugin and its version, and the database server type and version. Most critically, it can leak API keys and tokens for services such as Amazon SES, Google, Mailjet, Resend, and Zoho.
Implications of the Data Exposure
Exposing such information lets attackers abuse the email services connected to the site and map its software stack in detail, which makes planning further attacks easier. As Wordfence notes, the severity of the impact depends on what data a given site exposes, with live third-party API credentials posing the greatest risk.
Attackers have been quick to exploit the flaw by sending unauthenticated HTTP GET requests to the vulnerable endpoint with the ?page=gravitysmtp-settings query parameter appended, extracting extensive information about the site without any authentication.
Response and Mitigation
The fix is available in Gravity SMTP version 2.1.5. Despite the patch, the flaw is under active attack: Wordfence reports more than 17 million blocked exploit attempts. The attacks began in early May 2026 and escalated sharply around June 6, 2026, peaking at more than 4 million requests in a single day. They have originated from several IP addresses, including 45.148.10.95 and 193.32.162.60.
Administrators running a vulnerable version of Gravity SMTP, especially with third-party email integrations configured, should assume their credentials may have been exposed. Update the plugin immediately and rotate any credentials the endpoint could have disclosed. Review server logs for requests from the listed IP addresses and for other suspicious activity.
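One way to carry out the log review above, as an added example that is not part of the original article or of the plugin: scan Combined Log Format access logs for requests to the mock-data route carrying page=gravitysmtp-settings, and mark those that returned a 200 with a body large enough to match the roughly 365 KB report. The ?rest_route= form (used by WordPress when pretty permalinks are off) and the 100 KB size threshold are assumptions added here; the sample log lines are constructed.

```python
"""Flag access-log entries that hit the Gravity SMTP mock-data endpoint."""
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format as written by Apache/nginx by default (constructed regex).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
ENDPOINT = "/gravitysmtp/v1/tests/mock-data"

def is_probe(target: str) -> bool:
    """True if the request targets the mock-data route with page=gravitysmtp-settings.

    Accepts both /wp-json/<route> and the ?rest_route=/<route> form used when
    pretty permalinks are disabled (assumption: the endpoint is reachable either way).
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    route = parts.path if parts.path.startswith("/wp-json") else qs.get("rest_route", [""])[0]
    return route.endswith(ENDPOINT) and "gravitysmtp-settings" in qs.get("page", [])

def scan(lines):
    """Return one finding per matching request. 'exposed' is set for a 200 with a
    large body (assumed threshold 100 KB), i.e. the System Report likely left the site."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_probe(m["target"]):
            continue
        status = int(m["status"])
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        findings.append({
            "ip": m["ip"], "time": m["ts"], "status": status, "bytes": size,
            "exposed": status == 200 and size > 100_000,
        })
    return findings

# Constructed sample lines: the two IPs named in the article plus one benign request.
SAMPLE_LOG = [
    '45.148.10.95 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '193.32.162.60 - - [06/Jun/2026:10:01:09 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 1204 "-" "curl/8.0"',
    '203.0.113.7 - - [06/Jun/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any finding with exposed set to True means the credentials in that site's System Report should be treated as leaked and rotated, not merely reviewed.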
Addressing this vulnerability promptly is essential to protect the site from further compromise and to keep sensitive information out of unauthorized hands.
