Exploitation of Gravity SMTP Plugin Vulnerability Exposes Sensitive Data

A security flaw in the Gravity SMTP WordPress plugin has been exploited by attackers to access sensitive information from approximately 100,000 sites. The vulnerability allows unauthenticated access to configuration data, including API keys and secrets.

A recently patched vulnerability in the Gravity SMTP WordPress plugin has been actively exploited by threat actors, potentially impacting around 100,000 websites. This flaw, identified as CVE-2026-4020, has a medium severity rating with a CVSS score of 5.3 and allows unauthorized attackers to extract sensitive data, including API keys and configuration secrets.

Details of the Vulnerability

The issue arises from a REST API endpoint located at /wp-json/gravitysmtp/v1/tests/mock-data, which is registered with a permission_callback that always returns true, so WordPress performs no authentication or capability check before serving the route. This misconfiguration enables any unauthenticated user to access it. By appending the ?page=gravitysmtp-settings query parameter, attackers can trigger the plugin’s register_connector_data() method, which returns approximately 365 KB of JSON data containing a comprehensive System Report.

Potential Impact

The exposed information includes critical details such as:

  • PHP version
  • Loaded extensions
  • Web server version
  • Document root path
  • Database server type and version
  • WordPress version
  • Active plugins and their versions
  • Active theme
  • WordPress configuration details
  • Database table names
  • API keys and tokens for services like Amazon SES, Google, Mailjet, Resend, and Zoho

This data can be exploited by attackers to send emails on behalf of the affected sites or to gather further information that could facilitate additional attacks.

Exploitation Activity

Wordfence has reported that over 17 million attempts to exploit CVE-2026-4020 have been blocked, with the initial activity noted in early May 2026. Exploit attempts surged around June 6, 2026, with daily requests exceeding 4 million. The attacks have originated from multiple IP addresses, including 45.148.10.95 and 193.32.162.60, among others.

Recommended Actions

Site owners using vulnerable versions of the Gravity SMTP plugin are advised to assume their systems may have been compromised. They should rotate any exposed credentials and update to the latest version, 2.1.5, which includes a patch for this vulnerability. Additionally, reviewing server logs for suspicious requests from the identified IP addresses is recommended.
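The log review recommended above, as an added example that is not part of the original article or of the plugin's own code: it parses combined-format web server access log lines, flags every request to the endpoint described in the vulnerability section (not only those from the reported IP addresses), and marks responses that look like a successful System Report dump. The 100,000-byte response-size threshold and the sample log lines are constructed assumptions.

```python
import re

# Endpoint and query parameter named in the article.
ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"
TRIGGER_PARAM = "page=gravitysmtp-settings"
# Source addresses reported in the article; extend from your own logs.
KNOWN_SOURCES = {"45.148.10.95", "193.32.162.60"}
# Assumed threshold: a ~365 KB report is far larger than an error body.
DUMP_SIZE_BYTES = 100_000

# Apache/nginx combined log: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return a finding dict for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or ENDPOINT not in m.group("path"):
        return None
    size = m.group("size")
    # A 200 with a large body indicates the report was actually served.
    served = m.group("status") == "200" and size.isdigit() and int(size) > DUMP_SIZE_BYTES
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "settings_page": TRIGGER_PARAM in m.group("path"),
        "known_source": m.group("ip") in KNOWN_SOURCES,
        "likely_success": served,
    }

def scan(lines):
    """Collect findings for all lines; unrelated requests are dropped."""
    return [f for f in (classify(l) for l in lines) if f]

# Constructed sample log: one benign request, two probes from reported
# addresses (one served, one blocked), one probe from an unknown address.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    '45.148.10.95 - - [06/Jun/2026:10:03:14 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760',
    '193.32.162.60 - - [06/Jun/2026:10:03:15 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 -',
    '198.51.100.7 - - [06/Jun/2026:10:05:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 94',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any finding with likely_success set means the credentials listed under Potential Impact should be treated as exposed and rotated, regardless of whether the source address is on a known list.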

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.