A vulnerability in the Gravity SMTP WordPress plugin is being mass-exploited in the wild, with Wordfence having blocked over 17 million exploit attempts since May 2026. The flaw, tracked as CVE-2026-4020, allows any unauthenticated visitor to call a poorly protected REST API endpoint and download a 365 KB JSON system report containing live API keys, OAuth tokens, and a detailed inventory of the WordPress site's software stack.
If you run the Gravity SMTP plugin — used on roughly 100,000 WordPress sites — and you have not already updated to version 2.1.5, treat your connected email credentials as compromised and rotate them immediately.
Affected Software and Versions
The vulnerability affects all versions of Gravity SMTP prior to 2.1.5. The fixed version is 2.1.5, released 2026-03-17. CVE-2026-4020 carries a CVSS score of 5.3 (Medium). The attack vector is network-based and requires no authentication. Active exploitation is confirmed — Wordfence has blocked 17M+ attempts as of June 2026.
What Is the Vulnerability?
Gravity SMTP registers a WordPress REST API endpoint at:
/wp-json/gravitysmtp/v1/tests/mock-data
The endpoint's permission_callback unconditionally returns true, meaning WordPress never checks whether the requesting user is logged in or has any privileges. Any visitor — authenticated or not — can call this endpoint.
When the query string ?page=gravitysmtp-settings is appended to the request, the plugin's register_connector_data() method is invoked, which populates the internal connector data and causes the endpoint to serialize and return approximately 365 kilobytes of JSON containing the site's full System Report.
This is a classic case of a missing or misconfigured authorization gate on a sensitive REST API endpoint.
What Data Gets Exposed?
The JSON payload returned by a single unauthenticated GET request contains:
- PHP version and loaded extensions
- Web server version and document root path
- Database server type and version
- WordPress version
- All active plugins and their versions
- Active theme name
- WordPress configuration details including database table names
- Live API keys and OAuth tokens for all email integrations configured in the plugin, including Amazon SES access keys, Google OAuth credentials, Mailjet API key/secret, Resend API key, and Zoho Mail credentials
How the Attack Works
The exploit is trivially simple — a single unauthenticated HTTP GET request:
GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1
Host: targetsite.example.com
No session cookie, no API key, no prior access is required. The server responds with the full system report in JSON. Attackers automating this can scan thousands of sites in minutes.
Once the attacker has the API keys, they can send phishing or spam email using the site's connected email provider — abusing the site's sending reputation and racking up costs on the site owner's account. The detailed software stack disclosure also helps attackers identify additional vulnerabilities in other installed components.
Active Exploitation Confirmed
Wordfence began observing exploit attempts in early May 2026. Volume spiked dramatically around June 6, 2026, peaking at over 4 million attempts in a single day. By mid-June, Wordfence had blocked over 17 million total requests.
The following IP addresses have been identified as primary sources of exploit traffic:
45.148.10.95 193.32.162.60 176.65.148.139
173.199.90.188 45.148.10.120 185.8.107.155
185.8.106.37 185.8.106.92 185.8.106.145
176.65.148.30
Remediation
Immediate Steps
- Update Gravity SMTP to version 2.1.5 or later. The patch removes the unconditional true return from the permission_callback, so the endpoint requires proper authentication before it returns any data.
- Rotate all API credentials configured in the plugin — Amazon SES keys, Google OAuth tokens, Mailjet keys, Resend keys, Zoho credentials. Assume that any credential configured in the plugin while a vulnerable version was installed has been compromised.
- Audit server logs for GET requests matching /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings, paying particular attention to requests from the known malicious IPs listed above.
- Check your email provider dashboards for unexpected sending activity or unusual API usage.
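As an added illustration of the log audit step (example code written for this page, not code from the advisory or from the plugin), the following script scans Apache/nginx combined-format access log lines for the exploit request, decodes percent-encoded variants so obfuscated requests still match, and tallies hits per source IP while flagging addresses from the list above. The sample log lines are constructed, and KNOWN_BAD_IPS holds only a subset of the advisory's list.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and query parameter named in the advisory.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
VULN_PARAM, VULN_VALUE = "page", "gravitysmtp-settings"
# Subset of the exploit sources listed in the advisory; extend with the full list.
KNOWN_BAD_IPS = {"45.148.10.95", "193.32.162.60", "176.65.148.139"}

# Apache/nginx "combined" format: ip - - [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_exploit_request(method: str, target: str) -> bool:
    """True when a request line matches the CVE-2026-4020 exploit pattern."""
    if method != "GET":
        return False
    parts = urlsplit(unquote(target))  # undo %-encoding so obfuscated variants still match
    if parts.path.rstrip("/") != VULN_PATH:
        return False
    return VULN_VALUE in parse_qs(parts.query).get(VULN_PARAM, [])

def scan_log(lines):
    """Return (hits, per_ip): matching parsed entries, and a Counter of hits per source IP."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_exploit_request(m["method"], m["target"]):
            hits.append({**m.groupdict(), "known_bad": m["ip"] in KNOWN_BAD_IPS})
            per_ip[m["ip"]] += 1
    return hits, per_ip

# Constructed sample log lines, not real traffic (203.0.113.x / 198.51.100.x are documentation ranges).
SAMPLE_LOG = """\
45.148.10.95 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2026:10:01:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp%2Dsettings HTTP/1.1" 200 373812 "-" "curl/8.0"
198.51.100.9 - - [06/Jun/2026:10:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
45.148.10.95 - - [06/Jun/2026:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:  # a 200 with a ~365 KB body means the report was actually served
        flag = " [known exploit source]" if h["known_bad"] else ""
        print(f'{h["time"]} {h["ip"]} status={h["status"]} bytes={h["size"]}{flag}')
    print("hits per IP:", dict(per_ip))
```

A hit with status 200 and a body of several hundred kilobytes indicates the system report was served, so the credentials it contained should be treated as exposed.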
Mitigations if Immediate Update Is Not Possible
- Disable the Gravity SMTP plugin temporarily.
- Block external access to /wp-json/gravitysmtp/ at the web server or WAF level.
- If using Wordfence Premium, ensure rules are up to date — a firewall rule was issued May 6, 2026.