The Gravity SMTP WordPress plugin (the email delivery plugin from the makers of Gravity Forms) contains an unauthenticated information disclosure vulnerability, CVE-2026-4020, rated High severity, that returns live email API credentials to any HTTP request: no authentication, no nonce, no user session required. It affects every version up to and including 2.1.4, and it is being exploited at massive scale: Wordfence reports blocking over 17 million attack attempts, 4 million of them in a single day on June 7, 2026.
If you are running Gravity SMTP 2.1.4 or earlier, treat every credential it holds (SendGrid, Mailgun, SES, Postmark, OAuth) as compromised. Update first, then rotate: a credential rotated before the patch is applied is simply disclosed again on the next request.
CVE Reference
- CVE: CVE-2026-4020
- Severity: High
- Affected versions: Gravity SMTP ≤ 2.1.4 (100,000+ active installs)
- Patched version: 2.1.5
- Active Exploitation: YES — 17M+ blocked attempts; 4M in 24 hours on June 7, 2026
What the Vulnerability Does
Gravity SMTP stores email provider credentials (API keys, OAuth tokens, and SMTP passwords) so it can send WordPress transactional emails through services like SendGrid, Mailgun, Amazon SES, Postmark, and others. CVE-2026-4020 is an unauthenticated information disclosure: a REST API endpoint or AJAX action in the plugin returns these stored credentials to any caller, with no capability check and no nonce verification.
An attacker sends a single HTTP request to the vulnerable endpoint and receives back the plaintext API key or OAuth token that the site owner configured. With a live SendGrid API key, an attacker can:
- Send bulk spam or phishing email using your account and domain reputation
- Exhaust your sending limits, causing legitimate emails to fail
- Extract your entire SendGrid contact list if the key has sufficient permissions
- Access SendGrid's template and suppression data
The same applies to Mailgun API keys (send and receive access for the domain, or for the whole account if it is the account-wide private key), Amazon SES credentials (an IAM access key, which grants whatever the attached IAM policy allows, potentially far more than SES), and OAuth tokens for Microsoft 365 or Google Workspace mail (a refresh token keeps working until it is revoked).
Why the Attack Volume Is So High
17 million attempts is an extraordinary number even by WordPress vulnerability standards. Several factors explain it:
- Gravity Forms is one of the most widely deployed premium WordPress plugins, powering forms on hundreds of thousands of sites. Gravity SMTP is its natural email companion (100,000+ active installs), so attackers can safely assume a large, easily enumerated target base.
- The attack is trivially automatable. A single unauthenticated HTTP request returns credentials — no brute force, no session management, no complexity. Bots can scan millions of WordPress sites in hours.
- Email API keys have immediate monetizable value. Stolen SendGrid and Mailgun credentials are sold on criminal markets for spam sending and phishing infrastructure. Attackers moved quickly once PoC became available.
Immediate Action: Update to 2.1.5
Update Gravity SMTP to version 2.1.5 or later immediately through WordPress Admin → Plugins → Updates. If you have auto-updates disabled for premium plugins, log into your Gravity Forms account to download the latest release and upload it manually.
After updating, confirm the version number in Plugins → Installed Plugins before proceeding.
Rotate All Email Credentials — Even If You Think You Weren't Hit
Given 17 million automated scan attempts, assume that if a vulnerable version was reachable at any point after exploitation began, its credentials were harvested. Rotate everything, and do it after the update, not before, or the fresh credentials are disclosed again. For each provider:
SendGrid
- Log into SendGrid → Settings → API Keys
- Delete the API key currently configured in Gravity SMTP
- Create a new API key with only the permissions Gravity SMTP requires (typically "Mail Send" only)
- Update the key in Gravity SMTP → Settings → Email Providers → SendGrid
Mailgun
- Log into Mailgun → Account → API Keys
- Delete the compromised private API key
- Generate a new key, preferring a domain-scoped sending key over the account-wide private key, and update it in Gravity SMTP
- Check Mailgun logs for any unauthorized sends from your domain
Amazon SES
- Log into AWS Console → IAM → Users
- Find the IAM user whose access key is configured in Gravity SMTP
- Create a new access key for that user, with an IAM policy that allows only ses:SendEmail and ses:SendRawEmail (ideally conditioned on your From address), and enter it in Gravity SMTP
- Deactivate the exposed access key; deactivation is reversible if the site breaks, so delete it only once the new key is confirmed working. If Gravity SMTP uses the SES SMTP interface, the SMTP password is derived from the secret access key and therefore changes with it
- Review AWS CloudTrail event history for API calls made with the old key, especially calls outside SES: a leaked key with a broad policy is an AWS account compromise, not just an email problem
OAuth Tokens (Microsoft 365 / Google Workspace)
- Revoke the OAuth application authorization in your Microsoft 365 or Google Workspace admin console; this is what invalidates the refresh token the attacker holds, since a refresh token keeps working until it is revoked
- Re-authorize Gravity SMTP with a fresh OAuth flow after updating to 2.1.5; re-authorizing alone does not revoke the leaked token
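The Amazon SES rotation above, as an added example (not the advisory's or Gravity SMTP's own code): it scopes the IAM user down to a send-only policy, creates the replacement key, deactivates the leaked key, and deletes it only if asked to, which mirrors the create-first, deactivate-then-delete order a practitioner wants so the site never loses mail. Assumptions, labelled as such: the IAM user name, key IDs and From-address domain are hypothetical, and the `iam` argument is any object exposing the boto3 IAM client methods used, so the function runs against `boto3.client("iam")` in production or against the in-memory stand-in included below when run offline.

```python
"""Added example, not the advisory's or Gravity SMTP's own code: rotate the IAM access key that
Gravity SMTP uses for Amazon SES in a safe order (scope the user down, create the replacement,
deactivate the leaked key, delete it only once the site is confirmed sending on the new key).

Assumptions: the IAM user name and key IDs are hypothetical, the From-address in the policy is a
placeholder, and `iam` is any object with the boto3 IAM client methods used below, so this runs
against boto3.client("iam") in production or against the FakeIAM stand-in at the bottom offline.
"""
import json

# Send-only policy for a transactional-mail sender. ses:FromAddress is an SES condition key;
# restricting it stops a leaked key from sending as other identities in the account.
SES_SEND_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": "*",
        "Condition": {"StringLike": {"ses:FromAddress": "*@example.com"}},  # placeholder domain
    }],
}


def rotate_ses_key(iam, user_name: str, leaked_key_id: str, delete_old: bool = False) -> dict:
    """Returns the new key pair (to paste into Gravity SMTP) and the status of every key on the user."""
    existing = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(existing) >= 2:
        # IAM allows two access keys per user; refuse rather than silently delete something else.
        raise RuntimeError("user already has two access keys; remove an unused one first")
    iam.put_user_policy(UserName=user_name, PolicyName="gravitysmtp-ses-send-only",
                        PolicyDocument=json.dumps(SES_SEND_ONLY_POLICY))
    new_key = iam.create_access_key(UserName=user_name)["AccessKey"]
    # Inactive, not deleted: the attacker's copy stops working now, and the step is reversible
    # if the site turns out to still be using the old key somewhere.
    iam.update_access_key(UserName=user_name, AccessKeyId=leaked_key_id, Status="Inactive")
    if delete_old:
        iam.delete_access_key(UserName=user_name, AccessKeyId=leaked_key_id)
    remaining = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    return {
        "new_key_id": new_key["AccessKeyId"],
        "new_secret": new_key["SecretAccessKey"],
        "keys": {k["AccessKeyId"]: k["Status"] for k in remaining},
    }


class FakeIAM:
    """In-memory stand-in for the boto3 IAM calls above (constructed for this example only)."""

    def __init__(self, keys: dict):
        self.keys = dict(keys)        # AccessKeyId -> "Active" | "Inactive"
        self.policies = {}
        self._n = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s} for k, s in self.keys.items()]}

    def create_access_key(self, UserName):
        self._n += 1
        key_id = f"AKIAFAKE{self._n:012d}"
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "fake-secret", "Status": "Active"}}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

    def put_user_policy(self, UserName, PolicyName, PolicyDocument):
        self.policies[PolicyName] = json.loads(PolicyDocument)


if __name__ == "__main__":
    # Offline demonstration; for real use pass boto3.client("iam") instead of FakeIAM.
    result = rotate_ses_key(FakeIAM({"AKIAEXAMPLELEAKED01": "Active"}),
                            "gravitysmtp-ses", "AKIAEXAMPLELEAKED01")
    print(json.dumps({k: v for k, v in result.items() if k != "new_secret"}, indent=2))
```

Two caveats on the design. `put_user_policy` adds an inline policy; it does not remove managed policies already attached to the user, so if the user carries something broad like full SES access, detach it (`list_attached_user_policies` / `detach_user_policy`) before trusting the new scope. And because the SES SMTP password is derived from the secret access key, a site that uses the SMTP interface rather than the API gets a new SMTP password from this rotation too; generate it from the new secret and update that field as well.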
Check for Unauthorized Email Sends
After rotating credentials, review your email provider's sending logs for the period covering your exposure window:
- SendGrid: Activity Feed → filter by date range → look for unexpected recipient domains or message subjects
- Mailgun: Logs → filter by date → flag any sends you didn't initiate
- SES: the SES console account dashboard, or the AWS/SES CloudWatch namespace (Send, Bounce, Complaint metrics), for unexpected send-volume spikes or a bounce-rate jump; CloudTrail event history shows the key's API calls but is not a per-message sending log
If you find unauthorized sends, you are also dealing with abuse of your sending domain: expect bounces and spam complaints, contact your email provider's abuse team, and document the incident.
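The CloudTrail review from the SES rotation step, as an added example that is not part of the advisory: it triages the JSON that `aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<old key>` returns and flags anything a WordPress mail plugin has no business doing with that key. Assumptions, labelled as such: the key ID, the web server's egress IP, the allow-list of expected calls and every sample event are constructed for this example (tune the allow-list to your own baseline); the record shape mirrors the CLI output, with EventName, EventSource, AccessKeyId and EventTime at top level and the full record as a JSON string under CloudTrailEvent.

```python
"""Added example, not part of the advisory: triage the output of
  aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=<old key>
for activity that a WordPress mail plugin has no business generating.

Assumptions: the key ID, the server's egress IP, the allow-list of expected calls and every
sample event below are constructed for this example; the record shape mirrors the CLI output.
"""
import json

OLD_KEY = "AKIAEXAMPLELEAKED01"      # constructed; the key that was in Gravity SMTP
SERVER_IPS = {"203.0.113.10"}        # constructed; the WordPress host's egress address(es)
EXPECTED_SOURCES = {"ses.amazonaws.com"}
EXPECTED_EVENTS = {"SendEmail", "SendRawEmail", "GetSendQuota"}   # example allow-list, tune to baseline


def triage(lookup_output: dict, old_key_id: str, known_egress_ips: set) -> list:
    """Flag events made with the leaked key from an unknown IP, to a non-SES service,
    or to an SES API the plugin would never call. Returns one finding per suspicious event."""
    findings = []
    for event in lookup_output.get("Events", []):
        if event.get("AccessKeyId") != old_key_id:
            continue
        detail = json.loads(event.get("CloudTrailEvent", "{}"))
        source_ip = detail.get("sourceIPAddress", "?")
        reasons = []
        if event.get("EventSource") not in EXPECTED_SOURCES:
            reasons.append(f"call to non-SES service {event.get('EventSource')}")
        elif event.get("EventName") not in EXPECTED_EVENTS:
            reasons.append(f"unexpected SES call {event.get('EventName')}")
        if source_ip not in known_egress_ips:
            reasons.append(f"source IP {source_ip} is not the web server")
        if reasons:
            findings.append({"time": event.get("EventTime"), "event": event.get("EventName"),
                             "ip": source_ip, "reasons": reasons})
    return findings


def _event(name, source, key_id, ip, when):
    """Build one record in the shape `aws cloudtrail lookup-events` prints (constructed data)."""
    return {
        "EventName": name, "EventSource": source, "AccessKeyId": key_id, "EventTime": when,
        "Username": "gravitysmtp-ses",
        "CloudTrailEvent": json.dumps({"eventName": name, "eventSource": source,
                                       "sourceIPAddress": ip,
                                       "userIdentity": {"accessKeyId": key_id}}),
    }


SAMPLE_LOOKUP_OUTPUT = {"Events": [
    # normal: the web server checking its quota
    _event("GetSendQuota", "ses.amazonaws.com", OLD_KEY, "203.0.113.10", "2026-06-06T09:00:00Z"),
    # suspicious: someone else probing what the key can do
    _event("GetCallerIdentity", "sts.amazonaws.com", OLD_KEY, "198.51.100.7", "2026-06-07T02:14:03Z"),
    _event("ListIdentities", "ses.amazonaws.com", OLD_KEY, "198.51.100.7", "2026-06-07T02:14:09Z"),
    # a different key: out of scope for this review
    _event("GetSendQuota", "ses.amazonaws.com", "AKIAEXAMPLEOTHER001", "203.0.113.10", "2026-06-07T03:00:00Z"),
]}


def load_and_triage(path: str) -> list:
    """Run the triage over a saved `lookup-events --output json` file."""
    with open(path) as fh:
        return triage(json.load(fh), OLD_KEY, SERVER_IPS)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOOKUP_OUTPUT, OLD_KEY, SERVER_IPS):
        print(finding["time"], finding["event"], finding["ip"], "; ".join(finding["reasons"]))
```

Event history covers the last 90 days of management API calls, which is enough to catch an attacker enumerating the account with a stolen key; for send volume itself rely on the SES metrics listed above rather than on this output.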
Verify You Have Gravity SMTP (It May Not Be Obvious)
If you use Gravity Forms, check your installed plugins for Gravity SMTP — it may have been installed by a developer or agency without your direct knowledge. Go to WordPress Admin → Plugins → Installed Plugins and search for "Gravity SMTP."
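Both checks above, finding out whether Gravity SMTP is present and confirming the version after the update, as one added example that is not part of the advisory and not Gravity SMTP's own code. Assumptions, labelled as such: the plugin lives at wp-content/plugins/gravitysmtp (the slug is assumed; check your install) and its main file carries the standard WordPress "Version:" plugin header. The version comparison is numeric on purpose, because a string comparison ranks "2.1.10" below "2.1.5" and would call a patched site vulnerable.

```python
"""Added example (not from the advisory or from Gravity SMTP's own code): find Gravity SMTP
in a WordPress install and decide whether it is still at or below 2.1.4.

Assumptions: the plugin directory is wp-content/plugins/gravitysmtp (slug assumed) and its
main file carries a standard WordPress "Version:" plugin header.
"""
import re
import tempfile
from pathlib import Path
from typing import Optional

PLUGIN_SLUG = "gravitysmtp"   # assumed directory name under wp-content/plugins; check yours
FIXED_VERSION = "2.1.5"
# Standard WordPress plugin header line, e.g. " * Version: 2.1.4"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'2.1.10' -> (2, 1, 10). Compared numerically: as strings '2.1.10' < '2.1.5', which is wrong."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)      # tolerate suffixes such as '2.1.5-beta1'
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True for every release at or below 2.1.4."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(php_source: str) -> Optional[str]:
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def find_plugin_version(wp_root) -> Optional[str]:
    """Version header of the plugin's main file, or None when the plugin directory is absent."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        version = version_from_header(php.read_text(errors="ignore")[:8192])
        if version:
            return version
    return None


def assess(wp_root) -> str:
    version = find_plugin_version(wp_root)
    if version is None:
        return "not installed"
    if is_vulnerable(version):
        return f"{version} VULNERABLE: update to {FIXED_VERSION}, then rotate every stored credential"
    return f"{version} patched"


def demo() -> str:
    """Builds a throwaway WordPress-shaped tree with a constructed 2.1.4 header and assesses it."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "gravitysmtp.php").write_text(
            "<?php\n/**\n * Plugin Name: Gravity SMTP\n * Version: 2.1.4\n */\n"
        )
        return assess(root)


if __name__ == "__main__":
    import sys
    print(assess(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it as `python check_gravitysmtp.py /var/www/html` against each site you manage; with no argument it runs the constructed demo. On a host with WP-CLI the same answer comes from `wp plugin get gravitysmtp --field=version` (again assuming the slug), but the header check works on a plain filesystem copy or backup where WP-CLI is not available.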