Active Exploitation Underway for Critical Information Disclosure Vulnerability in Gravity SMTP WordPress Plugin Affecting Over 100,000 Websites

Cahyo Dewo, June 20, 2026

Threat actors are actively exploiting a recently identified and patched security flaw, tracked as CVE-2026-4020, within the Gravity SMTP WordPress plugin, which is currently installed on approximately 100,000 websites globally. This medium-severity vulnerability, possessing a CVSS score of 5.3, represents a significant information disclosure risk, enabling unauthenticated attackers to extract highly sensitive data including configuration details, API keys, secrets, and OAuth tokens that have been configured for the plugin’s email integration functionalities. The swift weaponization of this flaw underscores the persistent challenge of securing third-party components within popular content management systems and the urgent need for timely patching and proactive security measures by website administrators.

The Vulnerability Unpacked: An Unauthenticated API Endpoint

The core of CVE-2026-4020 lies in an improperly secured REST API endpoint within the Gravity SMTP plugin. Specifically, the endpoint located at /wp-json/gravitysmtp/v1/tests/mock-data was found to have a permission_callback function that unconditionally returned true. This critical oversight allowed any unauthenticated visitor to access the endpoint without requiring any form of authentication or authorization.

According to cybersecurity firm Wordfence, which extensively detailed the vulnerability, the endpoint’s behavior becomes particularly problematic when a specific query parameter, ?page=gravitysmtp-settings, is appended to the request. When this parameter is included, the plugin’s register_connector_data() method is invoked. This method, designed to populate internal connector data for legitimate administrative functions, inadvertently causes the endpoint to return a comprehensive JSON payload. This payload, weighing approximately 365 KB, constitutes the plugin’s full System Report, a treasure trove of operational data.

The sheer volume and nature of the data exposed are alarming. Attackers can leverage this vulnerability to retrieve an extensive range of information, including but not limited to:

  • API Keys and Secrets: Credentials for various third-party email services (e.g., SendGrid, Mailgun, Amazon SES, Google Workspace SMTP, Microsoft 365 SMTP), transactional email providers, and potentially other integrated services.
  • OAuth Tokens: Authorization tokens used to connect the WordPress site to external services without exposing raw credentials, which can be hijacked for unauthorized access.
  • Database Configuration Data: While not directly exposing database credentials, information about database type, host, and user can aid in further reconnaissance.
  • System Environment Details: PHP version, WordPress version, server operating system, web server software (Apache, Nginx), and other installed plugins and themes. This provides a detailed blueprint of the target system, significantly lowering the effort required for subsequent, more targeted attacks.
  • Email Server Details: SMTP host, port, encryption methods, and sender email addresses, which are crucial for crafting sophisticated phishing campaigns or spam operations.
  • Plugin-Specific Settings: Internal settings and configurations of Gravity SMTP itself, potentially revealing operational logic or additional hidden endpoints.

The exposure of live third-party API credentials is a particularly grave concern. With these credentials, an attacker could effectively "take over" the site’s connected email services, enabling them to send emails on behalf of the compromised website. This could range from distributing spam and malware to executing highly convincing phishing attacks targeting the site’s users, customers, or even internal staff, leveraging the legitimate domain reputation of the compromised site. Furthermore, the detailed system report provides a comprehensive reconnaissance platform, allowing attackers to identify other potential weaknesses or vulnerabilities in the site’s software stack, thereby serving as a foundational step for more advanced and destructive follow-on attacks.

A Rapidly Escalating Threat: The Exploitation Timeline

The exploitation of CVE-2026-4020 demonstrates a concerningly rapid response from malicious actors following the discovery and patching of the flaw. While the patch for the vulnerability was released in version 2.1.5 of the Gravity SMTP plugin, threat actors wasted no time in attempting to exploit the defect.

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Initial reports from Wordfence indicate that malicious activity targeting this vulnerability commenced as early as the start of May 2026. This initial phase likely involved reconnaissance and testing by various threat groups to confirm the exploitability of the flaw across a diverse range of WordPress installations. However, the intensity of these exploitation efforts escalated dramatically around June 6, 2026. This date marked a significant turning point, with attack attempts spiking sharply and subsequently peaking at more than 4,000,000 requests in a single day.

As of June 20, 2026, Wordfence has reported blocking more than 17 million exploit attempts targeting CVE-2026-4020 across the sites it protects. This staggering figure underscores the widespread and automated nature of these attacks, likely orchestrated by botnets or sophisticated scanning operations designed to identify and compromise vulnerable websites en masse. The persistent high volume of attacks, even after the availability of a patch, highlights the critical window between vulnerability disclosure and widespread remediation, which attackers are quick to leverage.

The exploit attempts have originated from a diverse set of IP addresses, suggesting a distributed attack infrastructure. Some of the notable IP addresses identified as sources of these malicious requests include:


These IP addresses likely belong to compromised servers, virtual private servers (VPS) rented for malicious purposes, or nodes within larger botnets, making attribution to a single threat actor or group challenging. The use of varied IP ranges further complicates blocking efforts and emphasizes the need for a multi-layered security approach.

Developer Response and Remediation

The developers of Gravity SMTP promptly addressed the vulnerability by releasing a patch in version 2.1.5 of the plugin. This swift action is commendable and crucial in mitigating the widespread impact of such flaws. The patch effectively closes the information disclosure vector by correctly implementing permission checks for the affected REST API endpoint, ensuring that only authenticated and authorized users can access sensitive system reports.

However, the efficacy of a patch is entirely dependent on its adoption by site administrators. The continued high volume of exploitation attempts clearly indicates that a significant number of websites have yet to update their Gravity SMTP plugin to the secure version. This delay can be attributed to various factors, including lack of awareness, insufficient patching routines, or reliance on automated updates that may not be configured for all plugins.

Implications for Webmasters and Site Owners

For site owners running a vulnerable version of the Gravity SMTP plugin (any version prior to 2.1.5), and especially those who have configured third-party email integrations, immediate action is paramount. The primary and most critical step is to update the plugin to the latest secure version (2.1.5 or higher) as soon as possible. This action will close the vulnerability and prevent further unauthorized data extraction.


Beyond immediate patching, a proactive stance of assuming compromise is strongly advised for affected sites. This assumption necessitates several follow-up actions:

  1. Credential Rotation: All API keys, OAuth tokens, and potentially even user passwords (especially for administrative accounts) associated with any third-party email services or other integrations configured within Gravity SMTP must be immediately rotated. This means generating new credentials and revoking the old ones.
  2. Server Log Review: Site administrators should meticulously review their server log files for requests originating from the aforementioned malicious IP addresses. They should specifically look for unauthenticated HTTP GET requests directed at the /wp-json/gravitysmtp/v1/tests/mock-data API endpoint, particularly those including the ?page=gravitysmtp-settings query parameter. Evidence of such requests confirms successful information exfiltration.
  3. Security Audit: Conduct a comprehensive security audit of the entire WordPress installation. This includes checking for any newly created rogue administrator accounts, suspicious files uploaded to the server, or unauthorized modifications to existing files. Tools like integrity checkers and malware scanners can assist in this process.
  4. Monitoring: Implement enhanced monitoring for unusual outbound email activity, unexpected changes to site content, or abnormal resource utilization, which could indicate ongoing exploitation or post-exploitation activities.
  5. User Education: Remind users and staff about phishing risks, as attackers might leverage stolen email credentials to launch targeted campaigns.
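The log review in step 2 can be scripted. The following Python is an added example and not code from the article or from the plugin vendor: it parses combined-format access log lines, resolves both the /wp-json/ route form and WordPress's ?rest_route= form of the same endpoint, and rates each hit. The thresholds, field names and sample log lines are assumptions constructed for illustration; a request line alone records an attempt, while a 200 response carrying the ?page=gravitysmtp-settings parameter and a body of several hundred KB is the evidence that the System Report was actually served.

```python
import re
from urllib.parse import parse_qs

# Combined log format as written by Apache and Nginx (sample lines are constructed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
ROUTE = "/gravitysmtp/v1/tests/mock-data"   # REST route named in the advisory
TRIGGER = ("page", "gravitysmtp-settings")   # parameter that makes the endpoint return the System Report

def rest_route(target):
    # WordPress serves the same route as /wp-json/<route> and as /?rest_route=<route>
    path, _, query = target.partition("?")
    params = parse_qs(query)
    route = path[len("/wp-json"):] if path.startswith("/wp-json/") else params.get("rest_route", [""])[0]
    return route.rstrip("/"), params

def classify(line, known_bad_ips=frozenset()):
    # Returns a finding for a request to the mock-data route, None for unrelated lines.
    m = LOG_RE.match(line)
    if not m:
        return None
    route, params = rest_route(m["target"])
    if route != ROUTE:
        return None
    triggered = TRIGGER[1] in params.get(TRIGGER[0], [])
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    # The report is only returned on a 200 with the trigger parameter; a body of
    # several hundred KB (the advisory cites ~365 KB) means it very likely left the server.
    if status == 200 and triggered and size > 100_000:
        severity = "likely-exfiltration"
    elif status == 200 and triggered:
        severity = "suspicious"
    else:
        severity = "probe"  # no trigger parameter, or blocked/patched (401, 403)
    return {"ip": m["ip"], "ts": m["ts"], "status": status, "size": size,
            "severity": severity, "known_bad_ip": m["ip"] in known_bad_ips}

def scan(lines, known_bad_ips=frozenset()):
    return [f for f in (classify(l, known_bad_ips) for l in lines) if f]

# Constructed sample log; IPs are from documentation ranges, not the advisory's list.
SAMPLE_LOG = [
    '203.0.113.9 - - [06/Jun/2026:10:15:32 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Jun/2026:10:16:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 118 "-" "curl/8.0"',
    '198.51.100.4 - - [07/Jun/2026:01:02:03 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 94 "-" "curl/8.0"',
    '192.0.2.7 - - [07/Jun/2026:01:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Pass the source IPs published by Wordfence as known_bad_ips to flag them, and treat any "likely-exfiltration" hit as confirmation that credential rotation (step 1) is mandatory rather than precautionary.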

The impact of this information disclosure can be far-reaching. Beyond the immediate threat of email hijacking, the detailed system report provides attackers with invaluable intelligence for crafting highly sophisticated, multi-stage attacks. This could include exploiting other known vulnerabilities in specific plugin versions, attempting brute-force attacks against identified services, or even leveraging the information to gain deeper access to the server infrastructure itself. The potential for reputational damage, loss of customer trust, and even regulatory fines (e.g., GDPR, CCPA) if personal identifiable information (PII) is indirectly exposed or misused through compromised email channels, cannot be overstated.

Broader Cybersecurity Context and Preventative Measures

The Gravity SMTP vulnerability serves as a stark reminder of the inherent security challenges within complex software ecosystems like WordPress. With tens of thousands of plugins and themes available, each introducing its own codebase and potential vulnerabilities, the attack surface for a typical WordPress site is vast. The prevalence of REST API vulnerabilities, where improper authentication or authorization checks expose sensitive functionalities or data, is a recurring theme in modern web application security.

This incident also highlights the critical importance of secure coding practices, particularly when developing public-facing APIs. Developers must ensure that all API endpoints have robust permission checks, adhering to the principle of least privilege, where access is granted only to those who explicitly require it and only after proper authentication.

Beyond patching, several best practices can help mitigate similar risks in the future:

  • Web Application Firewalls (WAFs): Implementing a robust WAF, such as Wordfence Security Premium, can provide an additional layer of defense by detecting and blocking malicious requests targeting known vulnerabilities or suspicious API access patterns. Many WAFs can be configured to block access to sensitive API endpoints for unauthenticated users.
  • Regular Security Audits and Penetration Testing: Periodically auditing the security posture of websites, including comprehensive penetration testing, can help identify vulnerabilities before they are exploited by malicious actors.
  • Principle of Least Privilege: Ensure that plugins and themes only have the necessary permissions to function, and limit the exposure of sensitive configuration data to the bare minimum.
  • Secure Development Lifecycle: Developers should integrate security considerations throughout the entire software development lifecycle, from design to deployment and maintenance.
  • Automated Updates and Monitoring: While manual review is important, enabling automated updates for minor plugin versions can help ensure timely patching. Furthermore, continuous monitoring for unusual activity is crucial for early detection of exploitation attempts.
  • Credential Management: Implement strong password policies, multi-factor authentication (MFA) for all administrative accounts, and use secure credential storage mechanisms. API keys and secrets should ideally be stored in environment variables or secure vaults, not directly within code or easily accessible configuration files.
  • Network Segmentation: For larger organizations, segmenting networks can limit the lateral movement of attackers if one part of the infrastructure is compromised.

The ongoing exploitation of CVE-2026-4020 in the Gravity SMTP plugin is a clear signal that the cybersecurity landscape remains dynamic and unforgiving. While developers are working diligently to secure their products, the ultimate responsibility for website security rests with the administrators. Timely updates, vigilance, and adherence to robust security practices are not merely recommendations but essential requirements in safeguarding digital assets against an ever-evolving threat landscape. Staying informed through reputable cybersecurity news sources, like Google News, Twitter, and LinkedIn, is crucial for reacting swiftly to emerging threats.
