
Hoplon InfoSec
21 Jun, 2026
Content Summary
Gravity SMTP, a WordPress plugin used for email delivery, was found to expose sensitive system data through an unauthenticated REST API endpoint. In plain English, that means an outsider could pull back a detailed report from the site without logging in, including API keys, OAuth tokens, server details, plugin versions, and other information that can help an attacker plan the next move. Wordfence says the plugin is estimated to have about 100,000 active installations, and it has already blocked over 17 million exploit attempts against this issue.
Quick Comparison Table
| Item | Details | Why it matters |
|---|---|---|
| CVE | CVE-2026-4020 | This is the tracking ID for the flaw. |
| Affected versions | Gravity SMTP up to 2.1.4 | Sites on these versions are exposed. |
| Patched version | 2.1.5 | This is the version users should move to. |
| Severity | CVSS 5.3, Medium | The score is medium, but the real-world impact can still be serious if secrets are exposed. |
| Exposed data | System report, API keys, OAuth tokens, server stack details | This can help attackers steal mail access and plan follow-up attacks. |
| Attack scale | Over 17 million blocked attempts | The issue is being actively scanned and abused in the wild. |
Gravity SMTP Vulnerability CVE-2026-4020 Explained
A small mistake in a plugin can create a big headache for a website owner. That is exactly what happened with Gravity SMTP, a WordPress plugin that helps sites send email reliably. A flaw in one REST API endpoint allowed unauthenticated visitors to pull back sensitive system data. That data could include API keys, OAuth tokens, server information, installed plugin versions, and other details that attackers value because they make the next step easier.
The issue is tracked as CVE-2026-4020. Wordfence lists it as a medium severity information disclosure flaw with a CVSS score of 5.3, while the NVD description explains that the vulnerable endpoint was exposed through /wp-json/gravitysmtp/v1/tests/mock-data, where the permission check always returned true. When the ?page=gravitysmtp-settings parameter is added, the plugin can return a large System Report JSON payload of roughly 365 KB.
What happened, in simple terms
Think of the plugin as a locked drawer that stores site mail settings. The problem was that one of the locks was not really working. Because the REST API permission check always returned true, any visitor could ask for the data without being logged in. If the site had email services connected inside Gravity SMTP, the exposed report could also include live credentials that were never meant to be public.
That is why this kind of bug matters. It may not be remote code execution, but it gives an attacker a clean view of the target. Once a threat actor sees the WordPress version, active plugins, web server version, database type, and document root path, they can map out weak spots and prepare a more targeted attack.
| Attribute | Detail |
|---|---|
| CVE ID | CVE-2026-4020 |
| CVSS Score | 5.3 (Medium) |
| Vulnerability Type | Unauthenticated Sensitive Information Disclosure |
| Affected Plugin | Gravity SMTP |
| Affected Versions | All versions before 2.1.5 |
| Patched Version | 2.1.5 |
| Active Installations | ~100,000 |
| Authentication Required | None |
| Exploit Complexity | Low (single HTTP GET request) |
| Discovered By | Wordfence Security |
| Exploit Attempts Blocked | 17+ million (as of June 2026) |
Why this is a real-world risk
This flaw is not only about leaked technical details. Wordfence says the problem can expose API keys, secrets, and OAuth tokens tied to the plugin’s email integrations. That includes services such as Amazon SES, Google, Mailjet, Resend, and Zoho. If those credentials are stolen, an attacker may be able to send email on behalf of the site, damage domain reputation, or use the site as a stepping stone for phishing and follow-up abuse.
That is why a medium CVSS score does not always mean low pain. The score reflects a technical rating, but the actual damage depends on what gets exposed. In this case, live credentials and a full system report can make the blast radius much larger than the score suggests.
How attackers are abusing it
Wordfence says it has already blocked over 17 million exploit attempts against CVE-2026-4020. Its report also says exploitation rose sharply in early June 2026, with the biggest spike on June 7, 2026, when more than 4 million requests were blocked in a single day. The same report lists several source IP addresses that were seen repeatedly targeting the vulnerable endpoint.
That tells an important story. Attackers are not waiting around. They are scanning at scale, firing unauthenticated GET requests at the endpoint, and looking for any site that has not been updated yet. Once they find one, they can harvest sensitive data with very little effort.
What was fixed
Gravity Forms says version 2.1.5 includes important security enhancements and recommends updating as soon as possible. The changelog also shows that 2.1.5 was released on March 25, 2026, with a simple but important security improvement note. Wordfence says the vendor had already released the fully patched version by March 17, 2026, and urges site owners to update and rotate exposed credentials.
Even if a site is already behind a firewall, the safe move is still to update the plugin, review logs, and rotate any secrets that may have been exposed. A firewall can block some attacks, but it does not erase data that may already have leaked.
| Exposed Data | Why Attackers Want It | Potential Attack Use |
|---|---|---|
| PHP Version & Extensions | Identifies known PHP CVEs for that specific version | Exploit unpatched PHP interpreters or dangerous extension configs |
| Web Server Version | Narrows down Apache/Nginx-specific vulnerability databases | Server-level exploit chaining, header injection, path traversal |
| Document Root Path | Maps the server's file system layout | Directory traversal, local file inclusion attacks |
| Database Server Type & Version | Identifies MySQL/MariaDB version-specific SQL bugs | Precision-targeted SQL injection, version-specific exploits |
| WordPress Version | Enables WordPress core CVE matching | Known core vulnerability exploitation if unpatched |
| All Active Plugins with Versions | Complete software inventory for vulnerability lookups | Cross-reference each plugin version against exploit databases |
| Active Theme | Theme-specific vulnerabilities are common | Theme CVE lookup, template injection, SSRF via theme functions |
| WordPress Configuration Details | Reveals environment settings and potential misconfigurations | Debug mode status, table prefix, salts-related info |
| Database Table Names | Eliminates guesswork from SQL attacks | Precision SQL injection, targeted data extraction |
| API Keys (SES, Google, Mailjet, Resend, Zoho) | Fully functional credentials for live email services | Send phishing/spam emails, abuse sending reputation, billing fraud |
| OAuth Tokens | Access tokens for connected Google/Microsoft accounts | Access linked accounts, impersonate the site's email identity |
What site owners should do right now
Start by checking the installed version of Gravity SMTP. If it is 2.1.4 or older, update to 2.1.5 immediately. Then review your mail integration accounts and rotate any credentials that may have been visible in the System Report. Wordfence specifically advises checking server logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially those containing ?page=gravitysmtp-settings.
After that, audit outbound mail activity. Look for unexpected sending patterns, odd login activity, and changes to email routing or API usage. If the site is business critical, treat the exposure as a possible compromise until you have checked the logs and rotated secrets. That is the safest assumption because the issue exposes live integration data, not just harmless metadata.
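The log review that Wordfence recommends can be scripted. The PHP CLI script below is an added example written for this article, not code from Wordfence or from Gravity SMTP: it parses access log lines in the common Apache/Nginx combined format, flags every request to /wp-json/gravitysmtp/v1/tests/mock-data, separates plain probes from requests that carried ?page=gravitysmtp-settings, and summarises hits per source IP. The sample log lines are constructed, the IP addresses come from documentation ranges (not the addresses in the Wordfence report), and the 373760-byte body is only there to illustrate a roughly 365 KB response.

```php
<?php
// Added example (not from the Wordfence advisory or the Gravity SMTP plugin):
// scan web server access log lines for requests to the vulnerable endpoint.
// Usage: php scan-gravitysmtp-log.php /var/log/nginx/access.log
// With no argument it runs over the constructed sample lines at the bottom.

const VULN_PATH        = '/wp-json/gravitysmtp/v1/tests/mock-data';
const VULN_QUERY_PARAM = 'page';
const VULN_QUERY_VALUE = 'gravitysmtp-settings';

/**
 * Parse one combined-log-format line into its fields, or return null
 * if the line does not look like a request line.
 */
function parse_combined_log_line(string $line): ?array
{
    $pattern = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<target>\S+) \S+" (?<status>\d{3}) (?<bytes>\S+)/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    $parts = parse_url($m['target']);
    $query = [];
    if (!empty($parts['query'])) {
        parse_str($parts['query'], $query);
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $parts['path'] ?? $m['target'],
        'query'  => $query,
        'status' => (int) $m['status'],
        'bytes'  => $m['bytes'] === '-' ? 0 : (int) $m['bytes'],
    ];
}

/**
 * Classify a parsed request: 'settings-report' when the full System Report
 * was requested, 'probe' for any other hit on the endpoint, null if unrelated.
 */
function classify_request(array $req): ?string
{
    if (rtrim($req['path'], '/') !== VULN_PATH) {
        return null;
    }
    $page = $req['query'][VULN_QUERY_PARAM] ?? null;
    return $page === VULN_QUERY_VALUE ? 'settings-report' : 'probe';
}

/**
 * Summarise endpoint hits per source IP. A 200 response with a large body on a
 * 'settings-report' request is the strongest sign the report was actually
 * served before the site was patched or shielded, so those are counted separately.
 */
function scan_log_lines(iterable $lines): array
{
    $summary = [];
    foreach ($lines as $line) {
        $req = parse_combined_log_line($line);
        if ($req === null) {
            continue;
        }
        $kind = classify_request($req);
        if ($kind === null) {
            continue;
        }
        $ip = $req['ip'];
        $summary[$ip] ??= [
            'probe' => 0, 'settings-report' => 0, 'served_200' => 0,
            'max_bytes' => 0, 'first_seen' => $req['time'],
        ];
        $summary[$ip][$kind]++;
        if ($kind === 'settings-report' && $req['status'] === 200) {
            $summary[$ip]['served_200']++;
        }
        $summary[$ip]['max_bytes'] = max($summary[$ip]['max_bytes'], $req['bytes']);
    }
    return $summary;
}

// Constructed sample lines. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
// documentation ranges; these are not the IPs listed by Wordfence.
$sample_log = [
    '203.0.113.7 - - [07/Jun/2026:03:14:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2026:03:14:25 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jun/2026:03:20:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.9 - - [07/Jun/2026:03:21:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"',
    '192.0.2.50 - - [07/Jun/2026:04:02:13 +0000] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    $lines = isset($argv[1]) ? new SplFileObject($argv[1]) : $sample_log;
    foreach (scan_log_lines($lines) as $ip => $s) {
        printf("%-15s probes=%d report-requests=%d served-200=%d max-bytes=%d first-seen=%s\n",
            $ip, $s['probe'], $s['settings-report'], $s['served_200'], $s['max_bytes'], $s['first_seen']);
    }
}
```

On the sample data the script reports 203.0.113.7 with one probe and one settings-report request served with a 200 and a 373760-byte body, which is the case that should trigger credential rotation; 198.51.100.9 asked for the report but received a 403, which is what a firewall block looks like in the log. The third address never touched the endpoint and is not reported. Point the script at the real access log and treat any served-200 entry as confirmation that the System Report left the server.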
What developers should learn from this
This bug is a reminder that REST API endpoints must never expose sensitive data without real access control. A permission callback that always returns true is essentially an open door. Production endpoints should verify the request properly, keep secrets out of unauthenticated responses, and avoid shipping test or mock data endpoints that can leak internal state. The NVD description makes it clear that this flaw was caused by that exact kind of access control failure.
Good plugin security is not only about patching after the fact. It is about designing endpoints so that a single mistake cannot reveal the whole system report. That means tighter permission checks, careful handling of sensitive fields, and fewer secrets stored where a public endpoint can reach them.
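To make the design point concrete, here is an added example of the mistake the advisories describe next to a hardened registration. It is illustrative code written for this article, not Gravity SMTP's own code; the route namespace, option name and every function prefixed example_ are hypothetical, while register_rest_route, __return_true, current_user_can, rest_authorization_required_code and rest_ensure_response are real WordPress APIs.

```php
<?php
// Added example, not code from Gravity SMTP. Shows a REST route whose
// permission callback always returns true beside a hardened version that
// requires an administrator and keeps credentials out of the response.
// Everything prefixed example_ is hypothetical.

// BEFORE: '__return_true' is WordPress's stock callback for public routes.
// Used on a handler that returns a system report, it is an open door:
// any unauthenticated GET request receives the full payload.
function example_register_report_route_open(): void
{
    register_rest_route('example-plugin/v1', '/system-report', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => '__return_true',
    ]);
}

// AFTER: require a logged-in administrator. The REST API only honours a
// cookie session when a valid nonce accompanies the request, so this check
// also blocks a logged-in browser being driven from another origin.
function example_register_report_route_hardened(): void
{
    register_rest_route('example-plugin/v1', '/system-report', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!current_user_can('manage_options')) {
                // 401 for anonymous callers, 403 for authenticated non-admins.
                return new WP_Error(
                    'rest_forbidden',
                    __('Sorry, you are not allowed to view the system report.', 'example-plugin'),
                    ['status' => rest_authorization_required_code()]
                );
            }
            return true;
        },
    ]);
}

// Hypothetical settings loader: one array of settings per mail integration.
function example_get_integration_settings(): array
{
    return (array) get_option('example_plugin_integrations', []);
}

// Replace credential-bearing fields with a marker before anything is serialised,
// so even an administrator's report never echoes a stored key or token.
function example_redact_secrets(array $settings): array
{
    $sensitive = ['api_key', 'secret_key', 'access_token', 'refresh_token', 'client_secret', 'password'];
    foreach ($settings as $key => $value) {
        if (in_array($key, $sensitive, true)) {
            $settings[$key] = ($value === '' || $value === null) ? '(not set)' : '[redacted]';
        }
    }
    return $settings;
}

// The handler reports which integrations are configured, not their secrets.
// Defence in depth: the permission callback is the first line, redaction the second.
function example_build_system_report(WP_REST_Request $request): WP_REST_Response
{
    $report = [
        'wordpress_version' => get_bloginfo('version'),
        'php_version'       => PHP_VERSION,
        'integrations'      => array_map('example_redact_secrets', example_get_integration_settings()),
    ];
    return rest_ensure_response($report);
}

add_action('rest_api_init', 'example_register_report_route_hardened');
```

The two changes are independent and both matter: the permission callback decides who may call the endpoint at all, and the redaction step makes sure that a future mistake in the callback, or a legitimate administrator sharing a report for support purposes, cannot leak live API keys or OAuth tokens. A diagnostics endpoint also has no business shipping under a "tests" or "mock-data" path in a production build; if it must exist, it should be registered only when a debug constant is set.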
Why this belongs in every WordPress security playbook
This case is a textbook example of information disclosure turning into a bigger incident. A public endpoint exposed the kind of data that helps attackers understand the site, its stack, and its connected email services. Wordfence’s incident response guidance is simple and practical: update, review logs, and rotate any affected credentials. NVD and Gravity Forms both confirm the vulnerability and the patch path.
For site owners, the lesson is not to panic. It is to act fast. Patch first, inspect second, rotate third, and then harden the site so the same kind of issue is less likely to hurt you again.
Conclusion
Gravity SMTP CVE-2026-4020 shows how a medium severity bug can still create serious exposure when the leaked data includes real credentials and a full system report. Wordfence reports more than 17 million blocked exploit attempts, and the official advisories all point to the same response: update to 2.1.5, review logs, and rotate any potentially exposed secrets.
For site owners, this is a reminder that plugin security is not a background task. It is part of keeping the business running safely. For developers, it is a reminder that one open endpoint can undo a lot of good work.
Official References and Further Reading
Wordfence Security Advisory: Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin
NIST National Vulnerability Database: CVE-2026-4020 Detail
Gravity SMTP Plugin Changelog: Version 2.1.5 Release Notes on WordPress.org
WordPress REST API Security Documentation: WordPress Developer Handbook: Permission Callbacks
MITRE CVE Database: CVE-2026-4020 Entry