CVE-2026-4020: Gravity SMTP Flaw Exposes 100K WordPress Sites
Threat actors are actively exploiting a critical security flaw in the widely used Gravity SMTP WordPress plugin to extract sensitive configuration data, including API keys and authentication tokens.
The vulnerability, tracked as CVE-2026-4020 with a CVSS score of 5.3, affects all versions up to and including 2.1.4 and exposes more than 100,000 websites to potential compromise.
The issue stems from an improperly secured REST API endpoint, /wp-json/gravitysmtp/v1/tests/mock-data, which lacks authentication checks because its permission_callback always returns true.
Gravity SMTP Vulnerability
This misconfiguration allows unauthenticated attackers to invoke the endpoint and retrieve a comprehensive system report by appending the query parameter ?page=gravitysmtp-settings.
The response returns approximately 365 KB of JSON data, exposing sensitive environment details such as PHP version, active plugins, database configuration, and, most critically, API credentials for third-party email services.
Wordfence revealed that the exposed data may include OAuth tokens and API keys for services such as Amazon SES, Google, Mailjet, Zoho, and Resend.
This enables attackers to hijack email functionality, impersonate legitimate domains, or pivot further into targeted attacks using reconnaissance data gathered from the exposed system report.
The vulnerability was responsibly disclosed on March 30, 2026, after the vendor released a patched version, 2.1.5, on March 17, 2026. Despite its moderate CVSS rating, exploitation has surged significantly in recent weeks.
According to Wordfence telemetry, the firewall has blocked more than 17 million attack attempts to date.
The most intense activity occurred between June 7 and June 11, 2026, with a peak of over 4 million blocked requests recorded on June 7 alone.
The attack requires only a single unauthenticated HTTP GET request, making it trivial to exploit at scale and highly attractive for automated scanning campaigns.
In response to active exploitation, Wordfence deployed firewall protections to premium users on May 5, 2026, and to free users on June 4, 2026, outside the standard disclosure workflow, after researchers observed real-world attack activity escalating beyond the initial severity assessment.
Indicators of Compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| URL Path | /wp-json/gravitysmtp/v1/tests/mock-data | Vulnerable REST API endpoint |
| Full URL | /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings | Exploit request to dump credentials |
| IP Address | 45[.]148[.]10[.]95 | 642,000+ blocked attempts |
| IP Address | 193[.]32[.]162[.]60 | 586,000+ blocked attempts |
| IP Address | 176[.]65[.]148[.]139 | 539,000+ blocked attempts |
| IP Address | 173[.]199[.]90[.]188 | 460,000+ blocked attempts |
| HTTP Method | GET | Method used in exploitation |
| Affected Versions | <= 2.1.4 | Vulnerable to unauthenticated data theft |
| Patched Version | 2.1.5 | Closes the information exposure |
Mitigation
Security experts strongly advise administrators to update to Gravity SMTP version 2.1.5 or later immediately. Because the vulnerability does not modify files or inject payloads, traces of compromise may exist only in web server access logs, making proactive log review critical.
Any exposed API keys, secrets, or OAuth tokens should be considered compromised and rotated without delay. Organizations should also monitor logs for anomalous requests to the vulnerable endpoint and restrict unauthorized REST API access at the perimeter level.
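One way to carry out that log review, as an added example that is not from the article or from Wordfence: a small Python script that scans access logs in the common combined format for GET requests to the vulnerable endpoint (normalising percent-encoding so obfuscated variants are not missed), then separates responses that likely succeeded (2xx) from those the server or firewall blocked. The log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined format); addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:12:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"
203.0.113.7 - - [07/Jun/2026:10:12:03 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock%2Ddata?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "curl/8.4.0"
198.51.100.9 - - [07/Jun/2026:10:13:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.5 - - [07/Jun/2026:10:15:00 +0000] "GET /wp-json/wp/v2/posts?per_page=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [07/Jun/2026:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line: client IP, timestamp, request line, status and response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"  # endpoint named in the advisory


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_request(entry):
    # Decode percent-encoding and drop a trailing slash so encoded or padded variants still match.
    path = unquote(urlsplit(entry["target"]).path).rstrip("/")
    return entry["method"] == "GET" and path == VULN_PATH


def scan(log_text):
    """Return the parsed entries that hit the vulnerable endpoint."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and is_exploit_request(e)]


def summarize(hits):
    # A 2xx answer (typically a large body, ~365 KB per the advisory) means the report was served;
    # 401/403 means the request was refused, e.g. by a firewall rule.
    return {
        "by_ip": Counter(h["ip"] for h in hits),
        "likely_success": [h for h in hits if h["status"].startswith("2")],
        "blocked": [h for h in hits if h["status"] in ("401", "403")],
    }


if __name__ == "__main__":
    report = summarize(scan(SAMPLE_LOG))
    print("requests per source:", dict(report["by_ip"]))
    print("likely successful dumps:", len(report["likely_success"]), "blocked:", len(report["blocked"]))
```

Any source with a 2xx hit should be treated as having obtained the system report, which is the trigger for rotating the credentials mentioned above.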
This incident underscores how seemingly low-severity vulnerabilities can escalate into high-impact threats when sensitive credentials are exposed, particularly on widely deployed platforms like WordPress.