Threat actors are taking advantage of a recently patched security flaw affecting Gravity SMTP, a WordPress plugin installed on approximately 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that could allow unauthenticated attackers to extract sensitive data such as configuration details, API keys, secrets, and OAuth tokens used for the plugin’s email integrations.
“This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that returns unconditional true, allowing any unauthenticated visitor to use it,” said Wordfence.
“When the ?page=gravitysmtp-settings query parameter is added, the plugin’s register_connector_data() method populates the internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full system report.”
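The pattern Wordfence describes is a REST route whose permission_callback never denies anyone. The PHP below is an added illustration of that shape beside its hardened form; it is not Gravity SMTP’s actual code. The route path and the ?page=gravitysmtp-settings trigger come from the write-up, while the function names and the stub handler are assumptions made for the example.

```php
<?php
// Added illustration, not the plugin's own code. Route path and trigger
// parameter come from the Wordfence write-up; function names are assumed.

// Stand-in for the real handler: what it returns is out of scope here, this
// only marks where a request lands once the permission check has passed.
function example_mock_data_handler( WP_REST_Request $request ) {
    return rest_ensure_response( [ 'note' => 'diagnostic report would be built here' ] );
}

// VULNERABLE shape: '__return_true' as the permission_callback means every
// visitor, logged in or not, may call the route. Whatever the handler
// collects (system report, configured API keys) is therefore public.
function example_register_vulnerable_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => '__return_true',
    ] );
}

// HARDENED shape: gate the route on a capability. A diagnostic endpoint that
// can emit secrets should be administrator-only. current_user_can() fails for
// anonymous visitors and for cookie-based requests without a valid REST nonce,
// since WordPress treats those as user 0.
function example_register_hardened_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ] );
}

// Hook only the hardened registration. Hooking the vulnerable function instead
// reproduces the unauthenticated exposure described above.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

When the callback returns false, WordPress answers 401 for anonymous requests and 403 for authenticated users who lack the capability, so the probe described in the article no longer receives the report. The capability check is the fix for the unauthenticated exposure; a diagnostic endpoint that returns live provider credentials is still worth redacting even for administrators.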
As a result, an unauthenticated attacker can weaponize the issue and obtain a wide range of information, including –
- PHP version
- Loaded PHP extensions
- Web server version
- Document root path
- Database server type and version
- WordPress version
- All active plugins with versions
- Active theme
- WordPress configuration details
- Database table names
- API keys and tokens configured in the plugin for providers such as Amazon SES, Google, Mailjet, Resend, and Zoho
An attacker can use the exposed credentials to send email on behalf of the site, and the detailed picture of the site’s software stack to plan follow-on attacks.
“As with all sensitive information vulnerabilities, the impact depends on what data is exposed,” Wordfence said. “In this case, the exposure of live third-party API credentials means an attacker can abuse the email services connected to the site, while the detailed system report significantly reduces the effort required to plan further attacks against the site.”
A patch for the vulnerability was released in version 2.1.5 of the plugin. The flaw is already being exploited in the wild: attackers send unauthenticated HTTP GET requests to the REST API endpoint with the “?page=gravitysmtp-settings” query parameter, and the server returns the full system report without any authentication.
Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date. Activity began in early May 2026 and increased dramatically around June 6, 2026, peaking a day later at more than 4,000,000 requests in a single day. The exploit attempts originated from the following IP addresses –
- 45.148.10.95
- 193.32.162.60
- 176.65.148.139
- 173.199.90.188
- 45.148.10.120
- 185.8.107.155
- 185.8.106.37
- 185.8.106.92
- 185.8.106.145
- 176.65.148.30
Site owners running a vulnerable version of Gravity SMTP with a third-party email integration configured should assume those credentials are compromised: update the plugin to the latest version as soon as possible, then rotate the credentials once the patched version is in place, since keys rotated on an unpatched site can simply be harvested again. It is also advisable to review server log files for requests to the API endpoint, starting with the IP addresses listed above.
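The log review recommended above can be automated. The PHP CLI script below is an added example, not code from Wordfence or the plugin: it scans Apache/nginx combined-format access log lines for requests to the vulnerable route, flags the ?page=gravitysmtp-settings trigger, marks source IPs that appear in the list above, and uses the ~365 KB report size from the write-up as a heuristic for whether the full report was likely served. The sample log lines at the bottom are constructed for the example, and the 300,000-byte threshold is an assumption.

```php
<?php
// Added example (not Wordfence's or the plugin's code): stand-alone PHP CLI
// scanner for combined-format access logs. Usage: php scan.php access.log
// With no argument it runs over the constructed sample lines at the bottom.

const REST_ROUTE    = '/gravitysmtp/v1/tests/mock-data';
const TRIGGER_VALUE = 'gravitysmtp-settings';
// Heuristic threshold (assumption): a body this large is consistent with the
// ~365 KB system report described by Wordfence.
const LARGE_BODY_BYTES = 300000;

// Source IPs listed in the article.
const IOC_IPS = [
    '45.148.10.95', '193.32.162.60', '176.65.148.139', '173.199.90.188',
    '45.148.10.120', '185.8.107.155', '185.8.106.37', '185.8.106.92',
    '185.8.106.145', '176.65.148.30',
];

// Parse one combined-format line: ip - user [time] "METHOD target HTTP/x" status bytes ...
function parse_access_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $parts = parse_url( $m[4] );
    $query = [];
    if ( ! empty( $parts['query'] ) ) {
        parse_str( $parts['query'], $query );
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts['path'] ?? $m[4],
        'query'  => $query,
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

// Decide whether a parsed request targets the vulnerable route, either via the
// pretty /wp-json/ path or the ?rest_route= form used on sites without permalinks.
function classify_request( array $req ): ?array {
    $rest_route = rtrim( (string) ( $req['query']['rest_route'] ?? '' ), '/' );
    $path       = rtrim( $req['path'], '/' );
    if ( $path !== '/wp-json' . REST_ROUTE && $rest_route !== REST_ROUTE ) {
        return null;
    }
    $triggered = ( $req['query']['page'] ?? '' ) === TRIGGER_VALUE;
    return [
        'ip'          => $req['ip'],
        'time'        => $req['time'],
        'status'      => $req['status'],
        'bytes'       => $req['bytes'],
        'triggered'   => $triggered,
        // Access logs do not record response bodies, so this is the closest the
        // log gets to "the report was served": trigger present, 200, large body.
        'likely_leak' => $triggered && $req['status'] === 200 && $req['bytes'] >= LARGE_BODY_BYTES,
        'known_ioc'   => in_array( $req['ip'], IOC_IPS, true ),
    ];
}

function scan_log( iterable $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $req = parse_access_log_line( trim( (string) $line ) );
        if ( $req === null ) {
            continue;
        }
        $hit = classify_request( $req );
        if ( $hit !== null ) {
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Constructed sample lines (not real log data). Line 1: listed IOC, trigger
// parameter, 200 with a report-sized body. Line 2: the same probe against a
// patched site, rejected with 401. Line 3: unrelated REST traffic, ignored.
$sample = [
    '45.148.10.95 - - [06/Jun/2026:10:12:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jun/2026:03:44:19 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 113 "-" "curl/8.5.0"',
    '198.51.100.4 - - [08/Jun/2026:03:45:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
foreach ( scan_log( $lines ) as $hit ) {
    printf( "%s %-16s status=%d bytes=%d trigger=%s likely_leak=%s known_ioc=%s\n",
        $hit['time'], $hit['ip'], $hit['status'], $hit['bytes'],
        $hit['triggered'] ? 'yes' : 'no',
        $hit['likely_leak'] ? 'YES' : 'no',
        $hit['known_ioc'] ? 'yes' : 'no' );
}
```

Treat the IP list as a starting point rather than a filter: the scanner reports every request to the route, because a hit from an unlisted address with the trigger parameter and a report-sized 200 response is just as strong a reason to rotate the provider credentials. Requests rejected with 401 after the update to 2.1.5 confirm the patch is doing its job but still show that the site was being probed.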