Threat actors are actively exploiting a recently patched security vulnerability in Gravity SMTP, a WordPress plugin installed on approximately 100,000 websites worldwide. The flaw, tracked as CVE-2026-4020 and assigned a CVSS score of 5.3, has been classified as a medium-severity information disclosure vulnerability. Security researchers warn that the issue can enable unauthenticated attackers to access sensitive information, including configuration details, API keys, secrets, and OAuth tokens associated with the plugin’s email service integrations. The vulnerability has raised concerns due to the potential exposure of critical credentials that could be misused to compromise email services connected to affected websites.
According to Wordfence, the vulnerability stems from a REST API endpoint located at “/wp-json/gravitysmtp/v1/tests/mock-data” whose permission callback is configured to always return a positive response. As a result, any visitor can access the endpoint without authentication. Researchers explained that when the query parameter “?page=gravitysmtp-settings” is added to a request, the plugin’s register_connector_data() method loads internal connector information and generates a detailed system report. This report, which can exceed 365 KB of JSON data, may reveal extensive information about the affected website and its hosting environment. The exposed data can include the PHP version in use, installed extensions, web server details, document root paths, database server type and version, WordPress version, active plugins and their versions, active themes, WordPress configuration settings, database table names, and other operational details. More critically, the report may also contain API keys and authentication tokens configured for third-party email providers such as Amazon SES, Google, Mailjet, Resend, and Zoho. The availability of this information significantly increases the risk to affected organizations because attackers can gain insight into both the website’s infrastructure and the external services connected to it.
Security experts noted that the impact of the vulnerability depends largely on the nature of the information exposed. In this case, the disclosure of active API credentials could allow malicious actors to misuse connected email services to send messages on behalf of affected websites. At the same time, access to detailed system information can help attackers identify additional weaknesses and plan further intrusion attempts. Wordfence stated that the extensive system report lowers the effort required for threat actors to map an organization’s software environment and identify potential targets for future attacks. Such intelligence can become a valuable resource for conducting reconnaissance activities before launching more advanced exploitation efforts against vulnerable systems.
A security update addressing CVE-2026-4020 has been released in Gravity SMTP version 2.1.5. However, threat actors have already begun exploiting the flaw in the wild by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint while appending the “?page=gravitysmtp-settings” parameter. These requests cause affected servers to return sensitive information without requiring any login credentials. Wordfence reported that it has blocked more than 17 million exploitation attempts targeting the vulnerability. Monitoring data indicates that malicious activity began in early May 2026 and increased sharply around June 6, 2026, reaching more than four million requests within a single day. The exploitation attempts have been linked to several IP addresses, including 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30. Site owners using vulnerable versions of Gravity SMTP and relying on third-party email integrations are advised to update to version 2.1.5 immediately, rotate all exposed credentials, and review server logs for requests originating from the identified IP addresses or any unusual access to the affected API endpoint.
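The log review recommended above can be scripted. The following is an added example, not code from the article or from Wordfence: it parses Apache/nginx combined-format access log lines, flags every request to the mock-data endpoint, separates probes that carried the settings parameter from those that did not, and marks hits that most likely returned the full report (HTTP 200 with a large body) and hits from the source IPs the article lists. The combined log format and the 100 KB body threshold are assumptions; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators from the article: endpoint, report-triggering parameter, reported IPs.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
VULN_PARAM = ("page", "gravitysmtp-settings")
REPORTED_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}
# Assumption: the web server writes the Apache/nginx "combined" log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def classify(line):
    """One finding per access-log line that hit the endpoint; None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != VULN_PATH:
        return None
    size = m.group("size")
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "bytes": int(size) if size.isdigit() else 0,
        "settings_probe": VULN_PARAM[1] in parse_qs(url.query).get(VULN_PARAM[0], []),
        "known_ip": m.group("ip") in REPORTED_IPS,
    }

def scan(lines):
    """Return (all endpoint hits, hits that likely returned the report, hits per IP)."""
    hits = [f for f in map(classify, lines) if f]
    # A 200 on the settings probe with a large body means the report went out;
    # the 100 KB floor is an assumption (the article cites reports over 365 KB).
    leaked = [f for f in hits
              if f["settings_probe"] and f["status"] == 200 and f["bytes"] > 100_000]
    return hits, leaked, Counter(f["ip"] for f in hits)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '45.148.10.95 - - [06/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 374112 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2026:10:02:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 221 "-" "curl/8.4"',
    '198.51.100.9 - - [06/Jun/2026:10:03:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '185.8.106.37 - - [06/Jun/2026:10:04:19 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "python-requests/2.31"',
]
```

On the sample, `scan(SAMPLE_LOG)` reports three endpoint hits, one of which (the 374 KB response to 45.148.10.95) is a likely leak that should trigger credential rotation; a real run would feed the server's access log lines instead of SAMPLE_LOG.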