Gravity SMTP CVE-2026-4020 exploitation

Summary

CVE-2026-4020 is an unauthenticated sensitive-information-exposure flaw in the Gravity SMTP WordPress plugin. NVD describes the issue as a REST API endpoint, /wp-json/gravitysmtp/v1/tests/mock-data, whose permission callback returns true for unauthenticated visitors; adding ?page=gravitysmtp-settings can cause the endpoint to return the plugin's full System Report, including site configuration details and configured email-provider API keys or OAuth tokens.

The durable threat-intelligence value is active exploitation against a high-install WordPress email plugin. The Hacker News reported on 2026-06-20, citing Wordfence, that attackers were actively exploiting the flaw on a plugin installed on about 100,000 sites.

Why this matters

  • Gravity SMTP commonly stores credentials for outbound email integrations; disclosure can expose Amazon SES, Google, Mailjet, Resend, Zoho, and similar provider tokens.
  • Exposed mail-provider credentials can be abused for authenticated spam, phishing, business-email impersonation, and reputation damage from legitimate customer infrastructure.
  • The leaked System Report also gives attackers version, plugin, theme, path, database, and environment details that can support follow-on WordPress exploitation.
  • The flaw is unauthenticated and automatable, so defenders should treat exposed vulnerable sites as potential credential-disclosure incidents, not only as patch-management findings.

Operational characteristics

  • Affected product: Gravity SMTP WordPress plugin.
  • Affected versions: all versions up to and including 2.1.4, according to NVD.
  • Fixed version: Gravity SMTP 2.1.5 added security enhancements on 2026-03-25 according to the vendor changelog.
  • Vulnerable path: /wp-json/gravitysmtp/v1/tests/mock-data with ?page=gravitysmtp-settings.
  • Privilege requirement: unauthenticated remote attacker.
  • Exposed data described by NVD: PHP version, loaded extensions, web-server version, document root path, database type and version, WordPress version, active plugins and versions, active theme, WordPress configuration details, database table names, and configured plugin API keys or tokens.
  • Observed activity: The Hacker News reported active exploitation on 2026-06-20 and attributed the underlying exploitation telemetry to Wordfence.

Defender heuristics

  • Upgrade Gravity SMTP to 2.1.5 or later; if patching cannot be verified quickly, disable the plugin on internet-facing WordPress sites.
  • Search web access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially requests with page=gravitysmtp-settings; preserve relevant logs before cleanup.
  • Rotate credentials for all email providers configured in Gravity SMTP, including Amazon SES, Google, Mailjet, Resend, Zoho, SMTP passwords, OAuth grants, and any provider API keys shown in plugin settings.
  • Review provider-side mail logs for unusual sender identities, sending spikes, new API activity, unexpected OAuth use, and messages sent after the first suspected exposure.
  • Inventory exposed plugin, theme, WordPress, PHP, and database versions returned by the System Report and prioritize follow-on patching for any internet-reachable vulnerable components.
  • Hunt for chained WordPress compromise: new administrator users, changed plugin/theme files, unexpected scheduled tasks, modified .htaccess, suspicious PHP in uploads directories, and changes to wp-config.php.
  • Where exploitation is confirmed, treat the site as an incident: preserve web logs and database evidence, rotate WordPress and hosting credentials, and check whether leaked email credentials were reused in other systems.
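One way to run the access-log search from the heuristics above, as an added example that is not part of the original note nor of Wordfence's or the vendor's tooling. It parses combined-format web logs, summarises per source IP every request that reached the mock-data endpoint, and marks a 200 response to a request carrying page=gravitysmtp-settings as a likely disclosure; going beyond the note, it also matches the index.php?rest_route= form of the same endpoint that WordPress accepts when pretty permalinks are disabled. The log lines are constructed samples, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
# Same route reached through index.php?rest_route= on sites without pretty permalinks.
REST_ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Apache/nginx "combined" format: ip ident user [ts] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)

# Constructed sample lines (not real traffic): one source repeating the documented request
# by both URL forms, one rejected request without the page parameter, one unrelated REST call.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "python-requests/2.31"
203.0.113.10 - - [20/Jun/2026:03:14:09 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "python-requests/2.31"
198.51.100.7 - - [20/Jun/2026:03:20:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 77 "-" "curl/8.4.0"
192.0.2.55 - - [20/Jun/2026:03:21:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def targets_mock_data(target):
    """Return (hit, query): hit is True if the request reaches the endpoint by either URL form."""
    url = urlsplit(target)
    qs = parse_qs(url.query)
    if url.path.rstrip("/") == VULN_PATH:
        return True, qs
    return qs.get("rest_route", [""])[0].rstrip("/") == REST_ROUTE, qs


def hunt_mock_data(log_text):
    """Per-IP summary of endpoint activity. 'likely_disclosure' counts 200 responses to
    requests carrying page=gravitysmtp-settings, the trigger described for CVE-2026-4020."""
    per_ip = defaultdict(lambda: {"requests": 0, "likely_disclosure": 0, "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit, qs = targets_mock_data(m["target"])
        if not hit:
            continue
        rec = per_ip[m["ip"]]
        rec["requests"] += 1
        rec["first_seen"] = rec["first_seen"] or m["ts"]
        rec["last_seen"] = m["ts"]
        if m["status"] == "200" and qs.get("page") == ["gravitysmtp-settings"]:
            rec["likely_disclosure"] += 1
    return dict(per_ip)
```

Any IP with a non-zero likely_disclosure count should be treated as a credential-exposure event for that site, and its first_seen timestamp bounds the window for the provider-side mail-log review above.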

Sources

  • The Hacker News: https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-4020
  • Wordfence blog: https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/
  • Wordfence vulnerability record: https://www.wordfence.com/threat-intel/vulnerabilities/id/12a296db-ecc0-409b-8718-0c208504053a?source=cve
  • Gravity SMTP changelog: https://docs.gravitysmtp.com/gravity-smtp-changelog/