Hackers Exploit Gravity SMTP Plugin to Expose API Keys

Cybercriminals are actively exploiting a security vulnerability in the Gravity SMTP plugin for WordPress, which is installed on approximately 100,000 websites. This flaw, identified as CVE-2026-4020 with a CVSS score of 5.3, allows unauthenticated attackers to access sensitive information, including configuration data, API keys, secrets, and OAuth tokens used for the plugin’s email integrations.

The issue arises from a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data that lacks proper permission checks, permitting any visitor to access it. By appending the query parameter ?page=gravitysmtp-settings, attackers can trigger the plugin’s register_connector_data() method, resulting in the exposure of a comprehensive JSON system report. This report includes details such as PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, active plugins and themes, WordPress configuration details, database table names, and API keys or tokens configured in the plugin for services like Amazon SES, Google, Mailjet, Resend, and Zoho.

With access to this information, malicious actors can misuse the site’s email services and gain insights into the site’s software stack, potentially facilitating further attacks. The vulnerability has been addressed in version 2.1.5 of the Gravity SMTP plugin. However, attackers have been exploiting this flaw by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the specified query parameter, thereby retrieving valuable site information without authentication.

Security firm Wordfence has reported blocking over 17 million exploit attempts targeting CVE-2026-4020, with a significant surge in activity around June 6, 2026, reaching over 4 million requests in a single day. The exploit attempts have been traced back to several IP addresses, including 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30.

Website administrators using vulnerable versions of the Gravity SMTP plugin with third-party email integrations should assume their credentials may have been compromised. It is crucial to update the plugin to the latest version promptly and rotate all associated credentials. Additionally, reviewing server logs for requests from the aforementioned IP addresses to the API endpoint is recommended to identify any suspicious activity.
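The log review recommended above can be scripted. As an added example (not code from the article, Wordfence, or the plugin vendor), the following Python parses Apache/nginx combined-format access logs, flags every request to the vulnerable mock-data route (in the /wp-json/ form, and also via WordPress's ?rest_route= fallback, which the article does not mention), records whether the triggering page parameter was present and whether the response was HTTP 200, and cross-checks the client address against the IP list above. The sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Route and query parameter named in the advisory.
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
TRIGGER = ("page", "gravitysmtp-settings")
# Source addresses reported by Wordfence (taken from the article).
REPORTED_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}
# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def rest_route(target):
    """REST route of a request, via /wp-json/ or WordPress's ?rest_route= fallback."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    path = parts.path.rstrip("/")
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):], qs
    if "rest_route" in qs:
        return qs["rest_route"][0].rstrip("/"), qs
    return None, qs

def classify(line):
    """Return a finding for a request to the vulnerable route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, qs = rest_route(m.group("target"))
    if route != VULN_ROUTE:
        return None
    triggered = TRIGGER[1] in qs.get(TRIGGER[0], [])
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
        "triggered": triggered, "known_bad_ip": m.group("ip") in REPORTED_IPS,
        # An HTTP 200 on the triggering request means the system report was served.
        "likely_leaked": triggered and m.group("status") == "200",
    }

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '45.148.10.95 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2026:10:02:15 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 93 "-" "curl/8.5"',
    '198.51.100.4 - - [06/Jun/2026:10:03:44 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Any finding with likely_leaked set, whatever the source address, means the site's stored SMTP credentials should be treated as exposed and rotated; a 401 or 403 on the same request indicates the patched plugin (or a WAF) refused it.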

This incident underscores the importance of regular plugin updates and vigilant monitoring of website security. The exploitation of such vulnerabilities can lead to unauthorized access and misuse of sensitive data, highlighting the need for proactive security measures and prompt response to identified threats.