Cybercriminals are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin, which has over 100,000 installations, to access sensitive configuration data and live email credentials. This flaw, identified as CVE-2026-4020 with a medium severity rating of 5.3, affects all versions up to and including 2.1.4.
The issue resides in the plugin’s REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, which lacks proper authentication and capability checks. By appending the query parameter page=gravitysmtp-settings to a request, attackers can retrieve a comprehensive JSON “System Report.” This report includes details such as PHP version, web server information, database specifics, WordPress configuration, active theme, and a list of active plugins with their versions. Critically, it also exposes API keys, secrets, and OAuth tokens for email integrations with providers like Amazon SES, Google, Mailjet, Resend, and Zoho.
Exploitation is straightforward; an unauthenticated GET request to the vulnerable endpoint suffices to extract the data. This ease of access has led to widespread automated scanning and harvesting by attackers. Security firm Wordfence has reported over 17 million blocked attack attempts, with a significant surge between June 7 and 11, 2026, reaching several million requests per day. Additionally, CrowdSec identified at least 412 distinct attacking IPs between May 27 and June 1, 2026, primarily originating from cloud and hosting services.
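A defender-side log check, added here as an example and not part of the original article or the plugin's code: it parses combined-format web server access-log lines (the sample lines below are constructed, not real traffic) and flags the request pattern described above, so an administrator can tell whether a site was probed and whether any probe returned a 200 before the update to 2.1.5.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/Nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jun/2026:10:12:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "python-requests/2.31"
198.51.100.7 - - [08/Jun/2026:10:12:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jun/2026:10:13:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "python-requests/2.31"
192.0.2.55 - - [08/Jun/2026:10:15:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data/?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Route named in the advisory; the trailing slash is stripped before comparison.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }

def is_system_report_probe(rec):
    """True for the CVE-2026-4020 pattern: GET to the mock-data route with page=gravitysmtp-settings."""
    return (rec is not None and rec["method"] == "GET"
            and rec["path"].rstrip("/") == VULN_PATH
            and "gravitysmtp-settings" in rec["query"].get("page", []))

def scan_log(text):
    """Return (all matching requests, per-IP counts, requests the server answered with 200)."""
    hits = [r for r in (parse_line(l) for l in text.splitlines()) if is_system_report_probe(r)]
    per_ip = Counter(r["ip"] for r in hits)
    succeeded = [r for r in hits if r["status"] == 200]
    return hits, per_ip, succeeded
```

A 200 on a matching request from before the plugin was updated means the System Report, including any stored provider credentials, should be treated as disclosed and those credentials rotated.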
The plugin’s developers released a patched version, 2.1.5, on March 17, 2026. However, public disclosure of the vulnerability occurred on March 30, 2026, leaving many sites unprotected during the interim. Administrators are strongly advised to update to the latest version immediately to mitigate the risk of exploitation.
This incident underscores the critical importance of timely updates and vigilant monitoring of WordPress plugins. Vulnerabilities in widely used plugins can serve as gateways for attackers to compromise websites, emphasizing the need for proactive security measures and regular audits of installed plugins.