Gravity SMTP CVE-2026-4020 is no longer just a patched WordPress plugin bug. Attackers are now mass-scanning for sites that still run Gravity SMTP 2.1.4 or older, because one exposed REST endpoint can return email-service credentials and a detailed system report without requiring a login.[1]

The plugin is used to route WordPress mail through providers such as Amazon SES, Google, Mailjet, Resend, Zoho, and other SMTP/API integrations. Wordfence says the vulnerable endpoint is /wp-json/gravitysmtp/v1/tests/mock-data; when a request adds ?page=gravitysmtp-settings, the response can include roughly 365 KB of configuration data, including API keys, secrets, OAuth tokens, plugin versions, theme details, server information, database table names, and WordPress configuration clues.[1][2]
The severity score looks moderate at CVSS 5.3, but the operational risk is higher than that number suggests. A stolen mail credential can let an attacker send password-reset lures, abuse a trusted domain for phishing, burn a company’s email reputation, or use the site’s software inventory to plan the next step. This is close in spirit to recent WordPress abuse chains we covered in the OptinMonster supply-chain backdoor case and the SocGholish WordPress cleanup story: the first visible bug is only part of the incident response.
What site owners should check now
Affected scope: Gravity SMTP versions up to and including 2.1.4 are vulnerable. Version 2.1.5 is the patched release, and WPScan also lists the issue as fixed in 2.1.5.[2][5] Sites without Gravity SMTP are not affected by this CVE; sites that updated after exposure should still treat old email-provider keys as potentially leaked if the plugin was configured before patching.
Wordfence reported more than 17 million blocked exploit attempts, with the heaviest activity between June 7 and June 11, 2026; The Hacker News reported a spike of more than 4 million requests in one day and listed prolific source IPs such as 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, and 185.8.107.155.[1][3] BleepingComputer separately highlighted the endpoint and parameter as a practical indicator of compromise for web-server access logs.[4]
The immediate response is straightforward: update Gravity SMTP to 2.1.5 or newer, then rotate every mail credential that was configured in the plugin before the patch. Do not stop at the WordPress update screen. Revoke or regenerate API keys and OAuth tokens in the upstream email provider, review sender identities and SMTP/API activity, and look for unusual mail volume or new sending errors. If the site sits behind a WAF, add a temporary detection or block rule for unauthenticated requests to the mock-data endpoint while you confirm the patch state.
For triage, search access logs for /wp-json/gravitysmtp/v1/tests/mock-data, especially requests containing page=gravitysmtp-settings. Preserve suspicious hits with timestamp, source IP, user agent, status code, response size, and the hostname that received the request. If credentials were exposed, treat this like a real secret leak rather than a routine plugin update. The same logic applies to other exploited WordPress plugin incidents such as the Everest Forms Pro CVE-2026-3300 attacks: patching closes the door, but logs and downstream accounts tell you whether someone already walked through it.
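As an added triage example (not code from the advisories or the plugin), the following parser flags access-log hits on the mock-data route and records the fields listed above, marking a 200 response with a large body on the settings probe as a likely disclosure. It assumes the Apache/nginx combined log format with an optional leading virtual-host field, also matches the ?rest_route= form WordPress uses when pretty permalinks are off, and the 100 KB size threshold is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# REST route exposed by Gravity SMTP <= 2.1.4, from the advisories cited on this page
ROUTE = "/gravitysmtp/v1/tests/mock-data"
# Assumed threshold: a 200 with a body this large on the settings probe counts as a
# likely disclosure (the full report is described as roughly 365 KB)
LARGE_BODY = 100_000

# Apache/nginx "combined" format, optionally prefixed by the virtual host (assumed;
# many sites log %v / $host first). A vhost must start with a letter so IPs never match it.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>[A-Za-z][\w.\-]*) )?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def classify(line):
    """Return a triage record if the line targets the mock-data route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    # Pretty-permalink form /wp-json/<route>, or /?rest_route=<route> on plain permalinks
    hit = parts.path.rstrip("/").lower() == "/wp-json" + ROUTE or any(
        r.rstrip("/").lower() == ROUTE for r in qs.get("rest_route", []))
    if not hit:
        return None
    probe = "gravitysmtp-settings" in qs.get("page", [])
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {
        "timestamp": m.group("ts"), "source_ip": m.group("ip"),
        "host": m.group("vhost") or "", "user_agent": m.group("ua") or "",
        "status": int(m.group("status")), "response_size": size,
        "settings_probe": probe,
        "likely_disclosure": probe and m.group("status") == "200" and size > LARGE_BODY,
    }

def triage(lines):
    """Every hit on the route, in log order; preserve these records as evidence."""
    return [r for r in (classify(line) for line in lines) if r]

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:04:12:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:04:12:11 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 512 "-" "python-requests/2.31"
shop.example.com 198.51.100.23 - - [12/Jun/2026:09:00:01 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 96 "-" "curl/8.4.0"
"""
```

Run triage(SAMPLE_LOG.splitlines()) to see the three records; a patched site should answer the probe with a small 401/403 body, so the likely_disclosure flag separates pre-patch leaks from post-patch scanning noise.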
References
[1] Wordfence, “Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin,” June 17, 2026.
[2] Wordfence Intelligence, “Gravity SMTP <= 2.1.4 – Unauthenticated Sensitive Information Exposure via REST API,” CVE-2026-4020.
[3] The Hacker News, “Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys,” June 20, 2026.
[4] BleepingComputer, “Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin,” June 19, 2026.
[5] WPScan, “Gravity SMTP < 2.1.5 – Unauthenticated Sensitive Information Exposure via REST API,” last updated June 19, 2026.