Hackers Use Gravity SMTP WordPress Plugin Bug to Reveal API Keys

Threat actors are exploiting a recently disclosed security flaw affecting Gravity SMTP, a WordPress plugin installed on nearly 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that could allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin's email integrations.
“This is caused by a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that returns true unconditionally, allowing any unauthorized visitor to access it,” Wordfence said.
“When the ?page=gravitysmtp-settings query parameter is attached, the plugin’s register_connector_data() method populates the internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report.”
As a result, an unauthenticated attacker could exploit this vulnerability to retrieve a wide range of information, including –
- PHP version
- Loaded extensions
- Web server version
- Document root path
- Database server type and version
- WordPress version
- All active plugins and their versions
- Active theme
- WordPress configuration details
- Database table names
- API keys/tokens configured in the plugin, such as Amazon SES, Google, Mailjet, Resend, and Zoho
Attackers may use this exposure to harvest credentials that can be abused to send email on behalf of the site, as well as to obtain extensive information about the site's software stack, which may serve as a basis for subsequent attacks.
“As with all sensitive information disclosure risks, the impact depends on what data is exposed,” Wordfence added. “In this case, the exposure of the live details of the third-party API means that an attacker can abuse the connected email services of the site, while the detailed system report significantly reduces the effort required to plan additional attacks against the site.”
A patch for the vulnerability was released in version 2.1.5 of the plugin. Threat actors have already exploited the flaw by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the query parameter “?page=gravitysmtp-settings”, causing the server to return sensitive information about the site without requiring any authentication.
Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date. The first activity started in early May 2026 and peaked on June 6, 2026, with more than 4,000,000 requests recorded the following day. The exploit attempts originate from the following IP addresses –
Site owners running a vulnerable version of the Gravity SMTP plugin with a third-party email integration configured should assume the stored credentials have been exposed, update the plugin to the latest version as soon as possible, and then rotate the affected API keys, secrets, and tokens. It is also advised to review the server log files for requests from the IP addresses reported by Wordfence and for any other suspicious requests to the API endpoint.
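To support the log review described above, here is an added example (not code from the article or from Wordfence) that scans web-server access logs for requests to the vulnerable route and flags the ones that most likely returned the system report. It assumes the Apache/nginx "combined" log format and uses constructed sample lines with documentation IP ranges; the ~365 KB response size from the advisory is used as the success indicator.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log format (assumed; adapt the regex to your format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ROUTE = "/gravitysmtp/v1/tests/mock-data"   # vulnerable REST route named in the advisory
TRIGGER = "gravitysmtp-settings"             # ?page= value that makes it return the report
LARGE_BODY = 100_000   # a successful leak is ~365 KB of JSON; small 200s are probably empty

def classify(line):
    """Return details of a request to the vulnerable route, or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    qs = parse_qs(parts.query)
    # WordPress also serves REST routes via /?rest_route=..., so check both forms.
    route = qs.get("rest_route", [parts.path])[0]
    if not route.lower().rstrip("/").endswith(ROUTE):
        return None
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    triggered = qs.get("page", [""])[0] == TRIGGER
    return {
        "ip": m.group("ip"), "time": m.group("ts"), "status": status, "size": size,
        "triggered": triggered,
        # 200 + trigger parameter + large body: the system report most likely went out
        "likely_leaked": status == 200 and triggered and size >= LARGE_BODY,
    }

def scan(log_text):
    """Scan log text; return (all hits on the route, Counter of IPs that probably got the report)."""
    hits = [h for h in map(classify, log_text.splitlines()) if h]
    leaked = Counter(h["ip"] for h in hits if h["likely_leaked"])
    return hits, leaked

# Constructed sample log lines (documentation IP ranges, not real attacker addresses).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "curl/8.0"
203.0.113.10 - - [06/Jun/2026:10:01:05 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "curl/8.0"
198.51.100.7 - - [06/Jun/2026:10:02:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 2 "-" "python-requests/2.31"
192.0.2.44 - - [06/Jun/2026:10:03:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Jun/2026:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""
```

Run `scan(SAMPLE_LOG)` or `scan(open("access.log").read())`; any IP in the returned Counter most likely received the full report, which is the signal to rotate the configured email-service credentials.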