A critical security flaw, tracked as CVE-2026-4020, in the Gravity SMTP WordPress plugin has allowed unauthenticated attackers to extract sensitive API keys and system configuration data from an estimated 100,000 websites. Threat actors are actively exploiting this medium-severity vulnerability, prompting urgent updates and credential rotation for affected site administrators.
Widespread WordPress Plugin Flaw Under Active Exploitation
A significant information disclosure vulnerability within the Gravity SMTP WordPress plugin is currently being exploited by malicious actors, compromising sensitive data on numerous websites. This flaw, identified as CVE-2026-4020, enables unauthorized access to critical API keys and detailed system information without requiring any authentication.
Vulnerability Details and Active Exploitation Timeline
The vulnerability, rated with a CVSS score of 5.3, affects all versions of the Gravity SMTP plugin up to and including 2.1.4. Developed by Rocketgenius, the creators of Gravity Forms, Gravity SMTP is designed to enhance email deliverability for WordPress sites, integrating with various third-party email services. The core issue lies in an improperly secured REST API (Representational State Transfer Application Programming Interface) endpoint at /wp-json/gravitysmtp/v1/tests/mock-data. This endpoint's permission_callback function unconditionally returns true, allowing any unauthenticated visitor to access it. When a specific query parameter (?page=gravitysmtp-settings) is appended, the plugin's internal methods are triggered, causing the endpoint to return a comprehensive 365 KB JSON System Report. This report contains a wealth of sensitive information, including PHP and web server versions, WordPress configuration details, active plugins, database table names, and crucially, API keys and OAuth tokens for integrated email services like Amazon SES, Google, Mailjet, Resend, and Zoho.
Wordfence, a prominent WordPress security firm, publicly disclosed the vulnerability on March 30, 2026, following the vendor's release of a patch in version 2.1.5 on March 17, 2026. Despite the patch availability, active exploitation began in early May 2026. Wordfence reported blocking over 17 million exploitation attempts since then, with a significant spike of 4 million requests blocked on June 7, 2026. Security firm CrowdSec also noted a shift in exploitation to "Background Noise" by June 1, 2026, indicating routine automated attacks by 412 distinct IP addresses.
Immediate Actions and Broader Security Implications
The exposed data can be leveraged by attackers to send emails on behalf of the compromised site, potentially for phishing or spam campaigns. Furthermore, the detailed system report provides a reconnaissance roadmap, significantly lowering the effort required for follow-on attacks.
"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it." — Wordfence
Site administrators running Gravity SMTP versions 2.1.4 or older must update to version 2.1.5 immediately. Beyond patching, all API keys, secrets, and OAuth tokens configured within the plugin's email integrations should be considered compromised and rotated without delay. Reviewing server log files for suspicious requests to the vulnerable API endpoint is also highly recommended.
- Update promptly: Ensure Gravity SMTP is updated to version 2.1.5 or newer.
- Rotate credentials: All API keys, secrets, and OAuth tokens used with the plugin must be refreshed.
- Monitor logs: Scrutinize server logs for unauthorized access attempts to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint.
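As an added example (not from the advisory, Wordfence, or the plugin), a small Python scanner that applies the log review recommended above to combined-format Apache/nginx lines: it separates mere probes of the endpoint from requests that most likely returned the System Report, using the ~365 KB response size noted above as the tell. The log lines are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the vulnerable Gravity SMTP REST endpoint named in the advisory.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Combined log format (Apache/nginx): ip ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (not real traffic): two successful disclosures from one
# address, one probe answered by a patched site, and one unrelated REST request.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760
198.51.100.7 - - [07/Jun/2026:10:01:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 112
203.0.113.10 - - [07/Jun/2026:10:02:15 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760
192.0.2.44 - - [07/Jun/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120
"""

def scan_log(text, large_bytes=100_000):
    """Summarise hits on VULN_PATH. A probe counts as a likely disclosure when it
    carries page=gravitysmtp-settings, got HTTP 200 and a large body (the leaked
    report is about 365 KB); a patched site answers the same probe with a small
    401/403 response, which is why size and status are both checked."""
    probes, disclosures = [], []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        size = 0 if m.group("size") == "-" else int(m.group("size"))
        rec = {"ip": m.group("ip"), "time": m.group("time"),
               "status": int(m.group("status")), "size": size}
        probes.append(rec)
        if (parse_qs(url.query).get("page") == ["gravitysmtp-settings"]
                and rec["status"] == 200 and size >= large_bytes):
            disclosures.append(rec)
    return {"probes": len(probes),
            "probe_ips": sorted({r["ip"] for r in probes}),
            "disclosures": len(disclosures),
            "disclosure_ips": sorted({r["ip"] for r in disclosures})}

if __name__ == "__main__":
    for key, value in scan_log(SAMPLE_LOG).items():
        print(key, value)
```

Any address listed under disclosure_ips is one for which credential rotation is not optional, since the report it received contained the configured API keys and tokens.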
What This Means
This incident underscores the critical importance of robust security practices for WordPress plugin development and website administration. Even seemingly minor information disclosure flaws can escalate into significant security breaches when combined with improper access controls. Developers must adhere to WordPress security guidelines, especially when implementing REST API endpoints, ensuring proper authentication and authorization checks are always in place. For site owners, this serves as a stark reminder that proactive patching and diligent credential management are non-negotiable. The exposure of API keys, which act as digital gatekeepers, can lead to unauthorized control over integrated services, causing reputational damage and further security incidents. Organizations should implement API key best practices, including regular rotation, least privilege access, and secure storage, to mitigate such risks.
Key Points
- The Gravity SMTP WordPress plugin, installed on approximately 100,000 sites, contained a critical information disclosure vulnerability.
- CVE-2026-4020 allowed unauthenticated attackers to retrieve API keys and extensive system configuration data.
- The flaw stemmed from an unsecured REST API endpoint that unconditionally returned sensitive data when queried.
The Bottom Line
The active exploitation of the Gravity SMTP vulnerability highlights the ongoing threat posed by unpatched software and insecure API implementations. Website administrators must prioritize updating their plugins and immediately rotating any exposed API keys to prevent further compromise. Continuous vigilance and adherence to security best practices are essential to safeguard digital assets in an increasingly complex threat landscape.
