VYPR
kev · Published Jun 17, 2026 · 1 source

Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin

Over 17 million exploit attempts have been blocked targeting CVE-2026-4020, a sensitive information exposure flaw in the Gravity SMTP WordPress plugin that leaks API keys and OAuth tokens.

Attackers are actively exploiting a sensitive information exposure vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020, with Wordfence reporting over 17 million blocked exploit attempts since the flaw was disclosed. The vulnerability affects all versions up to and including 2.1.4 of the plugin, which has an estimated 100,000 active installations. A fully patched version, 2.1.5, was released by the vendor on March 17, 2026, but many sites remain unpatched, leaving them exposed to ongoing attacks.

The root cause lies in a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, so any unauthenticated visitor can call it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the full System Report. This report includes the PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, the active theme, WordPress configuration details, database table names and, critically, any API keys, secrets, and OAuth tokens configured for the plugin's email integrations.
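The registration pattern described above, as an added example that is not the Gravity SMTP plugin's own code: the weak form with a permission callback that always returns true, beside a hardened form that requires an administrator capability and redacts credential-like values before the diagnostic report leaves the server. The namespace and route path are taken from the advisory; the handler and helper names, and the settings keys in the sample report, are hypothetical.

```php
<?php
// Added example (not the plugin's code). Route namespace/path come from the
// advisory; function names and report contents are hypothetical.

// WEAK: permission_callback unconditionally returns true, so any visitor,
// logged in or not, reaches the handler and receives its full response.
function example_register_mock_data_route_weak() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => '__return_true', // the flaw: no authorization at all
    ) );
}

// HARDENED: WordPress evaluates permission_callback before the handler runs and
// answers 401 (anonymous) or 403 (logged in, insufficient rights) on failure.
function example_register_mock_data_route_hardened() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view diagnostic data.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Handler: even for an authorized caller, a diagnostic dump should not echo
// stored secrets. The report below is constructed for the example.
function example_mock_data_handler( WP_REST_Request $request ) {
    $report = array(
        'php_version' => PHP_VERSION,
        'connectors'  => array(
            'example_provider' => array(
                'api_key'     => 'constructed-sample-value',
                'oauth_token' => 'constructed-sample-value',
            ),
        ),
    );
    return rest_ensure_response( example_redact_secrets( $report ) );
}

// Recursively replace any value whose key looks like a credential.
function example_redact_secrets( array $data ) {
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            $data[ $key ] = example_redact_secrets( $value );
        } elseif ( preg_match( '/(key|secret|token|password)/i', (string) $key ) ) {
            $data[ $key ] = '[redacted]';
        }
    }
    return $data;
}

// Only the hardened registration is hooked; the weak one is shown for contrast.
add_action( 'rest_api_init', 'example_register_mock_data_route_hardened' );
```

The two changes are independent: the capability check closes the unauthenticated path, and redaction limits what an authorized but over-broad diagnostic endpoint can leak. A code review of any REST route should treat `'permission_callback' => '__return_true'` as acceptable only for data that is genuinely public.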

The exposed credentials include those for services such as Amazon SES, Google, Mailjet, Resend, and Zoho, which could allow attackers to send email on behalf of the compromised site. Additionally, the detailed system reconnaissance data lowers the barrier for attackers to identify and exploit other vulnerabilities on the same site. The vulnerability was discovered by researcher Osvaldo Noe Gonzalez Del Rio (Os) and carries a CVSS score of 5.3 (Medium), though the active exploitation and credential exposure elevate its real-world risk.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against exploits targeting this vulnerability on May 5, 2026. Sites using the free version of Wordfence received the same protection 30 days later on June 4, 2026. Notably, the firewall rule was not added as part of the standard vulnerability disclosure process because the initial severity assessment was under the threshold for creating a rule. However, after receiving reports of active exploitation, Wordfence implemented the rule immediately.

Wordfence urges all users to update to Gravity SMTP version 2.1.5 as soon as possible. The plugin is a popular choice for WordPress sites that need reliable SMTP email delivery, and the exposure of API keys and OAuth tokens could lead to further compromise of email services and associated accounts. This incident underscores the importance of promptly applying security patches, even for vulnerabilities initially rated as medium severity, as attackers may still weaponize them at scale.
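For a site that cannot update immediately, the following must-use plugin is an added example (not Wordfence's firewall rule and not Gravity SMTP code) of an interim block: it denies unauthenticated requests to the advisory's route before the plugin's handler runs and writes a log line so attempts can be counted. The route prefix is from the advisory; the plugin header text and log format are assumptions.

```php
<?php
/**
 * Plugin Name: Example interim block for gravitysmtp/v1/tests/mock-data
 * Description: Added example, not vendor code. Place in wp-content/mu-plugins/
 * so it loads on every request; remove once the site runs Gravity SMTP 2.1.5.
 */

// rest_pre_dispatch runs before any REST route callback is dispatched.
// Returning a WP_Error short-circuits the request, so the vulnerable handler
// (and its register_connector_data() population) never executes.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route(); // e.g. "/gravitysmtp/v1/tests/mock-data"

    if ( 0 === strpos( $route, '/gravitysmtp/v1/tests/' ) && ! current_user_can( 'manage_options' ) ) {
        // Record the attempt (route and source address only, never the body).
        error_log( sprintf(
            'interim-block: denied unauthenticated request to %s from %s',
            $route,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );

        return new WP_Error(
            'rest_forbidden',
            'This endpoint requires administrator access.',
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $result;
}, 10, 3 );
```

Blocking the route is only half of the response: because the report exposes the API keys and OAuth tokens configured for the plugin's email integrations, any site that was reachable while running 2.1.4 or earlier should treat those credentials as exposed and rotate them at the provider after updating, not just patch the plugin.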

Synthesized by Vypr AI