Hackers Exploit Gravity SMTP WordPress Plugin Flaw to Steal Email Credentials


Hackers are actively exploiting a Gravity SMTP WordPress plugin vulnerability that can expose sensitive site configuration data and email service credentials. The flaw is tracked as CVE-2026-4020 and affects Gravity SMTP versions up to and including 2.1.4, according to the Wordfence vulnerability record.

The issue is serious because attackers do not need a WordPress account to exploit it. A single unauthenticated request to a vulnerable REST API endpoint can return a large system report that may include API keys, OAuth tokens, SMTP secrets, plugin versions, server details, and database information.

Gravity SMTP version 2.1.5 fixes the issue. Site owners running older versions should update immediately, rotate email provider credentials, and review access logs for requests to the vulnerable endpoint.

What CVE-2026-4020 exposes

The vulnerability affects a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data. When the request includes the page=gravitysmtp-settings query parameter, vulnerable versions can return a full Gravity SMTP system report without checking whether the visitor has permission to view it.

The NVD entry for CVE-2026-4020 describes the issue as sensitive information exposure caused by a permission callback that returns true. That means the endpoint can be reached by unauthenticated visitors when the vulnerable code is present.

The data returned can help attackers in two ways. It can reveal email integration secrets that may allow abuse of legitimate sending services, and it can provide detailed reconnaissance for future attacks against the same WordPress site.

Exposed data type                    | Why attackers want it
-------------------------------------|------------------------------------------------------------
Email API keys and OAuth tokens      | Can be abused to send email through trusted accounts
SMTP credentials                     | Can expose third-party mail services and sender identity
WordPress version and configuration  | Helps attackers profile the site
Active plugin list and versions      | Helps attackers find additional vulnerable components
PHP, database, and web server details| Improves attacker reconnaissance
Database table names                 | Can support follow-on exploitation planning

Wordfence reports mass exploitation

Wordfence says its firewall has blocked more than 17 million exploit attempts targeting CVE-2026-4020. The company reported a major spike between June 7 and June 11, 2026, with several million blocked attempts per day.

The largest single-day spike came on June 7, when Wordfence said it blocked more than 4 million attempts. The volume suggests broad automated scanning rather than isolated manual exploitation.

The attack is easy to automate because the vulnerable endpoint can be queried with a simple GET request. Attackers can scan many sites quickly and collect exposed system reports from any installation that still runs Gravity SMTP 2.1.4 or earlier.

  • Exploitation requires no WordPress login.
  • The vulnerable endpoint is predictable and easy to scan.
  • The response may include live email provider credentials.
  • Compromise may leave no visible change on the site.
  • Credential rotation is necessary after patching if secrets may have been exposed.

CrowdSec also saw in-the-wild attacks

CrowdSec said it began seeing in-the-wild exploitation on May 27, 2026. By June 1, it had observed 412 distinct attacking IP addresses targeting the vulnerability.

The company described the activity as background noise, meaning the exploit had moved beyond limited probing and into wider internet scanning. That matters because once a WordPress plugin bug reaches that stage, new IPs and bot infrastructure can join quickly.

Admins should not rely only on published IP lists. Known attacking addresses are useful for log review, but the endpoint path and request pattern provide stronger detection value than a static blocklist.

Source    | Observed activity
----------|--------------------------------------------------------
Wordfence | More than 17 million blocked exploit attempts
Wordfence | Largest reported spike on June 7, 2026
CrowdSec  | First observed exploitation on May 27, 2026
CrowdSec  | 412 distinct attacking IPs seen by June 1, 2026
NVD       | CVE record published March 30, 2026

Gravity SMTP 2.1.5 contains the fix

The vendor released Gravity SMTP 2.1.5 with security enhancements. The Gravity SMTP 2.1.5 release post recommends updating as soon as possible to receive the latest protections and improvements.

Wordfence says the vendor released the fully patched version on March 17, 2026, while public disclosure followed on March 30, 2026. That timeline means sites that delayed updates had a long exposure window before the June exploitation surge.

The safest remediation is to update to Gravity SMTP 2.1.5 or later. Sites that use managed WordPress hosting should still confirm the installed plugin version because automatic updates may not cover every environment or license setup.

Why email credentials raise the risk

Gravity SMTP is designed to improve WordPress email delivery by connecting sites to SMTP and API-based email services. The Gravity SMTP product page lists support for providers such as Amazon SES, Brevo, Google/Gmail, Mailgun, Mailjet, Microsoft 365/Outlook, Postmark, Resend, SendGrid, SparkPost, Zoho Mail, and others.

If attackers obtain keys or OAuth tokens for those services, they may be able to send email through the victim’s legitimate mail infrastructure. That can enable phishing, spam, business email compromise attempts, or abuse of a trusted domain’s sender reputation.

The exposed system report can also reveal which other plugins are active and what versions they run. That gives attackers a ready-made map for finding additional vulnerabilities on the same site.

What site owners should check

Site owners should first check the installed Gravity SMTP version. Any site running 2.1.4 or earlier should be treated as exposed until reviewed and patched.

After updating, administrators should search access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data. Requests that include page=gravitysmtp-settings deserve immediate attention because they match the known exploit path.

The Wordfence exploitation report says large JSON responses from that endpoint can indicate that the system report was retrieved. Since the issue is read-only, attackers may leave no new admin user, modified file, or obvious visible change.
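As an added example (not code from the article, Wordfence or CrowdSec), the following Python script applies the log check described above to constructed sample lines in combined log format: it flags requests to the mock-data route, separates requests carrying page=gravitysmtp-settings from bare probes, and marks 200 responses larger than an assumed 10,000-byte threshold as likely exposure. It goes slightly beyond the text by also recognising the ?rest_route= form of the same REST route, which WordPress accepts on sites without pretty permalinks.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/gravitysmtp/v1/tests/mock-data"   # vulnerable Gravity SMTP REST route
LARGE_BODY = 10_000  # assumed byte threshold for a "large JSON response"; tune per site

# Combined log format (Apache/nginx). SAMPLE_LOG below is constructed: doc-range IPs, made-up sizes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
                    r' (?P<status>\d{3}) (?P<size>\d+|-)')
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2026:03:15:22 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 67 "-" "python-requests/2.31"
192.0.2.44 - - [08/Jun/2026:03:16:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "curl/8.0"
203.0.113.10 - - [08/Jun/2026:03:16:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""

def rest_route(target: str):
    """Return (route, query params) for a pretty /wp-json/ URL or the ?rest_route= fallback."""
    url = urlsplit(target)
    params = parse_qs(url.query)
    path = unquote(url.path)
    if path.startswith("/wp-json/"):
        return path[len("/wp-json"):].rstrip("/"), params
    return params.get("rest_route", [""])[0].rstrip("/"), params

def classify(line: str):
    """Return a finding dict for one log line, or None if the line is unrelated."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, params = rest_route(m["target"])
    if route != ROUTE:
        return None
    targeted = "gravitysmtp-settings" in params.get("page", [])
    status, size = int(m["status"]), (0 if m["size"] == "-" else int(m["size"]))
    if targeted and status == 200 and size >= LARGE_BODY:
        level = "likely-exposure"   # exploit path, success status and a large body
    elif targeted:
        level = "attempt"           # exploit path but blocked, errored or small reply
    else:
        level = "probe"             # endpoint touched without the settings parameter
    return {"ip": m["ip"], "ts": m["ts"], "status": status, "size": size, "level": level}

def scan(log_text: str):
    """Classify every line; unrelated lines are dropped."""
    return [f for f in map(classify, log_text.splitlines()) if f]

def ips_at(findings, level: str):
    """Distinct source IPs for one finding level, for follow-up or blocklists."""
    return sorted({f["ip"] for f in findings if f["level"] == level})
```

Feed real access, CDN or WAF logs through scan() and treat any likely-exposure hit as grounds to rotate every credential configured in Gravity SMTP.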

  • Update Gravity SMTP to version 2.1.5 or later.
  • Review web server access logs for the vulnerable REST API endpoint.
  • Look for requests containing page=gravitysmtp-settings.
  • Rotate all email API keys, SMTP passwords, secrets, and OAuth tokens used by Gravity SMTP.
  • Review mail provider logs for suspicious sending activity.
  • Check whether exposed plugin versions reveal other urgent vulnerabilities.

Credential rotation should come after patching

Credential rotation should happen after the plugin update, not before it. Rotating secrets while the vulnerable endpoint remains exposed can simply leak the new credentials if attackers scan the site again.

The Gravity SMTP vulnerability entry warns that configured API keys and tokens may be exposed through the system report. Because logs may not prove whether an attacker actually viewed every secret, affected sites should assume credentials were at risk.

[Chart: Most active IP addresses targeting the Gravity SMTP mock-data REST API endpoint]

Organizations should also review email provider dashboards for unusual sending patterns, new API use, new regions, failed login attempts, and unexpected quota spikes. If the same credentials were reused elsewhere, those systems should be reviewed as well.

Action                   | Priority | Reason
-------------------------|----------|------------------------------------------------------
Update Gravity SMTP      | Critical | Closes the exposed REST API behavior
Rotate email credentials | Critical | Old secrets may already have been harvested
Review access logs       | High     | Identifies likely exploitation attempts
Check mail provider logs | High     | Finds abuse of stolen sending credentials
Restrict endpoint access | Medium   | Adds temporary defense while patching is verified
Audit other plugins      | Medium   | Exposed plugin versions may support follow-on attacks

Why detection can be difficult

CVE-2026-4020 exposes data rather than directly changing files or creating users. That means a site may look normal even after attackers successfully retrieved sensitive configuration data.

The best evidence is likely in access logs, firewall logs, reverse proxy logs, or CDN logs. Site owners should preserve these records before log rotation removes them.

The CVE-2026-4020 record assigns the issue to CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. That classification matches the real-world risk: attackers may not need to break the site to steal information that helps them abuse it later.

Temporary hardening steps

Administrators can add a web application firewall rule to block unauthenticated requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially when the page=gravitysmtp-settings parameter is present. This should support patching, not replace it.

Sites can also restrict WordPress REST API access by path where business operations allow it. However, broad REST API blocking can break legitimate WordPress, plugin, or theme features, so changes should be tested before deployment.

The CrowdSec report shows why temporary blocks need regular updates. Attack sources can shift quickly once an exploit becomes part of automated scanning traffic.

  • Block unauthenticated requests to the vulnerable endpoint at the WAF or web server layer.
  • Use rate limits for suspicious REST API paths.
  • Review CDN and reverse proxy logs for matching requests.
  • Disable unused email integrations and delete old credentials.
  • Use least-privilege API keys where providers support scoped access.
  • Keep a written record of rotated keys and affected services.

What this means for WordPress security

The Gravity SMTP case shows why WordPress plugin security often depends on more than patching the core CMS. Plugins that store email credentials, API keys, payment tokens, CRM credentials, or cloud secrets can become high-value targets even when the main site appears unchanged.

It also shows why system reports and debugging endpoints need strict access checks. A troubleshooting feature that helps administrators can become a reconnaissance feed if it returns sensitive data to unauthenticated users.

The 2.1.5 security release and the vendor’s Gravity SMTP documentation make the next step clear for site owners: update the plugin, verify the installed version, rotate secrets, and monitor for misuse of exposed email services.

FAQ

What is CVE-2026-4020 in Gravity SMTP?

CVE-2026-4020 is a sensitive information exposure vulnerability in the Gravity SMTP WordPress plugin. It affects versions up to and including 2.1.4 and can allow unauthenticated visitors to retrieve a system report through a REST API endpoint.

Which Gravity SMTP versions are vulnerable?

Gravity SMTP versions up to and including 2.1.4 are vulnerable. Site owners should update to Gravity SMTP 2.1.5 or later.

What information can attackers access through this Gravity SMTP flaw?

Attackers may access a system report that includes WordPress configuration details, active plugins and versions, server information, database details, and any API keys, OAuth tokens, or SMTP secrets configured in Gravity SMTP.

How can I check whether my site was targeted?

Review web server, CDN, WAF, and reverse proxy logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially requests that include page=gravitysmtp-settings. Large JSON responses from that endpoint may indicate successful data exposure.

What should site owners do after updating Gravity SMTP?

After updating, site owners should rotate all email API keys, SMTP passwords, OAuth tokens, and other secrets used by Gravity SMTP. They should also review mail provider logs for suspicious sending activity and keep monitoring for REST API exploit attempts.

Readers help support VPNCentral. We may get a commission if you buy through our links.