Threat actors are actively exploiting a recently patched security flaw in Gravity SMTP, a WordPress plugin with approximately 100,000 active installations.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that allows unauthenticated attackers to extract sensitive data, including configuration details, API keys, secrets, and OAuth tokens configured for the plugin's email integrations. According to Wordfence, the issue stems from a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, granting access to any unauthenticated visitor. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report.
An unauthenticated attacker can exploit this issue to retrieve a wide range of information, including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and API keys or tokens configured in the plugin (e.g., Amazon SES, Google, Mailjet, Resend, Zoho).
Attackers could then leverage this exposure to harvest credentials, enabling them to send emails on behalf of the site, and gain extensive details of the site's software stack, facilitating follow-on attacks. As Wordfence notes, "as with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed. In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks."
A patch for the vulnerability has been released in version 2.1.5 of the plugin. Bad actors have already pounced on the defect by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the ?page=gravitysmtp-settings query parameter, causing the server to return valuable site information without requiring authentication.
Wordfence has blocked over 17 million exploit attempts targeting CVE-2026-4020 to date, with initial activity starting in early May 2026 and spiking dramatically around June 6, 2026, peaking at over 4,000,000 requests the following day. The exploit attempts have originated from IP addresses including 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30.
Site owners running a vulnerable version of Gravity SMTP with third-party email integrations should assume compromise, update the plugin to the latest version and then rotate the affected credentials, and review server logs for requests to the vulnerable endpoint, particularly from the IP addresses listed above.
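The log review suggested above, as an added example that is neither Wordfence's nor the plugin's code: a small scanner over web-server access logs that flags requests to the vulnerable endpoint, separates bare probes from requests carrying the ?page=gravitysmtp-settings trigger, and marks 200 responses large enough to have carried the ~365 KB System Report as likely disclosures. It assumes the Apache/nginx combined log format, treats 100,000 bytes as the disclosure threshold (an assumed cutoff), and goes slightly beyond the page by also matching the ?rest_route= form WordPress accepts when pretty permalinks are disabled. The IP set is the one quoted from Wordfence above; the sample log lines are constructed, not real traffic.

```python
"""Scan access logs for requests matching the CVE-2026-4020 exploit pattern."""
import re
from urllib.parse import urlsplit, parse_qs

# Vulnerable REST route and the query parameter that triggers the data dump.
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"

# Source addresses Wordfence reported for the in-the-wild attempts (from the article).
REPORTED_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

# A successful hit returns roughly 365 KB of JSON; a 200 response above this
# (assumed) threshold is treated as a likely disclosure rather than a failed request.
DISCLOSURE_BYTES = 100_000

# Combined log format (Apache/nginx default); assumed layout of the input lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields we need as a dict, or None if the line is not combined-format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def rest_route(target):
    """Return (route, query) for a request target.

    Handles the pretty-permalink form /wp-json/<route> and the
    ?rest_route=<route> form WordPress uses when pretty permalinks are off.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def classify(entry):
    """Label a parsed entry: 'disclosure', 'attempt', 'probe', or None if unrelated."""
    route, query = rest_route(entry["target"])
    if route is None or route.rstrip("/") != VULN_ROUTE:
        return None
    triggered = query.get(TRIGGER_PARAM, [None])[0] == TRIGGER_VALUE
    if not triggered:
        return "probe"        # endpoint touched without the parameter that loads connector data
    if entry["status"] == 200 and entry["size"] >= DISCLOSURE_BYTES:
        return "disclosure"   # server answered with a payload the size of the System Report
    return "attempt"          # blocked, patched, or otherwise failed request


def scan(lines):
    """Return one finding per log line that touches the vulnerable endpoint."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is None:
            continue
        findings.append({
            "ip": entry["ip"], "time": entry["ts"], "label": label,
            "known_ip": entry["ip"] in REPORTED_IPS,
            "status": entry["status"], "size": entry["size"],
        })
    return findings


# Constructed sample lines (not real traffic) covering each outcome.
SAMPLE_LOG = [
    '45.148.10.95 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2026:03:15:22 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 162 "-" "curl/8.5.0"',
    '198.51.100.9 - - [07/Jun/2026:03:16:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 1820 "-" "python-requests/2.31"',
    '192.0.2.44 - - [07/Jun/2026:03:16:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9140 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = " [reported IP]" if f["known_ip"] else ""
        print(f'{f["time"]} {f["ip"]:<16} {f["label"]:<10} status={f["status"]} bytes={f["size"]}{flag}')
```

Feed it real log lines with `scan(open(path))`; a "disclosure" finding on a site that had third-party integrations configured is the signal to rotate those API keys and tokens, while "attempt" and "probe" entries show how much attention the endpoint has drawn since the patch was applied.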