Gravity SMTP Vulnerability (CVE-2026-4020): Hackers Exploit Info Disclosure Bug


The recent exploitation of a critical Gravity SMTP vulnerability, an information disclosure bug (CVE-2026-4020) in the Gravity SMTP plugin, demonstrates how quickly a simple coding error can escalate into a widespread credential harvesting operation.

The Gravity SMTP Vulnerability: Why a "Silent Patch" Led to Mass Exploitation

This medium-severity flaw (CVSS 5.3) allowed unauthenticated attackers to extract sensitive API keys, secrets, and detailed system information from approximately 100,000 WordPress sites. Wordfence data, showing over 17 million blocked exploit attempts since early May, confirms the aggressive nature of these attacks. The tangible impact is evident in real-world incidents, leading to account lockouts and service abuse. This Gravity SMTP vulnerability led to widespread credential harvesting.

WordPress dashboard showing Gravity SMTP vulnerability alert

The Technical Flaw: An Unsecured REST API Endpoint

The problem originates in Gravity SMTP versions up to 2.1.4. The plugin incorporates a REST API endpoint: /wp-json/gravitysmtp/v1/tests/mock-data. While such endpoints typically include a permission_callback function for authorization checks, this particular function unconditionally returned true. This effectively meant any unauthenticated user could access the endpoint, leading to the Gravity SMTP vulnerability.

The attack chain is straightforward: an attacker sends an unauthenticated HTTP GET request to /wp-json/gravitysmtp/v1/tests/mock-data, appending the query parameter ?page=gravitysmtp-settings. This parameter triggers the register_connector_data() method within the plugin, which then populates an internal data structure with all configured email connector details. Because the permission_callback always returns true, the endpoint returns that data as a JSON system report to whoever asked.

The report contained highly sensitive information, far beyond benign diagnostic data.
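To make the root cause concrete, here is an added illustration (not the plugin's own code) of a WordPress REST route with the always-true permission check described above, beside the hardened form. The namespace and route are the ones named in the article; the handler and report-builder names (gsmtp_mock_data_handler, gsmtp_build_system_report) and the report layout are assumptions.

```php
<?php
// Added illustration, not the plugin's own code: the permission_callback
// weakness described in the article and its hardened form. The namespace and
// route are the ones the article names; gsmtp_mock_data_handler,
// gsmtp_build_system_report and the $report layout are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'  => 'GET',
        'callback' => 'gsmtp_mock_data_handler',

        // The flaw: a callback that always returns true (for example the
        // core helper '__return_true') lets anonymous requests through.
        // 'permission_callback' => '__return_true',

        // Hardened: require an administrator. current_user_can() is false
        // for unauthenticated requests, so WordPress answers 401 before the
        // handler runs and the report is never built.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function gsmtp_mock_data_handler( WP_REST_Request $request ) {
    // Hypothetical builder that collects the diagnostics described above.
    $report = gsmtp_build_system_report( $request->get_param( 'page' ) );

    // Defence in depth: a diagnostics endpoint can show that a connector is
    // configured without serialising its secret. Redact before responding.
    foreach ( $report['connectors'] as &$connector ) {
        foreach ( array( 'api_key', 'secret', 'oauth_token' ) as $field ) {
            if ( ! empty( $connector[ $field ] ) ) {
                $connector[ $field ] = '[redacted]';
            }
        }
    }
    unset( $connector );

    return rest_ensure_response( $report );
}
```

Even with the capability check in place, redacting secrets in the response limits what a future authorization bug can leak.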

The Data Leak: Critical Credentials Exposed

The exposed JSON system report includes a substantial volume of sensitive data, specifically: API keys, secrets, and OAuth tokens for configured email integrations such as Amazon SES, Google, Mailjet, Resend, and Zoho. These are the credentials enabling your WordPress site to send emails via third-party services. Additionally, it exposes WordPress configuration details (version, active plugins with their versions, active theme), server environment specifics (PHP version, loaded extensions, web server version, document root path, database server type and version), and database table names. This Gravity SMTP vulnerability exposed critical credentials.

The practical implications are direct and serious. Attackers gain a complete blueprint of your site's software stack without needing to guess. Significantly, they acquire access to your email services. This enables them to:

  • Send email on your behalf: An attacker could use your Amazon SES or Mailjet account to launch phishing campaigns, spam, or business email compromise (BEC) attacks, all originating from a trusted domain. Such incidents often result in significant reputational and financial damage.
  • Further reconnaissance: The detailed system report reduces the effort required for subsequent attacks. Knowing precise WordPress, PHP, and web server versions allows attackers to target known vulnerabilities in those specific components efficiently.

Exploitation began in early May 2026, with a notable spike around June 6th. Wordfence recorded over 4 million requests daily at its peak. This constituted a mass sweep, likely executed by automated bots originating from various IP clusters. This widespread, opportunistic credential harvesting presents a persistent operational security challenge.

Immediate Actions: Patch, Rotate, and Advocate for Transparency

A patch, version 2.1.5, was released on March 17, 2026, with CVE-2026-4020 published on March 31, 2026. This update successfully closes the vulnerable endpoint.

Patching alone is insufficient; site owners running Gravity SMTP should take further immediate action. Updating to version 2.1.5 or later is essential to close the Gravity SMTP vulnerability. However, if your site ran a vulnerable version with third-party email integrations, it is prudent to operate under the assumption that your credentials have been harvested. A critical follow-up is to rotate all API keys, secrets, and OAuth tokens for every configured email service (Amazon SES, Google, Mailjet, Resend, Zoho, etc.), as updating the plugin does not revoke already stolen credentials.

Finally, examine your web server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data that include ?page=gravitysmtp-settings, specifically looking for requests from known attacker IP addresses such as 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, 176.65.148.30 to confirm targeting and timing.
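A small added PHP CLI scanner (not from the article) that applies the log check above to combined-format access logs, flagging hits on the endpoint, whether the settings parameter was present, and whether the source is one of the listed addresses. It assumes the Apache/Nginx combined log format and also matches the ?rest_route= form WordPress accepts when pretty permalinks are off; the embedded sample lines are constructed.

```php
<?php
// Added example (not from the article): a PHP CLI scanner for combined-format
// web server access logs that flags requests to the endpoint described above.
// Usage: php scan-gsmtp.php /var/log/apache2/access.log
// The sample lines below are constructed for the demonstration.

// Some of the source addresses the article lists; append the rest as needed.
$known_ips = array( '45.148.10.95', '193.32.162.60', '176.65.148.139',
                    '173.199.90.188', '185.8.107.155', '176.65.148.30' );

function scan_gsmtp_probes( array $lines, array $known_ips ) {
    // Combined log format: ip ident user [time] "METHOD target HTTP/x" status
    $re   = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})#';
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;
        }
        // Decode so the ?rest_route=%2Fgravitysmtp%2F... form (used when pretty
        // permalinks are off; assumed here) matches as well as /wp-json/...
        $target = rawurldecode( $m[4] );
        if ( strpos( $target, '/wp-json/gravitysmtp/v1/tests/mock-data' ) === false
          && strpos( $target, 'rest_route=/gravitysmtp/v1/tests/mock-data' ) === false ) {
            continue;
        }
        $hits[] = array(
            'ip'       => $m[1],
            'time'     => $m[2],
            'status'   => (int) $m[5],
            // The settings parameter is what loads the connector credentials.
            'settings' => strpos( $target, 'page=gravitysmtp-settings' ) !== false,
            'known_ip' => in_array( $m[1], $known_ips, true ),
        );
    }
    return $hits;
}
$sample = array(
    '45.148.10.95 - - [06/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2026:03:15:22 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 401 92 "-" "curl/8.5"',
    '198.51.100.9 - - [06/Jun/2026:03:16:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 3312 "-" "Mozilla/5.0"',
);
$lines = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample;

foreach ( scan_gsmtp_probes( $lines, $known_ips ) as $h ) {
    // A 200 with the settings parameter on a pre-2.1.5 site means the report
    // (and the connector secrets in it) was served; 401/403 means it was refused.
    printf( "%s %s status=%d settings=%s known_ip=%s\n", $h['time'], $h['ip'],
        $h['status'], $h['settings'] ? 'yes' : 'no', $h['known_ip'] ? 'yes' : 'no' );
}
```

Any 200 response to the settings-parameter request while the site ran 2.1.4 or earlier should be treated as a confirmed disclosure, regardless of whether the source address is on the list.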

Person typing code, addressing a security vulnerability

This incident also underscores a persistent issue within the WordPress ecosystem: how critical vulnerabilities such as this Gravity SMTP flaw are communicated to users. Some users reportedly believe a paid plugin like Gravity SMTP should have proactively notified its customers about a flaw of this scope. Releasing a patch and a CVE is standard practice, but direct email notification becomes imperative when unauthenticated attackers are actively scraping credentials from thousands of sites. Relying solely on users to check changelogs or security advisories for a "medium-severity" bug with such high practical impact is inadequate.

Such widespread, automated threats demand timely intervention.

Ultimately, this case illustrates that even seemingly minor information disclosure bugs can lead to significant security incidents when combined with weak access controls. The Gravity SMTP vulnerability serves as a stark reminder. Vendors must enhance their transparency practices, and site owners need to maintain vigilance regarding patching and, crucially, post-patch remediation like credential rotation. The full scope of security responsibility encompasses more than just applying an update.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.