A medium-severity information disclosure vulnerability in the Gravity SMTP WordPress plugin has become the subject of massive opportunistic exploitation, with Wordfence reporting more than 17 million blocked attack attempts since active exploitation began in late May 2026. The flaw, tracked as CVE-2026-4020 (CVSS 5.3), allows any unauthenticated visitor to extract full API credentials from affected sites with a single HTTP GET request.
The Vulnerability: Authentication Entirely Bypassed
Gravity SMTP registers a REST API endpoint at:
GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings
The critical mistake: the endpoint's permission_callback function unconditionally returns true, entirely skipping WordPress's built-in authentication and capability checks. When accessed with the ?page=gravitysmtp-settings query parameter, the plugin's register_connector_data() method returns a ~365 KB JSON system report containing everything needed to impersonate the site's email infrastructure.
What Gets Exposed
The leaked JSON includes:
- API keys and OAuth tokens for configured third-party email services: Amazon SES, Google Workspace, Mailjet, Resend, and Zoho Mail
- WordPress configuration details, including site URL, admin email, and active plugin list
- Server and PHP environment information
- Database configuration data
With these credentials, an attacker can send email as the victim domain (bypassing DMARC controls configured in the provider, not in WordPress), enumerate company email infrastructure, pivot to other services sharing the same credentials, and cause significant billing impact on paid email providers like Amazon SES.
Disclosure and Exploitation Timeline
The vendor patched CVE-2026-4020 in Gravity SMTP version 2.1.5, released March 17, 2026. Public disclosure followed on March 30, 2026 — a 13-day gap that left the vast majority of site operators unaware a critical patch was available.
Opportunistic mass-scanning began around May 27, 2026 and escalated sharply:
- June 6, 2026: Peak exploitation traffic exceeding 4 million malicious requests per day
- Total requests: 17+ million blocked by Wordfence alone
- Attacking IPs: 412+ distinct source IPs identified by CrowdSec, primarily located in France, the Netherlands, and the United States — consistent with cloud hosting infrastructure used for distributed credential harvesting
Scope and Affected Sites
Gravity SMTP has approximately 100,000 active WordPress installations. Any site running a version prior to 2.1.5 that had not yet applied the patch should be considered fully compromised — the attack is unauthenticated, leaves no obvious traces in application logs, and requires no special tooling beyond a standard HTTP client.
Immediate Remediation Steps
Update immediately: Upgrade to Gravity SMTP 2.1.5 or later via the WordPress admin dashboard or WP-CLI.
Rotate all exposed credentials: Treat any site running a vulnerable version as compromised. Revoke and regenerate API keys for:
- Amazon SES (IAM credentials)
- Google Workspace SMTP credentials / OAuth app
- Mailjet API key and Secret key
- Resend API key
- Zoho Mail credentials
Block the endpoint via WAF: If immediate patching is not possible, block unauthenticated access to /wp-json/gravitysmtp/ at the web server or WAF layer as a temporary mitigation.
Audit email logs: Review your email provider's sending logs for messages you did not originate — credential exposure may have already resulted in abuse.
Monitor for indicators: CrowdSec's shared blocklist includes the 412+ attacking IPs observed in this campaign — subscribe to the community blocklist or import the IOCs into your WAF rules.
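The plugin itself writes nothing to WordPress's own logs, but the web server's access log still records the GET request described above, so that is where the audit should start. The following Python script is an added example, not part of this write-up or of Gravity SMTP: it reads access-log lines in the common/combined format, flags requests to the vulnerable route, separates a full exploit request (with page=gravitysmtp-settings) from a bare probe, records whether the server answered 200 (meaning the report was most likely served), and marks source addresses that appear in a blocklist. The log lines and the blocklist entries are constructed samples using documentation-range IPs; the /?rest_route= form of the URL is standard WordPress routing for sites without pretty permalinks, not something reported in this campaign, and is included so such sites are not missed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Route and query parameter named in the advisory.
TARGET_ROUTE = "/gravitysmtp/v1/tests/mock-data"
TARGET_PAGE = "gravitysmtp-settings"

# Constructed sample blocklist (documentation-range addresses, not real IOCs);
# in practice load the CrowdSec blocklist or your own IOC feed here.
BLOCKLIST = {"203.0.113.10", "198.51.100.7"}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access-log lines: the first three show exploitation and
# probing of the endpoint, the last two are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
198.51.100.7 - - [06/Jun/2026:03:14:09 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 162 "-" "curl/8.5.0"
192.0.2.44 - - [06/Jun/2026:03:15:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jun/2026:03:16:22 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jun/2026:03:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(target):
    """Return "exploit", "probe" or None for one request target.

    "exploit": the vulnerable route with page=gravitysmtp-settings, i.e. the
               request that returns the credential-bearing report.
    "probe":   the vulnerable route without that parameter (reconnaissance).
    The route is reachable as /wp-json/<route> or, on sites without pretty
    permalinks, as /?rest_route=<route> (generic WordPress behaviour).
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    path = parts.path.rstrip("/")
    route_hit = path.endswith("/wp-json" + TARGET_ROUTE) or any(
        v.rstrip("/") == TARGET_ROUTE for v in query.get("rest_route", [])
    )
    if not route_hit:
        return None
    return "exploit" if TARGET_PAGE in query.get("page", []) else "probe"


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyze(lines, blocklist=BLOCKLIST):
    """Scan log lines; return (findings, requests-per-source-IP)."""
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["target"])
        if kind is None:
            continue
        status = int(rec["status"])
        per_ip[rec["ip"]] += 1
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "kind": kind,
            "status": status,
            # A 200 on this route means the JSON report was almost certainly
            # handed out; a 403 usually indicates a WAF or web-server block.
            "served": status == 200,
            "known_bad": rec["ip"] in blocklist,
        })
    return findings, per_ip


def summarize(findings):
    """Roll findings up into the numbers an incident responder needs first."""
    return {
        "exploit_requests": sum(1 for f in findings if f["kind"] == "exploit"),
        "probes": sum(1 for f in findings if f["kind"] == "probe"),
        "likely_leaks": sum(1 for f in findings if f["kind"] == "exploit" and f["served"]),
        "known_bad_sources": sorted({f["ip"] for f in findings if f["known_bad"]}),
    }


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of your real access log.
    results, sources = analyze(SAMPLE_LOG.splitlines())
    print(summarize(results))
    for finding in results:
        print(finding)
    print("requests per source:", dict(sources))
```

Any "exploit" finding with served set, dated before the site was upgraded to 2.1.5, means the report went out and every credential in the rotation list above has to be treated as stolen; "probe" hits and 403 responses are still worth feeding back into the WAF or blocklist, since the same sources tend to return with the full request.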