Critical Gravity SMTP Flaw Under Active Attack, Exposing API Keys on 100,000+ WordPress Sites

Threat actors are actively exploiting a serious security vulnerability in the popular Gravity SMTP WordPress plugin, potentially exposing sensitive API keys, OAuth tokens, and email service credentials from more than 100,000 websites worldwide. The vulnerability, tracked as CVE-2026-4020, affects Gravity SMTP versions 2.1.4 and earlier.

According to security researchers, the flaw stems from an improperly secured REST API endpoint that can be accessed without authentication. Attackers can query the endpoint and retrieve a detailed system report containing sensitive information such as API keys, authentication tokens, WordPress configuration data, installed plugins, server details, and database information.

The exposed credentials may include integrations with major email providers such as Amazon Web Services, Google, Mailjet, Resend, and Zoho. If stolen, these credentials could be abused to send spam, launch phishing campaigns, or gain deeper access to affected organizations’ infrastructure.

Security firm Wordfence reported blocking more than 17 million exploitation attempts, including a surge of over 4 million attacks in a single day during early June. Researchers from CrowdSec also observed at least 412 distinct IP addresses attempting to exploit the vulnerability, indicating widespread automated scanning and attack activity.

The vulnerable endpoint, /wp-json/gravitysmtp/v1/tests/mock-data, mistakenly grants access to any visitor because its permission check always returns true. By appending a specific parameter, attackers can force the plugin to generate and expose a large JSON system report containing sensitive configuration data.

The plugin developer, RocketGenius, released Gravity SMTP 2.1.5 to fix the issue. Security experts strongly recommend that website administrators immediately update to the latest version, review server logs for suspicious requests, and rotate any API keys, OAuth tokens, or SMTP credentials that may have been exposed.
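As an added example, not code from the article or from the plugin vendor, the following Python script supports the log-review step above. It parses access-log lines in the common combined format and flags any request to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, including the ?rest_route= fallback form WordPress accepts when pretty permalinks are disabled, then summarizes hits per source IP and whether any such request was answered with HTTP 200 (the report was likely served). The log lines are constructed samples using documentation IP ranges; the article does not name the parameter attackers append, so the check keys on the route alone and keeps the full request target for the analyst.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlparse

# REST route named in the advisory (the part after /wp-json).
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Apache/nginx "combined" log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


@dataclass
class Hit:
    ip: str
    ts: str
    target: str   # full request target, query string included, for triage
    status: int


def requested_route(target: str) -> Optional[str]:
    """Return the WP REST route a request targets, or None if it is not a REST call.

    Handles the pretty-permalink form (/wp-json/<route>) and the fallback
    form (/index.php?rest_route=/<route>) that WordPress also accepts.
    """
    parsed = urlparse(target)
    path = unquote(parsed.path).rstrip("/")
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):]
    qs = parse_qs(parsed.query)
    if "rest_route" in qs:
        return unquote(qs["rest_route"][0]).rstrip("/")
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Return every parsed request whose REST route is the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        route = requested_route(m["target"])
        # Compared case-insensitively so trivial case variation is not missed.
        if route is not None and route.lower() == VULN_ROUTE:
            hits.append(Hit(m["ip"], m["ts"], m["target"], int(m["status"])))
    return hits


def summarize(hits: List[Hit]) -> Tuple[Counter, bool]:
    """Per-IP request counts and whether any request received HTTP 200."""
    by_ip = Counter(h.ip for h in hits)
    report_served = any(h.status == 200 for h in hits)
    return by_ip, report_served


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Jun/2026:14:02:11 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '203.0.113.10 - - [03/Jun/2026:14:02:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data/ HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '198.51.100.7 - - [03/Jun/2026:14:05:40 +0000] "GET /index.php?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 401 93 "-" "curl/8.4.0"',
    '192.0.2.55 - - [03/Jun/2026:14:06:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [03/Jun/2026:14:06:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    counts, served = summarize(found)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} request(s) to the vulnerable endpoint")
    if served:
        print("At least one request returned 200: treat stored credentials as exposed and rotate them.")
```

A 200 response to this route on a pre-2.1.5 install means the system report was returned, so every API key, OAuth token and SMTP credential it contains should be rotated regardless of how many requests were seen; a 401 or 403 indicates the patched permission check rejected the call.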

Key Facts

  • Vulnerability: CVE-2026-4020
  • Affected Plugin: Gravity SMTP for WordPress
  • Affected Versions: 2.1.4 and earlier
  • Risk: Exposure of API keys, OAuth tokens, SMTP credentials, and system information
  • Active Installations: Over 100,000 sites
  • Patch Available: Version 2.1.5
  • Observed Exploitation: More than 17 million blocked attack attempts reported by Wordfence

The incident highlights the growing trend of attackers targeting WordPress plugins to harvest credentials and gain access to trusted services, making rapid patching and credential rotation essential for affected website owners.
