Active Exploitation of Gravity SMTP Plugin Flaw (CVE-2026-4020) Exposes Sensitive Data on 100,000 WordPress Sites

Hackers Actively Exploit Gravity SMTP Flaw (CVE-2026-4020) to Steal API Keys from 100K WordPress Sites

Severity: HIGH
June 20, 2026
Categories: Vulnerability, Patch Management, Cyberattack

Impact Scope

People Affected

Up to 100,000 websites

Industries Affected

Technology, Other

Related Entities

Products & Tech

Gravity SMTP, WordPress, Wordfence

Other

Defiant

CVE Identifiers

CVE-2026-4020
MEDIUM (CVSS 5.3)

Full Report

Executive Summary

A medium-severity information disclosure vulnerability in the Gravity SMTP plugin for WordPress, tracked as CVE-2026-4020, is under active and widespread exploitation. The flaw, affecting an estimated 100,000 websites, allows an unauthenticated attacker to retrieve a detailed system report containing sensitive credentials and configuration data. The vulnerability stems from an insecure REST API endpoint that fails to perform any authentication or authorization checks. Attackers are using this flaw to steal API keys and OAuth tokens for third-party email services. Security firm Defiant has reported blocking millions of exploit attempts, confirming that attackers are using automated scanners to find and compromise vulnerable sites. Users are urged to update to the patched version (2.1.5) immediately and rotate any credentials managed by the plugin.

Vulnerability Details

CVE-2026-4020 is an unauthenticated information disclosure vulnerability with a CVSS score of 5.3.

  • Attack Vector: The vulnerability is exploited by sending a simple HTTP GET request to a specific REST API endpoint exposed by the plugin.
  • Root Cause: The endpoint, located at /wp-json/gravitysmtp/v1/tests/mock-data, was configured with a permission callback that always returned true. This means that any request, regardless of authentication status, was granted access.
  • Mechanism: An unauthenticated attacker can make a request to https://<vulnerable-site>/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings. The plugin responds with a large JSON file containing the site's full system report. This report was likely intended for debugging purposes but was left publicly exposed.

Affected Systems

  • Gravity SMTP plugin for WordPress, versions 2.1.4 and below.
  • The vulnerability was patched in version 2.1.5, released on March 17, 2026.
  • An estimated 100,000 websites have the plugin installed.

Exploitation Status

The vulnerability is being actively and widely exploited. WordPress security firm Defiant, makers of the Wordfence firewall, reported blocking over 17 million exploitation attempts targeting this flaw. This indicates that threat actors have integrated the exploit into automated scanning tools and are indiscriminately targeting any site running a vulnerable version of the plugin.

Impact Assessment

A successful exploit of this vulnerability provides an attacker with a wealth of sensitive information that can be used for further attacks:

  • Credential Theft: The most critical impact is the exposure of API keys, secrets, and OAuth tokens for email services (e.g., SendGrid, Mailgun) configured in the plugin. Attackers can use these credentials to send spam or phishing emails from the compromised domain, abusing its reputation (T1586.002 - Email Accounts).
  • Reconnaissance: The system report contains detailed information about the target environment, including the server's operating system, PHP version, database version, and a full list of all other active plugins and their versions. This information is a goldmine for an attacker, allowing them to identify other potential vulnerabilities to exploit for a more severe compromise (T1592 - Gather Victim Host Information).

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • url_pattern: /wp-json/gravitysmtp/v1/tests/mock-data. The specific REST API endpoint being exploited. Any GET request to this URL should be considered an attack.
  • url_pattern: ?page=gravitysmtp-settings. The query parameter used to trigger the information disclosure.
  • log_source: Web Server Access Logs. Search for GET requests matching the URL pattern above; the source IP is the attacker's.
  • response_size: ~365 KB. The JSON response containing the system report is reportedly around 365 KB. Look for responses of this size to the vulnerable endpoint.

Detection Methods

  • WAF/Firewall Logs: The easiest way to detect exploitation attempts is to search your Web Application Firewall (WAF) or web server access logs for GET requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint. Any such request should be treated as an indicator of targeting.
  • Vulnerability Scanning: Use a WordPress-aware vulnerability scanner to check if your site is running a vulnerable version of the Gravity SMTP plugin.
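As an added example (not code from the advisory, Wordfence or the Gravity SMTP project), the hunting hints and the log-based detection method above applied to web server access logs in Python: every request to the vulnerable endpoint is flagged, and likely successful disclosures (HTTP 200 with a body near the ~365 KB report size) are separated from blocked requests and bare probes. It assumes Apache/nginx combined log format; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
# Indicator values from the advisory: the exploited endpoint and the ~365 KB report size.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
REPORT_SIZE_MIN = 300_000  # bytes; a 200 response this large means the full report was served
# Apache/nginx combined log format: ip - user [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

@dataclass
class Hit:
    ip: str
    status: int
    size: int
    verdict: str  # "disclosure", "blocked" or "probe"

def classify(line: str) -> "Hit | None":
    """Return a Hit if the access-log line targets the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").split("?", 1)[0]
    if path.rstrip("/") != VULN_PATH:
        return None
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    if status == 200 and size >= REPORT_SIZE_MIN:
        verdict = "disclosure"  # the system report left the server: rotate credentials
    elif status in (401, 403):
        verdict = "blocked"     # WAF rule or patched plugin rejected the request
    else:
        verdict = "probe"       # endpoint touched but no large body returned
    return Hit(m.group("ip"), status, size, verdict)

def hunt(lines):
    """Return all hits plus the set of source IPs per verdict; any hit at all is targeting."""
    hits = [h for h in map(classify, lines) if h]
    by_verdict = {}
    for h in hits:
        by_verdict.setdefault(h.verdict, set()).add(h.ip)
    return hits, by_verdict
# Constructed sample log lines (not real traffic); the IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jun/2026:02:14:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"',
    '198.51.100.23 - - [19/Jun/2026:02:15:11 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 153 "-" "curl/8.4.0"',
    '192.0.2.44 - - [19/Jun/2026:02:16:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]
```

Feed real access logs line by line into hunt(); a "disclosure" verdict for a vulnerable version means the credential rotation in the remediation steps is mandatory, not optional.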

Remediation Steps

  1. Update Immediately: The most critical step is to update the Gravity SMTP plugin to version 2.1.5 or later. This action, a form of M1051 - Update Software, completely removes the vulnerability.
  2. Assume Compromise and Rotate Credentials: If you were running a vulnerable version, you must assume that all credentials stored within the plugin have been compromised. Immediately log into your third-party email service providers (e.g., SendGrid, Postmark, Mailgun) and rotate/regenerate all API keys and OAuth tokens. Update the Gravity SMTP plugin with the new credentials.
  3. Review Logs: While not strictly necessary if credentials have been rotated, you can review the logs of your email service provider for any unusual sending activity since the plugin was installed.

Timeline of Events

  1. March 17, 2026: Gravity SMTP version 2.1.5 is released, patching the vulnerability.
  2. June 19, 2026: Reports emerge of widespread, active exploitation of CVE-2026-4020.
  3. June 20, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Updating the plugin to the patched version is the primary and most effective remediation.
  • Audit (M1047, enterprise): Regularly audit installed plugins and their versions to ensure they are up-to-date and necessary.
  • Use a WAF to create a custom rule to block requests to the vulnerable API endpoint as a virtual patch.

D3FEND Defensive Countermeasures

The definitive remediation for CVE-2026-4020 is to perform a software update. WordPress administrators must immediately navigate to their site's dashboard, go to the 'Plugins' section, and update the Gravity SMTP plugin to version 2.1.5 or higher. This action directly replaces the vulnerable code with the patched version, completely eliminating the insecure REST API endpoint. Given the active and widespread exploitation, this should be treated as an emergency change. Enabling automatic updates for plugins can help prevent such issues in the future, although it carries its own supply-chain risks. After updating, it is crucial to proceed with credential rotation as a follow-up step.

After updating the Gravity SMTP plugin, it is imperative to assume that all credentials managed by it have been compromised. This requires invalidating the old credentials. Log in to the dashboard of every third-party email service configured in the plugin (e.g., SendGrid, Mailgun, Postmark). Navigate to the API key or credentials section and revoke/delete the existing API key used by your WordPress site. Generate a new key and update the settings in the now-patched Gravity SMTP plugin with this new key. This action of invalidating the old 'authentication cache' (the stolen API key) ensures that even though attackers have the old key, it is now useless and cannot be used to abuse your email sending service.

As a defense-in-depth or virtual patching measure, use a Web Application Firewall (WAF) to block all inbound requests to the vulnerable endpoint. Create a custom rule that specifically blocks any HTTP GET requests where the URL path is /wp-json/gravitysmtp/v1/tests/mock-data. This provides an immediate layer of protection even before the plugin can be patched, and it will continue to protect against scanning traffic after the patch is applied. This filtering rule is highly specific and should have no impact on legitimate site functionality. It directly targets the exploit path used by attackers and is a recommended practice for any publicly disclosed vulnerability with a clear, static exploit pattern.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.