A critical security vulnerability in the widely used Gravity SMTP WordPress plugin has become a prime target for threat actors, exposing sensitive API keys and system data from an estimated 100,000 websites. The flaw, identified as CVE-2026-4020, allows unauthenticated attackers to extract a treasure trove of information, paving the way for potential site compromise and email abuse.
The Unsecured Gateway: How Attackers Access Your Data
The vulnerability, rated with a CVSS score of 5.3 (medium severity), stems from an information disclosure flaw within the Gravity SMTP plugin. Specifically, a REST API endpoint located at /wp-json/gravitysmtp/v1/tests/mock-data was registered with a permission_callback that, alarmingly, always returned true. This oversight meant that any visitor, regardless of authentication status, could access it.
Wordfence researchers detailed that by simply appending the ?page=gravitysmtp-settings query parameter to this endpoint, the plugin’s register_connector_data() method would populate internal connector data. The result? A hefty 365 KB JSON file containing a comprehensive “System Report” was returned, completely unauthenticated.
What Information is Exposed?
The exposed System Report is a goldmine for attackers, revealing a vast array of critical details:
- PHP version and loaded extensions
- Web server version and document root path
- Database server type and version
- WordPress version, active plugins (with versions), and active theme
- WordPress configuration specifics and database table names
- Crucially, API keys and tokens configured for third-party email integrations, including services such as Amazon SES, Google, Mailjet, Resend, and Zoho.
This level of detail provides a blueprint of the site’s software stack that facilitates targeted follow-on attacks, and the exposed API credentials let attackers send email on behalf of the affected site, potentially for spam, phishing, or other malicious campaigns.
The Attack Wave: Millions of Exploitation Attempts
The vulnerability has not gone unnoticed by malicious actors. Wordfence reports blocking over 17 million exploit attempts targeting CVE-2026-4020 to date. Initial activity was observed in early May 2026, escalating dramatically around June 6, 2026, reaching a peak of over 4 million requests in a single day.
These attacks involve unauthenticated HTTP GET requests directed at the vulnerable REST API endpoint, specifically utilizing the ?page=gravitysmtp-settings query parameter to trigger the data disclosure.
Exploitation efforts have been traced to a number of IP addresses, including: 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30.
Urgent Action Required: Patch and Protect
A patch for CVE-2026-4020 was released in version 2.1.5 of the Gravity SMTP plugin. All site owners using this plugin, especially those with third-party email integrations configured, are strongly advised to:
- Update Immediately: Upgrade the Gravity SMTP plugin to version 2.1.5 or later without delay.
- Assume Compromise: Given the active exploitation, assume that your site’s credentials may have been exposed.
- Rotate Credentials: Promptly rotate all API keys, secrets, and OAuth tokens associated with any third-party email services configured within the plugin (e.g., Amazon SES, Google, Mailjet, Resend, Zoho).
- Review Logs: Scrutinize server log files for any suspicious requests originating from the aforementioned IP addresses targeting the API endpoint.
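The log review in the last step, as an added example that is not from the article or from Wordfence: a Python scanner for combined-format access logs that flags requests reaching the mock-data endpoint with the page=gravitysmtp-settings parameter, also matching the ?rest_route= form WordPress uses when pretty permalinks are off (a generalisation the article does not mention), and marks 200 responses over 100 KB as likely disclosures of the roughly 365 KB report. The sample log lines and the 100 KB threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the Wordfence write-up; the trigger parameter is page=gravitysmtp-settings.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"  # same route via ?rest_route= (plain-permalink sites)

# Apache/Nginx combined format: client, ident, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_cve_2026_4020_request(target: str) -> bool:
    """True when the request target reaches the mock-data endpoint with page=gravitysmtp-settings."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")        # tolerate trailing slash and %-encoding
    query = parse_qs(parts.query)                  # parse_qs percent-decodes values
    routes = [r.rstrip("/") for r in query.get("rest_route", [])]
    on_endpoint = path.endswith(VULN_PATH) or VULN_ROUTE in routes  # endswith: subdirectory installs
    return on_endpoint and "gravitysmtp-settings" in query.get("page", [])

def scan_access_log(log_text: str) -> list[dict]:
    """One record per matching request, flagging 200s with a large body as likely disclosures."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_cve_2026_4020_request(m["target"]):
            continue
        size = int(m["size"]) if m["size"] != "-" else 0
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"], "status": int(m["status"]), "bytes": size,
            # Heuristic threshold (assumption): the report is ~365 KB, so a 200 over 100 KB means it was served.
            "likely_disclosed": m["status"] == "200" and size > 100_000,
        })
    return hits

def requests_per_ip(hits: list[dict]) -> Counter:
    """Count matching requests per source address to prioritise review and blocking."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 374112 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:10:14:05 +0000] "GET /blog/wp-json/gravitysmtp/v1/tests/mock-data/?page=gravitysmtp-settings&_=1 HTTP/1.1" 200 373990 "-" "curl/8.0"
198.51.100.4 - - [06/Jun/2026:10:15:11 +0000] "GET /index.php?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 401 93 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:10:16:40 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""
```

Any hit with likely_disclosed set to True on a site that ran a version before 2.1.5 should be treated as confirmed exposure of the configured mail-provider credentials.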
Proactive security measures are paramount to safeguard your website and user data from the ongoing threat landscape.