# Threat Actors Exploiting Critical Information Disclosure Flaw in Gravity SMTP WordPress Plugin
A recently disclosed vulnerability, **CVE-2026-4020**, in the popular **Gravity SMTP** WordPress plugin is under active exploitation. This medium-severity information disclosure flaw allows unauthenticated attackers to extract sensitive configuration data, API keys, and OAuth tokens, posing a significant risk to the approximately 100,000 websites using the plugin.
Threat actors are actively exploiting a recently patched security flaw affecting **Gravity SMTP**, a **WordPress** plugin installed on approximately 100,000 sites.

## The Vulnerability: CVE-2026-4020
The vulnerability, tracked as **CVE-2026-4020** (CVSS score: 5.3), is a medium-severity information disclosure flaw. It enables unauthenticated attackers to extract sensitive data, including configuration data, API keys, secrets, and **OAuth** tokens configured for the plugin's email integrations.
According to **Wordfence**, the issue stems from a **REST API** endpoint registered at `/wp-json/gravitysmtp/v1/tests/mock-data`. This endpoint has a `permission_callback` that unconditionally returns true, granting access to any unauthenticated visitor.
When the `?page=gravitysmtp-settings` query parameter is appended, the plugin's `register_connector_data()` method populates internal connector data. This causes the endpoint to return approximately 365 KB of **JSON** containing a full System Report.
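The root cause described above is a WordPress REST route whose `permission_callback` admits everyone. The following is an added example, not Gravity SMTP's own code or Wordfence's: it reconstructs that registration pattern in its insecure form beside a hardened one, and adds secret masking as a second layer. The function names, the option name `gsmtp_mailjet_api_key` and the report shape are assumptions for illustration; only the route path comes from the advisory.

```php
<?php
// Added example, not Gravity SMTP's own code: the WordPress REST route
// registration pattern behind CVE-2026-4020, shown insecure and hardened.
// Function names, the option name and the report shape are assumptions;
// only the route path comes from the advisory.

// INSECURE: '__return_true' as permission_callback lets any visitor, logged
// in or not, invoke the callback and receive the full System Report.
function gsmtp_register_insecure_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_mock_data_callback',
        'permission_callback' => '__return_true',  // the flaw
    ) );
}

// HARDENED: WordPress evaluates permission_callback before the route
// callback, so gating on an administrator-only capability answers anonymous
// requests with 401 (authenticated non-admins with 403) and never builds
// the report for them.
function gsmtp_register_hardened_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_mock_data_callback',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view diagnostic data.', 'gravitysmtp' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Second layer: a diagnostic export should never carry live credentials,
// even for administrators. A short prefix is kept so support can tell keys apart.
function gsmtp_mask_secret( string $secret ): string {
    if ( $secret === '' ) {
        return '';
    }
    return substr( $secret, 0, 4 ) . str_repeat( '*', max( 0, strlen( $secret ) - 4 ) );
}

// Route callback (assumed name, deliberately tiny report shape).
function gsmtp_mock_data_callback( WP_REST_Request $request ) {
    $report = array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
        'connectors'  => array(
            'mailjet' => array(
                // The option name is an assumption for illustration.
                'api_key' => gsmtp_mask_secret( (string) get_option( 'gsmtp_mailjet_api_key', '' ) ),
            ),
        ),
    );
    return rest_ensure_response( $report );
}

add_action( 'rest_api_init', 'gsmtp_register_hardened_route' );
```

Two points about the hardened form: `current_user_can()` only sees a logged-in user on cookie-authenticated REST calls when the request carries a valid `X-WP-Nonce`, which is exactly why an unauthenticated `GET` from a scanner is refused; and the masking in the callback matters independently of the capability check, because a diagnostic report that is safe to paste into a support ticket is one that never contained the live key in the first place.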
## Exposed Data and Potential Impact
An unauthenticated attacker can weaponize this issue to retrieve a wide range of information, including:
* **PHP** version and loaded extensions
* Web server version and document root path
* Database server type and version
* **WordPress** version
* All active plugins with their versions
* Active theme details
* **WordPress** configuration details
* Database table names
* API keys/tokens configured in the plugin, such as for **Amazon SES**, **Google**, **Mailjet**, **Resend**, and **Zoho**
Attackers could leverage this exposure to harvest credentials, which could then be abused to send email on behalf of the site. Furthermore, the extensive details of the site's software stack could serve as a foundation for more sophisticated follow-on attacks.
"As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed," **Wordfence** emphasized. "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site."
## Active Exploitation and Mitigation
A patch for **CVE-2026-4020** has been released in version 2.1.5 of the plugin. However, bad actors have already begun exploiting the defect. They are sending unauthenticated **HTTP GET** requests to the vulnerable **REST API** endpoint with the `?page=gravitysmtp-settings` query parameter, causing the server to return valuable site information without requiring authentication.
**Wordfence** has reported blocking over 17 million exploit attempts targeting **CVE-2026-4020** to date. Initial activity began in early May 2026 and dramatically spiked around June 6, 2026, reaching over 4,000,000 requests the following day. Exploit efforts have originated from the following IP addresses:
* 45.148.10.95
* 193.32.162.60
* 176.65.148.139
* 173.199.90.188
* 45.148.10.120
* 185.8.107.155
* 185.8.106.37
* 185.8.106.92
* 185.8.106.145
* 176.65.148.30
## Recommendations for Site Owners
Site owners running a vulnerable version of the **Gravity SMTP** plugin, especially those with configured third-party email integrations, should assume compromise. It is crucial to rotate all relevant credentials immediately after updating the plugin to the latest version (2.1.5 or higher).
Additionally, it is strongly advised to review server log files for any suspicious requests to the **API** endpoint originating from the aforementioned IP addresses.
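To make the log review concrete, here is an added example (not from the advisory or Wordfence) of a small PHP script that walks an Apache or Nginx combined-format access log, picks out requests to the vulnerable route in both its pretty-permalink form and the `?rest_route=` form WordPress accepts when pretty permalinks are disabled, flags the ones carrying the `page=gravitysmtp-settings` trigger, matches source IPs against the addresses listed above, and treats a `200` with a body in the hundreds of kilobytes as a probable disclosure, since the advisory puts the System Report at roughly 365 KB. The log lines embedded in it are constructed samples; the 100 KB threshold is an assumption.

```php
<?php
// Added example, not from the advisory: scan an access log for requests that
// match the CVE-2026-4020 exploitation pattern. Sample log lines below are
// constructed; only the route, trigger parameter and IP list are from the page.

const GSMTP_ROUTE      = '/gravitysmtp/v1/tests/mock-data';
const GSMTP_ENDPOINT   = '/wp-json' . GSMTP_ROUTE;
const GSMTP_MIN_BYTES  = 100 * 1024;   // assumed threshold for "report was returned"

// Source IPs Wordfence attributed exploit traffic to (listed in the advisory).
const GSMTP_KNOWN_IPS = [
    '45.148.10.95', '193.32.162.60', '176.65.148.139', '173.199.90.188',
    '45.148.10.120', '185.8.107.155', '185.8.106.37', '185.8.106.92',
    '185.8.106.145', '176.65.148.30',
];

// Constructed sample lines in Apache "combined" format: a hit from a listed IP
// that returned a large body, a blocked attempt, a rest_route-form hit from an
// unlisted IP, and an ordinary page view.
const GSMTP_SAMPLE_LOG = [
    '45.148.10.95 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2026:03:20:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 94 "-" "curl/8.4.0"',
    '198.51.100.22 - - [07/Jun/2026:03:21:02 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 374102 "-" "python-requests/2.31"',
    '198.51.100.9 - - [07/Jun/2026:03:22:15 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

// Split one combined-log line into the fields we need; null if it does not parse.
function gsmtp_parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

// Decide whether a parsed request targets the vulnerable route, and how it fared.
function gsmtp_classify( array $req ): ?array {
    $parts = parse_url( $req['target'] );
    $path  = rtrim( $parts['path'] ?? '', '/' );
    parse_str( $parts['query'] ?? '', $qs );

    $route_hit = $path === GSMTP_ENDPOINT
        || ( in_array( $path, [ '', '/index.php' ], true )
             && rtrim( (string) ( $qs['rest_route'] ?? '' ), '/' ) === GSMTP_ROUTE );
    if ( ! $route_hit ) {
        return null;
    }
    return [
        'ip'        => $req['ip'],
        'time'      => $req['time'],
        'known_ioc' => in_array( $req['ip'], GSMTP_KNOWN_IPS, true ),
        'triggered' => ( $qs['page'] ?? '' ) === 'gravitysmtp-settings',
        'disclosed' => $req['status'] === 200 && $req['bytes'] >= GSMTP_MIN_BYTES,
    ];
}

// Walk the log and summarise: every hit, how many came from listed IPs, and how
// many look like a successful report download.
function gsmtp_scan_log( iterable $lines ): array {
    $summary = [ 'hits' => [], 'known_ioc' => 0, 'disclosed' => 0 ];
    foreach ( $lines as $line ) {
        $req = gsmtp_parse_log_line( (string) $line );
        $hit = $req === null ? null : gsmtp_classify( $req );
        if ( $hit === null ) {
            continue;
        }
        $summary['hits'][] = $hit;
        $summary['known_ioc'] += $hit['known_ioc'] ? 1 : 0;
        $summary['disclosed'] += $hit['disclosed'] ? 1 : 0;
    }
    return $summary;
}

if ( PHP_SAPI === 'cli' ) {
    $lines   = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : GSMTP_SAMPLE_LOG;
    $summary = gsmtp_scan_log( $lines );
    foreach ( $summary['hits'] as $h ) {
        printf( "%-16s %s  ioc=%d trigger=%d disclosed=%d\n",
            $h['ip'], $h['time'], $h['known_ioc'], $h['triggered'], $h['disclosed'] );
    }
    printf( "%d hits, %d from listed IPs, %d probable disclosures\n",
        count( $summary['hits'] ), $summary['known_ioc'], $summary['disclosed'] );
}
```

Run it as `php scan.php /var/log/apache2/access.log` to use a real log, or with no argument to see the constructed samples classified. Note what the third sample shows: the request came from an address that is not on the list above yet still returned a report-sized body, so the IP list is a starting point for triage, not the boundary of the exposure. The advisory's guidance stands regardless of what the scan finds: with a vulnerable version and configured integrations, treat the credentials as exposed and rotate them after updating, because logs may already have rotated past the early-May activity or may not record response sizes at all.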