Attackers are actively exploiting CVE-2026-4020, a Gravity SMTP vulnerability that can expose sensitive WordPress configuration data without authentication. The plugin is used to connect WordPress sites to external email providers, which makes this more than a routine information disclosure issue: exposed data can include API keys, secrets, OAuth tokens, plugin inventories, database details, and server information.
The bug affects Gravity SMTP versions up to and including 2.1.4 and is fixed in 2.1.5. Wordfence says it has blocked more than 17 million exploit attempts, with exploitation beginning in May and spiking sharply in early June. That scale changes the response. Site owners should assume internet-facing vulnerable installs may already have been queried.
Why this matters now
Gravity SMTP sits in a quiet but privileged part of many WordPress environments. It helps route transactional email through providers such as Amazon SES, Google, Mailjet, Resend, and Zoho. Those integrations often require secrets that allow mail to be sent on behalf of a domain or application.
CVE-2026-4020 is not remote code execution by itself, but it can hand attackers exactly what they need for follow-on activity: credentials, environment detail, software versions, and a clean inventory of other plugins to probe next. In practical terms, the flaw can turn an exposed WordPress site into a reconnaissance bundle.
That is why the right response is not only "update the plugin." It is update, rotate, and investigate.
What the vulnerability exposes
According to Wordfence, the issue comes from a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission callback that allows unauthenticated access. When queried with the page=gravitysmtp-settings parameter, the plugin can return a large JSON system report.
That report may include:
- PHP version and loaded extensions
- web server version and document root path
- WordPress version, active theme, and active plugins
- database type, version, and table names
- WordPress configuration details
- API keys, secrets, and OAuth tokens configured for Gravity SMTP integrations
This is a classic access control failure. The endpoint exists to support plugin behavior, but the authorization check around it was weak enough that unauthenticated visitors could request sensitive output.
Active exploitation is broad, not theoretical
Wordfence reports more than 17 million blocked exploit attempts targeting CVE-2026-4020, with a peak above 4 million requests in one day around June 7. CrowdSec separately observed exploitation moving into broad background internet scanning, with hundreds of distinct attacking IPs seen by early June.
That telemetry matters because it suggests the bug has moved from security-research awareness into commodity automation. Attackers do not need to know that a specific business uses Gravity SMTP. They can scan WordPress sites, query the endpoint, and sift the responses for useful ones later.
For defenders, this means exposure windows matter. If a site ran Gravity SMTP 2.1.4 or earlier while reachable from the internet, the investigation should include logs from May onward, not just activity after the latest headlines.
The operational risk is credential reuse
The most damaging outcome is not the system report itself. It is what attackers do after reading it.
Exposed email-provider tokens can enable spam, phishing, account abuse, reputation damage, or business email disruption. Plugin and version inventories can also guide additional exploitation against the same WordPress site. Database names, paths, and configuration details shorten the attacker’s discovery phase.
If an email integration token was exposed, rotating only the WordPress admin password is not enough. The external provider credential must be revoked and replaced, and any suspicious sending activity should be reviewed at the provider side.
Immediate actions for WordPress owners
1. Update Gravity SMTP now
Upgrade Gravity SMTP to 2.1.5 or later. Versions up to and including 2.1.4 are affected.
2. Rotate exposed integration secrets
If the vulnerable plugin was configured with Amazon SES, Google, Mailjet, Resend, Zoho, or other mail-provider credentials, rotate those keys and OAuth tokens after patching. Treat old secrets as exposed.
3. Review access logs for the vulnerable endpoint
Search web server, WAF, CDN, and application logs for requests to:
/wp-json/gravitysmtp/v1/tests/mock-data
Pay special attention to requests that include:
page=gravitysmtp-settings
If those requests succeeded before patching, treat the site as a potential incident response case, not just a maintenance ticket.
4. Check for follow-on activity
Review for unusual mail-provider usage, new WordPress admin users, unfamiliar plugin changes, suspicious file modifications, and authentication attempts that followed endpoint access.
5. Reduce plugin exposure
Remove unused plugins, keep WordPress and plugins updated, and place internet-facing WordPress sites behind controls that can detect abnormal REST API probing. A firewall or WAF rule can reduce exposure while patching catches up, but it should not replace the update.
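As an added example, not code from Wordfence, CrowdSec or the Gravity SMTP project, the log review in step 3 can be scripted. The Python below parses Apache/nginx combined-format access log lines, keeps only requests to the endpoint named above, records whether each carried page=gravitysmtp-settings, and separates requests that actually returned a 200 with a body (a likely disclosure) from ones that a WAF or the patched permission callback rejected. It also reports the earliest hit, which bounds the exposure window that the investigation has to cover. The log lines, IP addresses (RFC 5737 documentation ranges) and timestamps are constructed sample data.

```python
"""Triage access logs for CVE-2026-4020 probing of the Gravity SMTP REST endpoint.

Added example for this article; not code from Wordfence, CrowdSec or the
Gravity SMTP project. The sample log lines are constructed, not real telemetry.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"   # path from the advisory
SETTINGS_PARAM = ("page", "gravitysmtp-settings")      # query that yields the report

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample data: one disclosure in May, later probes blocked by a WAF
# or rejected once the permission callback was fixed, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Jun/2026:11:02:55 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.10 - - [07/Jun/2026:18:45:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 412 "-" "curl/8.0"
192.0.2.5 - - [07/Jun/2026:18:46:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2026:09:00:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 0 "-" "python-requests/2.31"
"""


@dataclass
class Finding:
    ip: str
    ts: datetime
    status: int
    size: int
    settings_report: bool   # True when the query asked for the settings/system report


@dataclass
class Triage:
    hits: list = field(default_factory=list)

    @property
    def successful(self):
        # A 200 with a body is where content came back; 401/403 means the
        # request was rejected by a WAF or by the patched permission callback.
        return [h for h in self.hits if h.status == 200 and h.size > 0]

    @property
    def report_disclosures(self):
        # Successful requests that specifically asked for the settings report.
        return [h for h in self.successful if h.settings_report]

    @property
    def first_seen(self):
        return min((h.ts for h in self.hits), default=None)

    def ips(self):
        return Counter(h.ip for h in self.hits)


def parse_line(line: str):
    """Return a Finding for a request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") != ENDPOINT:
        return None
    key, val = SETTINGS_PARAM
    settings = val in parse_qs(parts.query).get(key, [])
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return Finding(m.group("ip"), ts, int(m.group("status")), size, settings)


def triage(lines):
    t = Triage()
    for line in lines:
        f = parse_line(line)
        if f is not None:
            t.hits.append(f)
    return t


def summarize(t: Triage) -> dict:
    return {
        "probes": len(t.hits),
        "successful": len(t.successful),
        "settings_report_disclosures": len(t.report_disclosures),
        "first_seen": t.first_seen.isoformat() if t.first_seen else None,
        "source_ips": dict(t.ips()),
    }


if __name__ == "__main__":
    for k, v in summarize(triage(SAMPLE_LOG.splitlines())).items():
        print(f"{k}: {v}")
```

Run it against real logs by replacing SAMPLE_LOG with the file contents (covering May onward, per the exposure window above). Any non-zero settings_report_disclosures count before the patch date is the trigger for steps 2 and 4: rotate the provider credentials and look for follow-on activity from the listed source IPs.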
Strategic takeaway
CVE-2026-4020 is a reminder that "medium severity" can still create high operational risk when secrets are involved. A bug that leaks tokens, configuration, and plugin inventories can be more useful to attackers than its CVSS score suggests.
For teams running WordPress at scale, the practical lesson is simple: treat email and integration plugins as credential-bearing systems. Patch them quickly, monitor their REST API exposure, and rotate third-party tokens whenever a vulnerable endpoint may have leaked configuration data.
What is CVE-2026-4020?
CVE-2026-4020 is an unauthenticated sensitive information exposure vulnerability in the Gravity SMTP WordPress plugin. It affects versions up to and including 2.1.4.
Is this remote code execution?
No. Public reporting describes it as information disclosure. The risk is that attackers can retrieve system details and secrets that support follow-on compromise.
What version fixes the issue?
Gravity SMTP version 2.1.5 fixes the vulnerability.
Should teams rotate credentials after updating?
Yes. If a vulnerable site had email-provider API keys, secrets, or OAuth tokens configured in Gravity SMTP, those credentials should be rotated after the plugin is updated.