Gravity SMTP Plugin CVE-2026-4020 Actively Exploited, Exposing API Keys
CVE-2026-4020, an unauthenticated sensitive information exposure vulnerability in the Gravity SMTP WordPress plugin, is under active exploitation. Attackers are using it to harvest live API keys and other secrets from what Wordfence estimates are 100,000 WordPress sites. Because the keys belong to connected email services, the flaw enables credential compromise and downstream abuse of those services, from phishing campaigns to, where a key is more broadly scoped than it needs to be, access to other cloud infrastructure. CISA added CVE-2026-4020 to its Known Exploited Vulnerabilities (KEV) catalog on June 18, 2026, confirming real-world exploitation and the need for immediate remediation. The root cause is a REST API endpoint whose permission callback unconditionally returned true, so a single unauthenticated GET request is enough to pull the data.
What Happened
The Gravity SMTP WordPress plugin, affecting all versions up to and including 2.1.4, contains a critical sensitive information exposure vulnerability, CVE-2026-4020. The vendor released patch version 2.1.5 on March 17, 2026, but the problem became widely known after Wordfence publicly disclosed the flaw on March 30, 2026. Active exploitation began in early May 2026, approximately 51 days after the patch was available.
The root cause is a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data that featured a permission_callback function which unconditionally returned true. This effectively removed any authentication or authorization checks. Attackers discovered that appending ?page=gravitysmtp-settings to this vulnerable endpoint would trigger the register_connector_data() method. This action caused the endpoint to return a comprehensive 365 KB JSON System Report, packed with sensitive data.
On May 5, 2026, Wordfence deployed firewall rules for its premium users to block the emerging attacks. Between May 27 and June 1, 2026, CrowdSec observed 412 distinct attacking IPs targeting this vulnerability, indicating a broad scanning and exploitation effort. The Wordfence rules reached free users on June 4, 2026, by which point exploitation activity was escalating sharply: on June 7, 2026, Wordfence reported blocking over 4 million requests in a single day. The vulnerability was added to CISA's KEV catalog on June 18, 2026, requiring federal agencies to remediate by June 21, 2026. In total, Wordfence states it has blocked over 17 million exploit attempts.
Why It Matters
This is a direct, unauthenticated pipeline to high-value data, not a theoretical risk. Attackers can extract configuration data, secrets, OAuth tokens, and critically, live API keys for services like Amazon SES, Google, Mailjet, Resend, and Zoho. A stolen key grants immediate control over the connected email service, enabling spam and phishing campaigns sent from a legitimate domain with a clean reputation. Where the key is a general-purpose cloud credential rather than one scoped to sending mail (an IAM access key granted more than SES permissions, for example), it can also open the door to the rest of that cloud account.
The exposed System Report provides a treasure trove of reconnaissance data. Attackers gain insights into the target's environment, including PHP version, web server specifics, database server type and version, WordPress version, and a list of active plugins and themes with their versions. This detailed information allows for highly targeted follow-on attacks, leveraging known vulnerabilities in other installed components or crafting precise social engineering campaigns.
The CVSS score varies between 5.3 (medium severity per Wordfence) and 7.5 (high severity per Mallory). For an unauthenticated, network-reachable disclosure those two numbers typically differ on a single metric, whether the confidentiality impact is rated Low or High, and live credentials for third-party services argue for High. Either way, the unauthenticated access path and the direct exposure of working credentials make this a critical threat regardless of the numerical rating. CISA's inclusion of CVE-2026-4020 in its KEV catalog confirms active exploitation and real-world impact. The potential for immediate abuse of compromised email services poses a significant operational and reputational risk to affected organizations.
Affected Scope & Remediation
The Gravity SMTP WordPress plugin, in all versions up to and including 2.1.4, is vulnerable to CVE-2026-4020. Wordfence estimates this affects 100,000 WordPress sites globally. Any site running an unpatched version is actively exposed to unauthenticated data exfiltration.
Remediation is straightforward but critical: site owners running vulnerable versions must update to Gravity SMTP 2.1.5 or later immediately. The patch was released on March 17, 2026, providing ample time for proactive updates before mass exploitation began. Given the confirmed active exploitation, simply patching isn't enough. Organizations must assume compromise for any site that was running a vulnerable version during the exploitation window (early May 2026 onwards).
This means a mandatory rotation of every third-party API key and credential that was ever configured in the Gravity SMTP plugin. Rotation has to happen at the provider (the AWS IAM console for SES keys, and the Google, Mailjet, Resend or Zoho dashboards for theirs): revoke the old key, issue a new one, and only then update the copy stored in the plugin and in whatever secrets store or password manager (Bitwarden, 1Password) your team uses. Re-saving a key in a password manager does not invalidate it; only the provider can. The CISA KEV listing for CVE-2026-4020 mandates remediation by June 21, 2026, under Binding Operational Directive (BOD) 26-04, for all federal civilian executive branch agencies. This deadline should serve as a strong indicator for all organizations to prioritize this update. There is no viable workaround: a WAF rule that blocks the endpoint buys time, but the patch is the only effective fix.
Here are the details for affected and patched versions:
| Product | Version Range | Fixed Version |
|---|---|---|
| Gravity SMTP WordPress plugin | <= 2.1.4 | 2.1.5 |

Patch Links:
- NVD Entry: CVE-2026-4020
- Wordfence Advisory: Critical Unauthenticated Sensitive Information Exposure Vulnerability in Gravity SMTP
- CISA KEV Entry: Known Exploited Vulnerabilities Catalog
The timeline from the patch release on March 17, 2026, to public disclosure on March 30, 2026, was 13 days. The gap from patch availability to the beginning of active exploitation in early May 2026 was approximately 51 days. This long window gave attackers a significant advantage against unpatched systems. The CISA KEV remediation deadline for CVE-2026-4020 is June 21, 2026.

Technical Breakdown
The core vulnerability in CVE-2026-4020 stems from a critical flaw in the permission_callback function for a specific REST API endpoint within the Gravity SMTP plugin. For the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, this callback was hardcoded to return true unconditionally. This means that regardless of whether a user was authenticated or had any specific permissions, the API endpoint would always allow access.
Think of it like building a secure vault for sensitive documents. You've got a vault door with a complex lock, but you've wired the "unlock" button directly to the "open" signal, bypassing the actual locking mechanism. Anyone can walk up, press the button, and the door swings open. In this case, the permission_callback is that "unlock" button, and it's always set to "open" without checking any credentials or authorization.
Attackers discovered that by hitting this /wp-json/gravitysmtp/v1/tests/mock-data endpoint and appending the query parameter ?page=gravitysmtp-settings, they could trigger an internal method, register_connector_data(). This method, designed for debugging or system reporting, would then compile and dump a comprehensive 365 KB JSON System Report. This report contained not only system diagnostics (PHP version, web server details, WordPress installation info) but also the highly sensitive API keys and secrets configured within the plugin for various email services. Two failures stack here: the endpoint had no authorization check, and the report it produced carried credentials in clear text rather than masked, so a single missing check was enough to expose them.
This vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-306 (Missing Authentication for Critical Function), and CWE-862 (Missing Authorization). The MITRE ATT&CK technique in play is T1190 Exploit Public-Facing Application, as attackers directly exploit a flaw in a web-facing component to gain access to sensitive data. From a NIST SP 800-53 perspective, the absence of proper checks violates AC-3 Access Enforcement, which requires systems to enforce approved authorizations for access to information system resources.
The simplicity of exploitation, coupled with the high value of the exposed data, makes this an extremely dangerous vulnerability. No sophisticated tools or deep technical knowledge beyond understanding HTTP requests are needed to exploit this.
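The pattern described above, as an added illustration written for this write-up rather than the Gravity SMTP plugin's actual source: only the namespace and route ('gravitysmtp/v1', '/tests/mock-data') are taken from the advisory's URL, while the handler, the report fields, the example_ helper names and the get_option() key are assumptions. The vulnerable registration uses WordPress's built-in __return_true as the permission callback, which is exactly the "always open" shape the text describes; the fixed registration requires the manage_options capability, and the handler masks credentials as a second layer so a future authorization regression cannot leak live keys again.

```php
<?php
// Added example for this article; not the plugin's code. Route and namespace
// come from the advisory URL, everything else (example_* names, option key,
// report fields) is assumed for illustration.

/** Before: any unauthenticated GET reaches the handler. Shown for contrast, never hooked. */
function example_register_vulnerable(): void
{
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => '__return_true',   // the bug: no auth, no capability check
    ]);
}

/** After: only users who can manage the site may pull diagnostics. */
function example_register_fixed(): void
{
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => 'example_require_admin',
    ]);
}

/** Permission callback: 401 for anonymous callers, 403 for logged-in non-admins. */
function example_require_admin(WP_REST_Request $request)
{
    // With cookie authentication the REST layer only sets the current user when
    // the request carries a valid X-WP-Nonce, so a nonce-less or anonymous call
    // has no user and fails this check. Application passwords behave the same way.
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            __('Sorry, you are not allowed to view the system report.'),
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}

/** Handler with a second layer: credentials are masked even for authorized callers. */
function example_mock_data_handler(WP_REST_Request $request)
{
    $report = [
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo('version'),
        'connectors'  => [
            // 'example_ses_key' is an assumed option name; a real plugin reads its own settings.
            'ses' => ['access_key_id' => example_mask((string) get_option('example_ses_key', ''))],
        ],
    ];
    return rest_ensure_response($report);
}

/** Keep only the last four characters so an operator can still tell which key is configured. */
function example_mask(string $secret): string
{
    $len = strlen($secret);
    if ($len <= 4) {
        return str_repeat('*', $len);   // too short to show anything safely
    }
    return str_repeat('*', $len - 4) . substr($secret, -4);
}

add_action('rest_api_init', 'example_register_fixed');
```

The important design point is that the permission callback is the only gate WordPress enforces before a REST handler runs; a callback that returns true without consulting current_user_can() is functionally the same as no gate. Masking inside the handler is cheap defense in depth: a diagnostics report rarely needs a full key, and if the gate ever fails again the report is far less valuable.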
Historical Context
The active exploitation of CVE-2026-4020 reflects a recurring pattern in the WordPress ecosystem: widely deployed plugins with fundamental authentication or authorization bypasses leading to massive data exposure or even remote code execution (RCE). In September 2020, we saw a similar, though more severe, incident with the WP File Manager RCE (CVE-2020-25213).
In that case, attackers exploited an unauthenticated RCE vulnerability in the WP File Manager plugin, which had over 1 million active installs, to upload malicious files directly to affected WordPress sites. Attackers quickly exploited this, gaining shell access and further compromising web servers. While CVE-2026-4020 is "only" sensitive information exposure, the similarities are striking: both involved widely used WordPress plugins, both were unauthenticated, and both led to rapid, widespread exploitation shortly after public disclosure.
The key difference lies in the impact: WP File Manager RCE provided full system control, whereas Gravity SMTP CVE-2026-4020 focuses on credential harvesting. However, the end goal is often the same – gaining a foothold for further attacks. Exfiltrated API keys from Gravity SMTP can lead to email account takeover, which is a powerful vector for phishing or supply chain attacks. Both incidents highlight the critical importance of secure coding practices, particularly for authentication and authorization logic, in popular open-source platforms. They also underscore the speed at which threat actors weaponize publicly disclosed flaws in high-value targets.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVSS Score (Wordfence) | 5.3 | Wordfence |
| CVSS Score (Mallory) | 7.5 | BleepingComputer |
| Affected WordPress Sites | 100,000 | Wordfence |
| Days from Patch to Exploit | ~51 days | Wordfence |
| Exploit Attempts Blocked | 17 million | Wordfence |
| CISA KEV Due Date | June 21, 2026 | CISA |
| System Report Size | 365 KB | Wordfence |
The CVEDaily Take
The nearly two-month gap between the Gravity SMTP patch release and the onset of mass exploitation, coupled with the immense volume of blocked attempts, reveals a critical weakness in the WordPress ecosystem's patching velocity. This wasn't a complex zero-day, but a fundamental authorization bypass that dumps credentials. The fact that CISA had to step in emphasizes the severity. We believe plugin developers often understate the true impact of "information exposure" when it involves live credentials, and the security community's reliance on CVSS scores can sometimes misrepresent the actual threat. Attackers don't care about a "medium" CVSS score if it hands them live API keys; they hit these endpoints with automated tools and scrape everything they can. It's not enough to simply patch Gravity SMTP CVE-2026-4020; teams must assume compromise for any affected site and rotate all configured credentials. Tools like CrowdStrike Falcon or SentinelOne can help detect post-exploitation activity or credential abuse, but the initial exfiltration is a single GET over HTTPS that looks like any other REST call. It will not show up in network monitoring; it only shows up if someone searches the web server or WAF logs for this specific path and checks whether the response was the full report or a block.
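The log check just described, as an added example written for this article (not Wordfence, CrowdSec or plugin code): it scans combined-format Apache/Nginx access log lines for requests to the vulnerable route, in both the /wp-json form and the ?rest_route= form WordPress accepts when pretty permalinks are off, and separates probes that were blocked or denied from hits that returned a large 200 response. The endpoint path and the ?page= value come from the advisory; the 200,000-byte threshold is an assumption chosen to sit well under the reported 365 KB report and well above any error page. The sample lines are constructed, with RFC 5737 documentation addresses.

```php
<?php
declare(strict_types=1);

// Added example for this write-up; not Wordfence, CrowdSec or plugin code.
// Hunts an access log for CVE-2026-4020 probes and flags the ones that got
// the full system report back (a large 200), which means the connector keys
// on that site must be treated as stolen regardless of anything else.

const ENDPOINT_PATH        = '/wp-json/gravitysmtp/v1/tests/mock-data';
const ENDPOINT_ROUTE       = '/gravitysmtp/v1/tests/mock-data';  // ?rest_route= form
const REPORT_PARAM         = 'gravitysmtp-settings';              // ?page= value from the advisory
const LARGE_RESPONSE_BYTES = 200_000;  // assumed: below the ~365 KB report, far above an error page

// One combined-log line: ip ident user [time] "METHOD target proto" status bytes ...
const LOG_LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/';

/** Does this request target the vulnerable route, via /wp-json or ?rest_route=? */
function is_mock_data_request(string $target): bool
{
    $decoded = rawurldecode($target);                 // catch %2F-encoded variants
    $path    = rtrim((string) parse_url($decoded, PHP_URL_PATH), '/');
    parse_str((string) parse_url($decoded, PHP_URL_QUERY), $params);
    $route   = rtrim((string) ($params['rest_route'] ?? ''), '/');
    return str_ends_with($path, ENDPOINT_PATH) || $route === ENDPOINT_ROUTE;
}

/** True when the ?page= value that triggers the full report is present. */
function requests_full_report(string $target): bool
{
    parse_str((string) parse_url(rawurldecode($target), PHP_URL_QUERY), $params);
    return ($params['page'] ?? '') === REPORT_PARAM;
}

/** Verdict from the response the server actually sent, not from the request alone. */
function classify(int $status, int $bytes): string
{
    if ($status === 200 && $bytes >= LARGE_RESPONSE_BYTES) {
        return 'EXFILTRATED';       // full report served: rotate every connector key
    }
    if ($status === 200) {
        return 'served-small';      // endpoint answered, but not the full report
    }
    return 'blocked-or-denied';     // WAF block, or 401/403 from the patched plugin
}

/** Returns one row per matching request: ip, ts, target, status, bytes, full_report_param, verdict. */
function hunt(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m) || !is_mock_data_request($m['target'])) {
            continue;   // not a combined-format line, or not our endpoint
        }
        $bytes  = $m['bytes'] === '-' ? 0 : (int) $m['bytes'];
        $hits[] = [
            'ip'                => $m['ip'],
            'ts'                => $m['ts'],
            'target'            => $m['target'],
            'status'            => (int) $m['status'],
            'bytes'             => $bytes,
            'full_report_param' => requests_full_report($m['target']),
            'verdict'           => classify((int) $m['status'], $bytes),
        ];
    }
    return $hits;
}

// Constructed sample lines (RFC 5737 addresses, invented timestamps and sizes).
$sample_log = <<<'LOG'
203.0.113.10 - - [06/Jun/2026:02:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
203.0.113.10 - - [06/Jun/2026:02:14:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 112 "-" "python-requests/2.31"
198.51.100.7 - - [06/Jun/2026:03:01:55 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"
192.0.2.44 - - [06/Jun/2026:03:20:13 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 2310 "-" "curl/8.5.0"
192.0.2.44 - - [06/Jun/2026:03:20:15 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 845 "-" "curl/8.5.0"
LOG;

foreach (hunt($sample_log) as $h) {
    printf("%-18s %-14s %3d %7d %s\n", $h['verdict'], $h['ip'], $h['status'], $h['bytes'], $h['target']);
}
```

Run it against a real log with php hunt.php after swapping $sample_log for file_get_contents() of the access log. Two caveats: if the site sits behind a CDN or reverse proxy, the client IP may be in an X-Forwarded-For field the default log format does not record, and the byte count may reflect a cached or compressed body; and if log retention does not reach back to early May 2026, an empty result proves nothing. In that case the page's advice stands: assume compromise and rotate anyway.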
Have you implemented automated credential rotation for third-party services integrated with your WordPress sites?
FAQ
Q: What is CVE-2026-4020?
A: CVE-2026-4020 is an unauthenticated sensitive information exposure vulnerability in the Gravity SMTP WordPress plugin (versions up to and including 2.1.4). It allows an attacker to extract a system report containing sensitive data, including live API keys for various email services, without needing any authentication.
Q: How do I patch Gravity SMTP CVE-2026-4020?
A: To patch Gravity SMTP CVE-2026-4020, update your Gravity SMTP WordPress plugin to version 2.1.5 or later. After updating, assume compromise and immediately rotate all third-party API keys and credentials configured within the plugin at the providers that issued them, as the old keys may already have been exfiltrated.
Q: What data can attackers steal using this vulnerability?
A: Attackers can steal a wide range of sensitive data, including configuration details, secrets, OAuth tokens, and critically, live API keys for services like Amazon SES, Google, Mailjet, Resend, and Zoho. Additionally, they can gather detailed system information such as PHP version, web server and database versions, WordPress version, and a list of active plugins and themes, which aids in further targeted attacks.