WordPress Security Breach: Gravity SMTP Plugin Flaw Exploited by Attackers
Threat actors are leveraging a medium-severity vulnerability in the Gravity SMTP WordPress plugin to extract comprehensive system information, according to a report.
Vulnerability Overview
The Gravity SMTP plugin, designed to enhance email delivery through integration with SMTP providers and API services, is affected by a sensitive data exposure flaw tracked as CVE-2026-4020 with a CVSS score of 5.3. This issue has been actively exploited since early May 2026.
Flaw Description
The vulnerability resides in a REST API endpoint whose access check always returns true, so any visitor, authenticated or not, can call it. When a specific parameter is included in the query, the endpoint returns internal connector data as JSON. This data is the plugin's full system report: PHP and WordPress versions, loaded extensions, web server configuration, document root paths, database details, active plugins and themes, WordPress configuration settings, and any configured API keys or tokens.
Security Implications
The flaw arises from the endpoint’s lack of authentication requirements, enabling unauthorized actors to collect credentials for impersonation and gather detailed insights into the site’s software infrastructure. This information can then be used to identify and exploit additional vulnerabilities.
Exploitation Details
Security researchers have documented in-the-wild exploitation of the vulnerability since early May. Attackers send unauthenticated GET requests to the affected endpoint to retrieve the System Report JSON object. A significant increase in attacks targeting CVE-2026-4020 was observed in June, with over 17 million attempted exploits blocked by the security firm.
Recommendations
Administrators are urged to update their Gravity SMTP installations to version 2.1.5 immediately and review server access logs for requests directed at the vulnerable endpoint, as the exploitation does not leave obvious traces. The security firm emphasized that users running vulnerable versions of the plugin, particularly those with third-party integrations such as Amazon SES, Google, Mailjet, Resend, or Zoho, should assume API keys, secrets, and OAuth tokens may have been compromised. Rotating these credentials is strongly advised following the plugin update.
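The log-review step above is easier to act on with a small script. The following is an added example written for this article; it is not code from the page, the plugin, or the security firm. This page does not name the vulnerable route or the triggering query parameter, so both appear here as placeholders to be replaced with the values from the vendor advisory, and the access-log lines are constructed (Apache/nginx combined format). It flags GET requests to the route that carry the parameter, groups them by client address, and separates requests that were actually served (2xx, meaning the system report and any stored credentials went out) from ones a WAF or the patched plugin rejected.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# PLACEHOLDERS: this page does not give the real route or parameter name.
# Take both from the vendor advisory before running against real logs.
PLACEHOLDER_ROUTE_PREFIX = "/wp-json/example-plugin/v1/placeholder-endpoint"
PLACEHOLDER_QUERY_PARAM = "placeholder_param"

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)  # {} when there is no query string
    return rec


def is_suspicious(rec):
    """A GET to the vulnerable route carrying the disclosure parameter.

    Status is deliberately ignored here: a 200 means the report was served,
    while a 403/404 usually means a WAF rule or the updated plugin refused it.
    Both are worth knowing about, so we flag first and classify later.
    """
    return (
        rec["method"] == "GET"
        and rec["path"].startswith(PLACEHOLDER_ROUTE_PREFIX)
        and PLACEHOLDER_QUERY_PARAM in rec["query"]
    )


def review_access_log(lines):
    """Return {client_ip: [(timestamp, status, user_agent), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits[rec["ip"]].append((rec["ts"], int(rec["status"]), rec["ua"]))
    return dict(hits)


def served_disclosure(hits):
    """Client addresses that received a 2xx: treat stored API keys and tokens as exposed."""
    return sorted(
        ip for ip, reqs in hits.items() if any(200 <= status < 300 for _, status, _ in reqs)
    )


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/May/2026:08:15:02 +0000] "GET /wp-json/example-plugin/v1/placeholder-endpoint?placeholder_param=1 HTTP/1.1" 200 8421 "-" "python-requests/2.31"',
    '203.0.113.10 - - [12/May/2026:08:15:03 +0000] "GET /wp-json/example-plugin/v1/placeholder-endpoint HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '198.51.100.7 - - [13/May/2026:22:41:10 +0000] "GET /wp-json/example-plugin/v1/placeholder-endpoint?placeholder_param=1 HTTP/1.1" 403 153 "-" "curl/8.4.0"',
    '192.0.2.55 - - [13/May/2026:22:42:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [14/May/2026:01:00:00 +0000] "GET /wp-json/example-plugin/v1/placeholder-endpoint?placeholder_param=1&foo=bar HTTP/1.1" 200 8421 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    findings = review_access_log(SAMPLE_LOG)
    for ip, reqs in findings.items():
        print(ip)
        for ts, status, ua in reqs:
            print(f"  {ts}  {status}  {ua}")
    exposed = served_disclosure(findings)
    if exposed:
        print("Report was served to:", ", ".join(exposed), "- rotate SMTP/API credentials.")
```

The second sample line hits the route without the parameter and is not flagged, which matches the article's description that the disclosure is only triggered when the parameter is present; if the advisory says otherwise for the real route, relax `is_suspicious` accordingly. Any address in `served_disclosure` should be read as "the report left the server", and the credential rotation the article recommends applies regardless of whether the requests look like a scanner or a targeted probe.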
Patch Management Importance
The vulnerability highlights the risks associated with exposed API endpoints and underscores the importance of timely patch management. Affected organizations are encouraged to conduct thorough audits of their systems and implement additional security measures to mitigate potential risks.
Conclusion
The incident serves as a reminder of the evolving threat landscape and the need for continuous monitoring and proactive defense strategies.
