Attackers are actively exploiting a recently patched vulnerability in the Gravity SMTP WordPress plugin, which is installed on roughly 100,000 sites.
The flaw, tracked as CVE-2026-4020 (CVSS score 5.3), is a medium-severity information disclosure issue.
It lets unauthenticated attackers read sensitive data, including configuration details, API keys, secrets, and OAuth tokens belonging to the plugin's email integrations.
According to Wordfence, “The issue arises from a REST API endpoint located at /wp-json/gravitysmtp/v1/tests/mock-data, which has a permission callback that indiscriminately returns true, thus allowing any unauthenticated user to access it.”
Furthermore, “appending the ?page=gravitysmtp-settings query parameter activates the plugin’s register_connector_data() method, causing the endpoint to yield roughly 365 KB of JSON, revealing a comprehensive System Report.”
An attacker can use this endpoint to retrieve, among other things:
- PHP version
- Loaded extensions
- Web server version
- Document root path
- Database server type and version
- WordPress version
- All active plugins with versions
- Active theme
- WordPress configuration details
- Database table names
- API keys and tokens linked to services like Amazon SES, Google, Mailjet, Resend, and Zoho
With the harvested credentials, an attacker can send email through the site's configured providers on the site's behalf. The detailed picture of the software stack also lowers the effort needed to mount follow-on attacks.
Wordfence cautions, "As with any vulnerabilities that expose sensitive information, the ramifications hinge on which data is disclosed.
In this instance, the unveiling of active third-party API credentials empowers an attacker to misuse the site's email services, while the exhaustive system report significantly diminishes the effort required to orchestrate subsequent attacks."

The flaw is fixed in version 2.1.5 of the plugin. In-the-wild exploitation is simple: attackers send unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the "?page=gravitysmtp-settings" parameter and receive the site's system report without any login.
Wordfence says it has blocked more than 17 million exploit attempts targeting CVE-2026-4020 so far. Significant activity began in early May 2026, rose sharply around June 6, 2026, and peaked at over 4,000,000 requests the following day. Attempts have been observed from the following IP addresses:
- 45.148.10.95
- 193.32.162.60
- 176.65.148.139
- 173.199.90.188
- 45.148.10.120
- 185.8.107.155
- 185.8.106.37
- 185.8.106.92
- 185.8.106.145
- 176.65.148.30
Administrators running a vulnerable version of Gravity SMTP, especially with third-party email integrations configured, should assume the stored credentials may already have been read: update to the latest plugin version first, then rotate every API key, secret, and OAuth token configured in the plugin.
It is also worth reviewing web server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, particularly those carrying the ?page=gravitysmtp-settings parameter or originating from the IP addresses listed above.
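The log review described above can be automated. The following script is an added example written for this article; it is not Wordfence's code or part of the Gravity SMTP plugin. It assumes Apache/nginx "combined" access-log format, uses the endpoint path, trigger parameter, and source IPs reported above, and also matches the `?rest_route=` request form that WordPress accepts on sites without pretty permalinks (standard WordPress routing, not something the article mentions). The log lines at the bottom are constructed for illustration, and the "likely success" size threshold is a heuristic based on the roughly 365 KB response Wordfence describes.

```python
"""Flag access-log requests matching the CVE-2026-4020 exploit pattern (example code)."""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# REST route Wordfence names as the vulnerable endpoint (relative to the /wp-json root).
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
# Query parameter that makes the endpoint dump the full System Report.
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"

# Source IPs reported for the campaign (taken from the article above).
KNOWN_IPS = frozenset({
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
})

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def hits_vulnerable_route(target):
    """Return (matched, parsed_query). Matches the pretty /wp-json/ path and the
    ?rest_route= form WordPress uses when pretty permalinks are disabled."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    path = unquote(parts.path).rstrip("/")
    if path == "/wp-json" + VULN_ROUTE:
        return True, query
    for route in query.get("rest_route", []):
        if unquote(route).rstrip("/") == VULN_ROUTE:
            return True, query
    return False, query


def classify(line):
    """Return a finding dict for a line that touches the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit, query = hits_vulnerable_route(m["target"])
    if not hit:
        return None
    dumps_report = TRIGGER_VALUE in query.get(TRIGGER_PARAM, [])
    status = int(m["status"])
    size = int(m["size"]) if m["size"].isdigit() else 0
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        # "exploit": trigger parameter present (full System Report requested);
        # "probe": endpoint touched without it.
        "kind": "exploit" if dumps_report else "probe",
        "status": status,
        # Heuristic: a 2xx with a body in the hundreds of KB is consistent with the
        # ~365 KB System Report, i.e. the dump most likely succeeded (pre-patch).
        "likely_success": dumps_report and 200 <= status < 300 and size > 100_000,
        "known_campaign_ip": m["ip"] in KNOWN_IPS,
    }


def scan(log_text):
    """Classify every line of an access log; findings are returned in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


def summarize(findings):
    """Count exploit attempts (not mere probes) per source IP."""
    return Counter(f["ip"] for f in findings if f["kind"] == "exploit")


# Constructed sample log: one successful dump from a listed IP, one blocked attempt
# via rest_route= from an unlisted IP, one probe, and two unrelated requests.
SAMPLE_LOG = """\
45.148.10.95 - - [07/Jun/2026:03:12:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.32.3"
203.0.113.7 - - [07/Jun/2026:03:15:02 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "curl/8.5.0"
198.51.100.23 - - [07/Jun/2026:03:16:10 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Jun/2026:03:16:11 +0000] "GET /wp-json/wp/v2/posts?page=gravitysmtp-settings HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Jun/2026:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['timestamp']} {f['ip']:<16} {f['kind']:<8} status={f['status']} "
              f"likely_success={f['likely_success']} known_ip={f['known_campaign_ip']}")
    print("exploit attempts per IP:", dict(summarize(results)))
```

Run it against a real log with `scan(open("/var/log/nginx/access.log").read())`. A `likely_success` hit on an unpatched site is the signal to treat the configured email credentials as exposed and rotate them, regardless of whether the source IP appears in the published list.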
Source link: Thehackernews.com.