June 21, 2026

Ravie Lakshmanan, Jun 20, 2026, Vulnerability / Internet Safety

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that is installed on about 100,000 sites.

The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that could allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin's email integrations.

"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/checks/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," Wordfence said.

"When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report."

As a result, an unauthenticated attacker can weaponize this issue to retrieve a wide range of information, including –

  • PHP version
  • Loaded extensions
  • Web server version
  • Document root path
  • Database server type and version
  • WordPress version
  • All active plugins with versions
  • Active theme
  • WordPress configuration details
  • Database table names
  • API keys/tokens configured in the plugin, such as Amazon SES, Google, Mailjet, Resend, and Zoho

Attackers could then leverage this exposure to harvest credentials that could be abused to send email on behalf of the site, as well as glean extensive details of the site's software stack, which could serve as a foundation for follow-on attacks.

"As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed," Wordfence added. "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site."

A patch for the vulnerability has been released in version 2.1.5 of the plugin. Bad actors have already pounced on the defect by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the "?page=gravitysmtp-settings" query parameter, causing the server to return valuable information about the site without requiring any authentication.

Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date, with initial activity commencing at the start of May 2026 before spiking dramatically around June 6, 2026, reaching a high of over 4,000,000 requests a day later. The exploit attempts have originated from a small set of IP addresses.


Site owners running a vulnerable version of the Gravity SMTP plugin who have configured third-party email integrations should assume compromise and rotate those credentials after updating the plugin to the latest version as soon as possible. It is also advisable to review server log files for requests from the IP addresses associated with the campaign and for any other suspicious requests to the API endpoint.
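As an added example (not from the article or from Wordfence), a small Python scanner for the log review recommended above: it flags requests to the vulnerable route, in both the /wp-json/ form and WordPress's ?rest_route= form, and separates full System Report pulls (the page=gravitysmtp-settings trigger) from bare probes of the endpoint. The access-log lines are constructed for the example; the route and query parameter are the ones named in the advisory.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# REST route named in the advisory. WordPress serves it under /wp-json/ with
# pretty permalinks enabled, or via /index.php?rest_route=... without them.
ROUTE = "/gravitysmtp/v1/checks/mock-data"
TRIGGER = ("page", "gravitysmtp-settings")  # query pair that returns the full System Report

# Constructed sample lines in common/combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373900 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2026:10:01:13 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373900 "-" "python-requests/2.31"
198.51.100.4 - - [06/Jun/2026:10:02:40 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Jun/2026:10:03:01 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:10:04:55 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/checks/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 373900 "-" "curl/8.0"
"""

# Captures client IP, timestamp, method, request target, status code and response size.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^" ]+)[^"]*" (\d{3}) (\S+)')


def classify_request(target):
    """Return 'system_report', 'probe', or None for one request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    on_route = (parts.path.rstrip("/").endswith("/wp-json" + ROUTE)
                or query.get("rest_route") == [ROUTE])
    if not on_route:
        return None
    return "system_report" if query.get(TRIGGER[0]) == [TRIGGER[1]] else "probe"


def scan_log(text):
    """Yield one record per request that touched the vulnerable route."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, ts, method, target, status, size = m.groups()
        kind = classify_request(target)
        if kind:
            hits.append({"ip": ip, "time": ts, "method": method, "kind": kind,
                         "status": int(status), "bytes": size})
    return hits


def report_pulls_per_ip(hits):
    """Count full System Report retrievals by source IP; a 200 with ~365 KB means data left the site."""
    return Counter(h["ip"] for h in hits if h["kind"] == "system_report" and h["status"] == 200)
```

A site installed in a subdirectory still matches because only the tail of the path is compared; a large response size on a 200 is the strongest sign that the full report was returned rather than an error page.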
