CVE-2026-4020: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in RocketGenius Gravity SMTP
CVE-2026-4020 is a high-severity vulnerability in the Gravity SMTP WordPress plugin (up to version 2.1.4) that allows unauthenticated attackers to access a REST API endpoint exposing sensitive system information. The endpoint /wp-json/gravitysmtp/v1/tests/mock-data, due to an improperly configured permission callback, returns approximately 365 KB of JSON data containing detailed system configuration, including PHP version, web server details, WordPress version, active plugins and themes, database information, and API keys/tokens. This exposure can aid attackers in reconnaissance and facilitate further attacks. No authentication or user interaction is required to exploit this vulnerability. Although no known exploits are currently reported in the wild, the vulnerability’s ease of exploitation and the sensitivity of the exposed data make it a significant risk. Organizations using Gravity SMTP should prioritize patching or applying mitigations to prevent unauthorized data disclosure.
AI Analysis
Technical Summary
CVE-2026-4020 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Gravity SMTP plugin for WordPress in all versions up to and including 2.1.4. The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data that has a permission_callback function which unconditionally returns true, effectively allowing any unauthenticated user to access it. When the query parameter ?page=gravitysmtp-settings is appended, the plugin’s register_connector_data() method is triggered, which populates internal connector data structures. This causes the endpoint to return a large JSON payload (~365 KB) containing a comprehensive system report. The data exposed includes critical configuration details such as PHP version, loaded PHP extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with their versions, the active theme, WordPress configuration details, database table names, and any API keys or tokens configured within the plugin. This information leakage can provide attackers with valuable intelligence to craft targeted attacks, exploit other vulnerabilities, or escalate privileges. The vulnerability requires no authentication or user interaction, making it trivially exploitable remotely over the network. The CVSS v3.1 base score is 7.5 (High), reflecting the ease of exploitation and the high confidentiality impact, while integrity and availability remain unaffected. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date.
Potential Impact
The exposure of detailed system and configuration information can significantly aid attackers in reconnaissance activities, enabling them to identify software versions, plugins, and API keys that may have other vulnerabilities or misconfigurations. This can lead to targeted attacks such as privilege escalation, code injection, or data breaches. Organizations using the Gravity SMTP plugin are at risk of having their internal environment details leaked to unauthorized parties, which compromises confidentiality and increases the attack surface. The exposure of API keys and tokens is particularly critical as it may allow attackers to impersonate legitimate services or gain unauthorized access to other integrated systems. Although the vulnerability does not directly affect system integrity or availability, the information disclosure can be a stepping stone for more severe attacks. The risk is amplified for organizations with sensitive data or critical infrastructure running WordPress sites with this plugin installed. Attackers do not need any credentials or user interaction, making the threat accessible to any remote adversary scanning for vulnerable endpoints.
Mitigation Recommendations
Immediate mitigation should include disabling or restricting access to the vulnerable REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data until a patch is available. This can be done by implementing custom permission callbacks that enforce authentication and authorization checks or by using web application firewalls (WAFs) to block unauthenticated requests to this endpoint. Administrators should audit their WordPress installations for the Gravity SMTP plugin and upgrade to a patched version once released by RocketGenius. In the absence of an official patch, applying temporary code-level fixes such as modifying the plugin to require proper permissions on the REST endpoint is recommended. Additionally, organizations should rotate any API keys or tokens that may have been exposed due to this vulnerability. Monitoring web server logs for suspicious access patterns to the REST API endpoint can help detect exploitation attempts. Regular security assessments and plugin updates should be enforced to prevent similar issues. Finally, limiting plugin usage to trusted administrators and minimizing plugin footprint reduces exposure.
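The following is an added example, not Gravity SMTP's code and not from Wordfence or the advisory: it shows the class of defect described above (a REST route whose permission_callback unconditionally returns true) beside a hardened registration that checks a capability, plus a must-use-plugin filter that a site owner can use as the temporary code-level fix recommended above. The namespace and route path come from the endpoint named in the advisory; the example_-prefixed function names, the manage_options capability choice and the rest_request_before_callbacks hook-based interim block are assumptions for illustration.

```php
<?php
/**
 * Illustrative WordPress REST permission-callback patterns for the class of
 * issue described in CVE-2026-4020. Added example, not the plugin's code:
 * the route name is taken from the advisory; handler names, the capability
 * chosen and the hook-based interim hardening are assumptions.
 */

// BEFORE (vulnerable pattern): permission_callback unconditionally returns
// true, so any unauthenticated visitor can call the route and receive
// whatever the handler builds. Normally registered from rest_api_init.
function example_register_mock_data_route_vulnerable() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => 'example_build_system_report', // hypothetical handler
        'permission_callback' => '__return_true',               // the defect
    ) );
}

// AFTER (hardened pattern): diagnostic data is administrator-only, so the
// permission callback checks a capability. Cookie-authenticated callers must
// also send a valid REST nonce (X-WP-Nonce); without it WordPress treats the
// request as logged out and current_user_can() returns false.
function example_register_mock_data_route_hardened() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => 'example_build_system_report', // hypothetical handler
        'permission_callback' => 'example_require_admin',
    ) );
}

function example_require_admin( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for authenticated but unprivileged ones.
    return new WP_Error(
        'rest_forbidden',
        'Administrator privileges are required for this diagnostic endpoint.',
        array( 'status' => rest_authorization_required_code() )
    );
}

// Hypothetical handler standing in for the plugin's report builder; the real
// report contents are described in the advisory and are not reproduced here.
function example_build_system_report( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'report' => 'redacted-in-example' ) );
}

// INTERIM HARDENING for site owners who cannot edit the plugin: place this in
// a must-use plugin (wp-content/mu-plugins/). The filter runs before the
// route's own permission callback, so it refuses non-admin requests to the
// plugin's test routes regardless of what the plugin registered. Remove it
// once a vendor patch is installed.
add_filter( 'rest_request_before_callbacks', 'example_block_unauth_test_routes', 10, 3 );
function example_block_unauth_test_routes( $response, $handler, $request ) {
    if ( is_wp_error( $response ) ) {
        return $response; // an earlier filter already rejected the request
    }
    $route = $request->get_route(); // e.g. "/gravitysmtp/v1/tests/mock-data"
    if ( 0 === strpos( $route, '/gravitysmtp/v1/tests/' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'This diagnostic route is restricted to administrators.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}
```

The interim filter matches on the route prefix rather than the exact path so that any sibling test routes under the same namespace are covered as well; narrow the prefix if that is too broad for a given site. Returning a WP_Error from rest_request_before_callbacks short-circuits dispatch, so the handler that builds the report never runs for rejected callers, and the 401/403 responses it produces are easy to count in web server logs when looking for probing of the endpoint.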
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-11T19:55:54.999Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cb25a7e6bfc5ba1d9a95b6
Added to database: 3/31/2026, 1:38:47 AM
Last enriched: 3/31/2026, 1:53:25 AM
Last updated: 3/31/2026, 3:16:04 AM