Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin
An unauthenticated information disclosure vulnerability (CVE-2026-4020) in the WordPress plugin Gravity SMTP affects all versions up to and including 2.1.4. The flaw lets anyone who can reach the site fetch a detailed system report from an exposed REST API endpoint, leaking API keys, email service credentials, WordPress configuration, and server details. The vulnerability is fixed in version 2.1.5. Active exploitation attempts have been observed and blocked by security tools.
AI Analysis
Technical Summary
CVE-2026-4020 is an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin affecting all versions up to and including 2.1.4. The issue arises because the plugin's REST API endpoint '/wp-json/gravitysmtp/v1/tests/mock-data' registers a 'permission_callback' that always returns 'true'. In the WordPress REST API the 'permission_callback' is the only authorization gate a route has, so an unconditional 'true' means any unauthenticated GET request retrieves the comprehensive JSON system report. That report contains API keys, OAuth tokens, credentials for third-party email services (Amazon SES, Google, Mailjet, Resend, Zoho), WordPress configuration details, server and PHP environment information, and database configuration details. An attacker therefore obtains working email service credentials and a detailed map of the site's software stack, which facilitates further attacks. The flaw was fixed in version 2.1.5, released on March 17, 2026. Wordfence has reported millions of blocked exploitation attempts since early June 2026.
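The registration pattern behind this class of bug, as an added illustration that is not Gravity SMTP's code: a WordPress REST route whose 'permission_callback' is '__return_true', beside a hardened registration that requires an administrator capability and a report builder that never serializes a raw secret in the first place. The namespace 'example-smtp/v1', the route, the function names and the report values are hypothetical.

```php
<?php
/**
 * Added example, not Gravity SMTP's code. Shows why a REST route whose
 * permission_callback always returns true is reachable by anyone, and how to
 * gate it. The namespace 'example-smtp/v1', the route '/tests/mock-data' and
 * the function names are hypothetical; the report values are constructed.
 */

// Builds the diagnostic report. Even for the admin who is allowed to see it,
// secrets are masked: a report that never contains a usable credential cannot
// leak one through a later authorization bug.
function example_smtp_system_report( WP_REST_Request $request ) {
    $report = array(
        'wp_version'  => get_bloginfo( 'version' ),
        'php_version' => PHP_VERSION,
        'smtp_host'   => 'smtp.example.com',                          // constructed
        'api_key'     => example_smtp_mask( 'key-1234567890abcdef' ), // constructed
    );
    return rest_ensure_response( $report );
}

// Keeps only the last four characters so support staff can match a key
// without the response containing the key itself.
function example_smtp_mask( $secret ) {
    $len = strlen( $secret );
    if ( $len <= 4 ) {
        return str_repeat( '*', $len );
    }
    return str_repeat( '*', $len - 4 ) . substr( $secret, -4 );
}

// VULNERABLE registration: '__return_true' means WordPress performs no
// authorization at all, so an anonymous GET to
// /wp-json/example-smtp/v1/tests/mock-data receives the report.
function example_smtp_register_route_vulnerable() {
    register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED registration: require a capability only administrators hold.
// Anonymous callers get 401 and logged-in non-admins get 403;
// rest_authorization_required_code() picks the right one. Cookie-authenticated
// requests count as logged in only when they also carry a valid X-WP-Nonce, so
// a cross-site request riding on an admin's browser session is still rejected.
function example_smtp_register_route_hardened() {
    register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view the system report.', 'example-smtp' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Only the hardened variant is hooked; the vulnerable one is kept for comparison.
add_action( 'rest_api_init', 'example_smtp_register_route_hardened' );
```

The capability check and the masking are independent defenses: the first stops the route from answering strangers, the second limits what a future authorization mistake can leak.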
Potential Impact
Exploitation allows unauthenticated attackers to obtain API keys, OAuth tokens, and credentials for third-party email services, which can then be used to send mail through those services as the victim and otherwise abuse the victim's accounts. The exposed system and configuration details also lower the effort needed to plan further attacks against the site. Although the CVSS score rates the flaw medium severity, exploitation requires no authentication, and the volume of observed attempts indicates a significant risk to affected sites.
Mitigation Recommendations
Upgrade Gravity SMTP to version 2.1.5 or later; no vendor advisory describes an alternative mitigation short of upgrading. Because the leaked report contains working credentials, patching alone does not close the exposure. Check web server access logs for requests to '/wp-json/gravitysmtp/v1/tests/mock-data' (the reported probes carry a '?page=gravitysmtp-settings' parameter): any such request answered with a 200 response while a version up to 2.1.4 was installed means the report was served, and every API key, OAuth token and email-service credential it exposes should be treated as compromised and rotated at the provider. On their own these requests are an indicator of exploitation attempts rather than proof of compromise, and they should be monitored going forward. Blocking IP addresses that security vendors such as Wordfence identify as malicious reduces noise, but scanning infrastructure changes quickly, so it is a stopgap rather than a fix.
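The log check above, as an added example that is not part of the article: a PHP 8 command-line script that scans combined-format access-log lines for the endpoint in both of WordPress's REST URL forms (the pretty '/wp-json/' path and the '?rest_route=' fallback), notes whether the reported '?page=gravitysmtp-settings' parameter is present, and separates responses that were served from probes that were blocked. The four log lines are constructed sample data, and the 1 KiB body-size threshold for "the report was served" is an assumption.

```php
<?php
/**
 * Added example, not from the article or the plugin. Scans Apache/Nginx
 * combined-format access-log lines for probes against the Gravity SMTP
 * mock-data endpoint and distinguishes served responses from blocked ones.
 * The log lines at the bottom are constructed, not real traffic.
 */
declare( strict_types = 1 );

// Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/';

// Route path without the /wp-json/ prefix, so both URL forms can be compared to it.
const ENDPOINT = 'gravitysmtp/v1/tests/mock-data';

// Assumption: a 200 with a body over 1 KiB is the JSON report, not an error page.
const LEAK_BYTES = 1024;

// Returns null for lines that are not probes of the endpoint, otherwise a summary.
function classify_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null; // not a combined-format line
    }
    $parts = parse_url( $m['target'] );
    $path  = $parts['path'] ?? '';
    $query = array();
    parse_str( $parts['query'] ?? '', $query );

    // Pretty permalinks: .../wp-json/gravitysmtp/v1/tests/mock-data (any install prefix).
    $hits_pretty = str_ends_with( rtrim( $path, '/' ), '/wp-json/' . ENDPOINT );
    // Fallback form used when pretty permalinks are off: /?rest_route=/gravitysmtp/...
    $hits_fallback = isset( $query['rest_route'] )
        && trim( (string) $query['rest_route'], '/' ) === ENDPOINT;
    if ( ! $hits_pretty && ! $hits_fallback ) {
        return null;
    }

    $status = (int) $m['status'];
    $bytes  = '-' === $m['bytes'] ? 0 : (int) $m['bytes'];
    if ( 200 === $status && $bytes > LEAK_BYTES ) {
        $verdict = 'LEAK_LIKELY';   // report served: rotate every credential it contains
    } elseif ( 200 === $status ) {
        $verdict = 'SERVED_SMALL';  // 200 but tiny body: inspect manually
    } else {
        $verdict = 'BLOCKED';       // 401/403 from the fix, or a WAF/denylist
    }
    return array(
        'ip'        => $m['ip'],
        'time'      => $m['time'],
        'status'    => $status,
        'bytes'     => $bytes,
        'ioc_param' => ( $query['page'] ?? '' ) === 'gravitysmtp-settings',
        'verdict'   => $verdict,
    );
}

// Constructed sample lines: one successful pre-patch leak, one unrelated request,
// one fallback-form probe rejected with 401, one pretty-path probe blocked with 403.
$sample_log = <<<'LOG'
203.0.113.7 - - [05/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18432 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jun/2026:03:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jun/2026:11:02:41 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 97 "-" "python-requests/2.31"
192.0.2.44 - - [07/Jun/2026:22:45:13 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 153 "-" "curl/8.4.0"
LOG;

foreach ( explode( "\n", $sample_log ) as $line ) {
    $hit = classify_line( $line );
    if ( null !== $hit ) {
        printf(
            "%-14s %-26s %d %6d ioc_param=%-3s %s\n",
            $hit['ip'], $hit['time'], $hit['status'], $hit['bytes'],
            $hit['ioc_param'] ? 'yes' : 'no', $hit['verdict']
        );
    }
}
```

To run it against a real log, replace the constructed `$sample_log` with the contents of the access log (or read it line by line from `STDIN`). The script flags every request to the endpoint, not only those carrying the '?page=gravitysmtp-settings' parameter, because the parameter is an observed feature of the reported probes rather than part of the route itself; the status code and body size are what separate a served report from a rejected probe.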
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-info-disclosure-bug-in-gravity-smtp-wordpress-plugin/ (fetched 2026-06-19T20:27:55Z, 773 words)
Threat ID: 6a35a64b91872736766671ec
Added to database: 6/19/2026, 8:27:55 PM
Last enriched: 6/19/2026, 8:28:03 PM
Last updated: 6/19/2026, 11:48:03 PM