Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that is installed on about 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that could allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin's email integrations.
"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/checks/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," Wordfence said.
"When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return roughly 365 KB of JSON containing the full System Report."
As a result, an unauthenticated attacker can weaponize this issue to retrieve a wide range of information, including –
- PHP version
- Loaded extensions
- Web server version
- Document root path
- Database server type and version
- WordPress version
- All active plugins with versions
- Active theme
- WordPress configuration details
- Database table names
- API keys/tokens configured in the plugin, such as Amazon SES, Google, Mailjet, Resend, and Zoho
Attackers could then leverage this exposure to harvest credentials that could be abused to send email on behalf of the site, as well as glean extensive details of the site's software stack, which could act as a foundation for follow-on attacks.
"As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed," Wordfence added. "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site."
A patch for the vulnerability has been released in version 2.1.5 of the plugin. Bad actors have already pounced on the flaw by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the "?page=gravitysmtp-settings" query parameter, causing the server to return valuable information about the site without requiring any authentication.
Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date, with initial activity commencing at the start of May 2026 before spiking dramatically around June 6, 2026, reaching a high of over 4,000,000 requests a day later. The exploit attempts have originated from the following IP addresses –
- 45.148.10.95
- 193.32.162.60
- 176.65.148.139
- 173.199.90.188
- 45.148.10.120
- 185.8.107.155
- 185.8.106.37
- 185.8.106.92
- 185.8.106.145
- 176.65.148.30
Site owners running a vulnerable version of the Gravity SMTP plugin who have configured third-party email integrations should assume compromise, and rotate the credentials after updating the plugin to the latest version as soon as possible. It is also advised to review server log files for requests originating from the aforementioned IP addresses and for any suspicious requests to the API endpoint.
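The log review recommended above can be scripted. The following is an added example, not code from the article or from Wordfence: it reads Apache/nginx combined-format access log lines and flags requests that address the mock-data endpoint (in both the /wp-json/ form and the ?rest_route= form WordPress uses when pretty permalinks are off), carry the page=gravitysmtp-settings trigger parameter, return a large 200 body consistent with the roughly 365 KB System Report, or come from the IP addresses listed in the article. The 300,000-byte threshold and the sample log lines are constructed for illustration.

```python
"""Flag access-log requests matching the CVE-2026-4020 exploitation pattern."""
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the article: the unauthenticated REST route, the query
# parameter that makes it return the full System Report, and the source IPs
# Wordfence reported. The size threshold is an assumption derived from the
# article's "roughly 365 KB" figure.
VULN_ROUTE = "/gravitysmtp/v1/checks/mock-data"
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"
LARGE_BODY_BYTES = 300_000
REPORTED_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

# Apache/nginx "combined" log format: only the per-request prefix is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def rest_route(target):
    """Return (route, query) for the REST route a request addresses.

    Handles the pretty-permalink form (/wp-json/<route>, possibly under a
    subdirectory install) and the ?rest_route=<route> form. Route is None
    when the request is not a REST call.
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    idx = parts.path.find("/wp-json/")
    if idx >= 0:
        return parts.path[idx + len("/wp-json"):].rstrip("/"), qs
    if "rest_route" in qs:
        return qs["rest_route"][0].rstrip("/"), qs
    return None, qs


def classify(line):
    """Return a finding dict for a suspicious line, or None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, qs = rest_route(m["target"])
    reasons = []
    if route == VULN_ROUTE:
        reasons.append("vulnerable endpoint")
        if TRIGGER_VALUE in qs.get(TRIGGER_PARAM, []):
            reasons.append("system-report trigger parameter")
        size = int(m["size"]) if m["size"].isdigit() else 0
        # A 200 with a body this large on an unpatched site means the
        # System Report (and any configured credentials) was handed out.
        if m["status"] == "200" and size >= LARGE_BODY_BYTES:
            reasons.append("large 200 response: likely disclosed")
    if m["ip"] in REPORTED_IPS:
        reasons.append("IP reported by Wordfence")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons}


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [finding for finding in map(classify, lines) if finding]


# Constructed sample lines (not real traffic) covering each detection path.
SAMPLE_LOG = [
    '45.148.10.95 - - [06/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2026:03:15:22 +0000] "GET /?rest_route=/gravitysmtp/v1/checks/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 0 "-" "curl/8.0"',
    '198.51.100.4 - - [06/Jun/2026:03:16:01 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '185.8.106.92 - - [06/Jun/2026:03:17:45 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/nginx/access.log") for real use.
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["ts"]} {finding["ip"]} {finding["target"]}')
        print("   " + "; ".join(finding["reasons"]))
```

A "large 200 response" finding on a site that was still on a vulnerable version at that timestamp is the strongest signal that the System Report, including any configured email-provider credentials, was actually disclosed and that rotation is required; a 401 or 403 on the same route after updating to 2.1.5 shows the patch holding.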