Gravity SMTP WordPress Plugin Information Disclosure Vulnerability Actively Exploited in Attacks

Actively Exploited — Information Disclosure

CVE-2026-4020 is an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, actively installed on over 100,000 sites.

CVSS Score: Medium | Attack Complexity: Low | Privileges Required: None

Wordfence has blocked over 17 million exploitation attempts against protected customers, with a spike of 4 million requests on June 7, 2026.

What Happened

Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020. The plugin, which is active on over 100,000 WordPress sites, handles outbound email delivery by routing messages through external SMTP servers. The vulnerability exposes the SMTP credentials configured in the plugin — including the SMTP host, port, username, and password — to unauthenticated attackers.

The flaw resides in a REST API endpoint registered by Gravity SMTP whose permission_callback function unconditionally returns true, meaning no authentication or authorization check is performed. An unauthenticated attacker can send a simple GET request to the exposed endpoint and receive a comprehensive JSON “System Report” generated by the plugin. This report contains the SMTP configuration, credentials, and detailed information about the site’s software stack.

The vulnerability affects Gravity SMTP 2.1.4 and all earlier versions. It was patched in version 2.1.5, released on March 17, 2026, but many sites remain unpatched. WordPress security company Defiant reports that its Wordfence firewall has blocked more than 17 million exploitation attempts to date, with a dramatic spike on June 7, 2026, when 4 million requests were blocked in a single day.

A key indicator of compromise is HTTP GET requests to the REST API path /wp-json/gravitysmtp/v1/tests/mock-data, particularly those including the ?page=gravitysmtp-settings query parameter. Administrators should check their web server access logs for requests matching this pattern.

Impact

  • SMTP Credential Exposure: Attackers obtain the SMTP hostname, port, encryption type, username, and password in plaintext. This grants full access to the email-sending infrastructure.
  • Email Interception and Spoofing: With valid SMTP credentials, attackers can connect to the mail server and send emails that appear to originate from the legitimate domain. Because the messages are sent through the authorized mail server, they pass SPF, DKIM, and DMARC checks rather than being caught by them.
  • Phishing and Business Email Compromise (BEC): Spoofed emails can be used to target customers, partners, and employees with convincing phishing lures, invoice fraud, or credential harvesting campaigns.
  • Reputation Damage: If the compromised SMTP credentials are used for spam or phishing campaigns, the sending domain and IP reputation may be degraded, causing legitimate emails to be blocked or land in spam folders.
  • Software Stack Reconnaissance: The exposed System Report reveals the full WordPress version, active plugins and their versions, theme details, PHP version, database type, and server environment. Attackers use this inventory to identify additional vulnerabilities to exploit.
  • Regulatory and Compliance Exposure: The unauthorized access to email systems may constitute a data breach under GDPR, CCPA, HIPAA, or other regulatory frameworks depending on the nature of the data transmitted through the email system.

Fix

  1. Update Gravity SMTP Immediately: Upgrade to version 2.1.5 or later. The patched version implements proper authorization checks on the REST API endpoint, preventing unauthenticated access to the System Report and SMTP credentials. Update via Dashboard → Updates, or via WP-CLI: wp plugin update gravity-smtp.
  2. Rotate All SMTP Credentials: After patching, immediately change the SMTP password on the mail server. Generate a new, strong, unique password. Update the credentials in the Gravity SMTP plugin settings. If the same SMTP credentials are used across multiple services or applications, rotate those as well — assume the credentials have been compromised.
  3. Audit Mail Server Access Logs: Review SMTP server authentication and sending logs for unauthorized access or anomalous sending patterns. Look for logins from unfamiliar IP addresses, unusual sending volumes, or emails sent outside normal business hours.
  4. Check for Indicators of Compromise: Search web server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data. Block the most prolific exploit source IPs identified by Wordfence. Review WordPress user accounts for any unauthorized additions.
  5. Verify DKIM/SPF/DMARC Configuration: Confirm that email authentication records are correctly configured and that no unauthorized sending sources have been added to SPF records.
  6. Perform a Full Site Audit: Given the detailed software-stack information exposed, audit all installed plugins and themes for known vulnerabilities and ensure they are fully patched.
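The log check described in the indicator-of-compromise paragraph above and in step 4 of the Fix list, as an added example that is not part of the original advisory: it parses combined-format access log lines, flags GET requests to the CVE-2026-4020 endpoint, notes whether the ?page=gravitysmtp-settings parameter was present, and treats a 200 response as a likely disclosure (a 403/404 usually means the patch or a WAF stopped it). It also matches the equivalent ?rest_route= form that WordPress serves when pretty permalinks are disabled. The log lines and IP addresses are constructed samples, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines in Apache/Nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2026:10:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2026:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2026:10:16:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 212 "-" "curl/8.0"
192.0.2.55 - - [08/Jun/2026:02:01:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18340 "-" "python-requests/2.31"
192.0.2.55 - - [08/Jun/2026:02:01:20 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 18340 "-" "python-requests/2.31"
198.51.100.7 - - [08/Jun/2026:02:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# REST path named in the advisory as the indicator of compromise.
IOC_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Minimal combined-log parser: client IP, timestamp, method, request target, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    query = parse_qs(parts.query)
    path = parts.path
    # WordPress also serves REST routes as ?rest_route=/ns/v1/route when pretty permalinks are off,
    # so normalise that form onto the /wp-json/ prefix before comparing.
    if "rest_route" in query:
        path = "/wp-json" + query["rest_route"][0]
    rec["path"] = path.rstrip("/")
    rec["query"] = query
    rec["status"] = int(rec["status"])
    return rec

def find_ioc_hits(log_text):
    """Return one record per GET request that reached the vulnerable System Report endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and rec["path"] == IOC_PATH:
            rec["settings_param"] = rec["query"].get("page") == ["gravitysmtp-settings"]
            rec["likely_disclosed"] = rec["status"] == 200  # 200 = report served; 403/404 = blocked
            hits.append(rec)
    return hits

def summarize(hits):
    """Aggregate hits into totals and a per-source-IP count for triage."""
    return {"total": len(hits),
            "disclosed": sum(h["likely_disclosed"] for h in hits),
            "source_ips": Counter(h["ip"] for h in hits)}

if __name__ == "__main__":
    print(summarize(find_ioc_hits(SAMPLE_LOG)))
```

Any hit with likely_disclosed set means the SMTP credentials should be treated as exposed and rotated per step 2, regardless of whether the plugin has since been updated.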

Recommendations

  1. Deploy a Web Application Firewall (WAF): A properly configured WAF (Wordfence, Sucuri, Cloudflare) can detect and block exploitation attempts targeting the exposed Gravity SMTP REST API endpoint, providing virtual patching even before the plugin is updated.
  2. Restrict REST API Access: Consider limiting unauthenticated access to the WordPress REST API at the web server or WAF level. Disable REST API endpoints that are not required for site functionality. Plugins such as “Disable REST API” or custom .htaccess rules can be used to restrict access.
  3. Enable Automatic Plugin Updates: Where operationally feasible, enable automatic updates for plugins to reduce the window between patch release and deployment. WordPress core supports auto-updates per-plugin from the Plugins screen.
  4. Monitor Access Logs Proactively: Implement log monitoring and alerting for suspicious REST API requests, particularly to paths matching /wp-json/gravitysmtp/ or similar plugin-specific routes.
  5. Use Unique, Strong SMTP Credentials: Never reuse SMTP credentials across multiple services. Use a dedicated SMTP account with the minimum necessary permissions for each WordPress installation.
  6. Regularly Audit Installed Plugins: Maintain an inventory of all plugins and their versions. Remove any plugins that are inactive, unmaintained, or duplicative. Subscribe to vulnerability notification services (NVD, Wordfence, Patchstack, WPScan) for timely alerts.
  7. Implement Principle of Least Privilege: Configure SMTP relay accounts with restrictive permissions — limit sending volumes, restrict sender domains, and enable rate limiting where supported by the mail provider.
  8. Conduct Post-Incident Review: If exploitation is confirmed, treat the incident as a credential compromise. Rotate all secrets stored in the WordPress database (wp-config.php salts, database passwords, API keys) and verify that no unauthorized changes were made to the site.

Disclaimer: This information is provided for educational and defensive purposes only. Always verify details against official NVD entries, vendor advisories, and plugin changelogs before taking action in production environments. Last updated: June 20, 2026.
