The Gravity SMTP plugin for WordPress, installed on approximately 100,000 sites, is being exploited at scale through CVE-2026-4020 (CVSS 5.3). Despite its medium CVSS score, the real danger of this flaw is significantly higher than the base rating suggests: an unauthenticated attacker can, with a single HTTP request, obtain email service API keys, OAuth tokens, and a full system report of the site. According to Wordfence, more than 17 million exploitation attempts have been blocked. Owners of affected sites must immediately update the plugin to version 2.1.5 and rotate all mail integration credentials.
Technical essence of the vulnerability
The root of the problem is a REST API endpoint registered at the path /wp-json/gravitysmtp/v1/tests/mock-data. As reported by Wordfence researchers, the permission_callback parameter of this endpoint unconditionally returns true, which completely disables authentication checks. Any visitor can access it without any credentials.
When the request parameter ?page=gravitysmtp-settings is added, the register_connector_data() method is triggered, which populates the internal connector data. As a result, the endpoint returns approximately 365 KB of JSON containing a full system report. The exposed information is extensive:
- API keys and tokens for email services — Amazon SES, Google, Mailjet, Resend, Zoho
- PHP version and loaded extensions
- Web server version and path to the document root
- Database server type and version, table names
- WordPress version, list of all active plugins with versions, active theme
- WordPress configuration details
In effect, a single unauthenticated GET request gives the attacker a complete map of the site’s technology stack and valid credentials for external services. This turns a formally medium CVSS vulnerability into a serious threat: the attacker gains not just information, but working access keys to the email infrastructure.
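The pattern behind the flaw, as an added illustration (this is not the Gravity SMTP plugin's code and not the fix shipped in 2.1.5): a WordPress REST route whose permission_callback always returns true, placed next to a hardened registration of the same route. The namespace and route are the ones named above; the handler name, the manage_options capability and the function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Two registrations of the same route
// are shown for comparison; a real plugin would contain only one of them.

// VULNERABLE PATTERN (assumed to mirror what the advisory describes):
// '__return_true' is a WordPress helper that always returns true, so WordPress
// performs no authentication or capability check before running the callback.
function example_register_mock_data_route_vulnerable() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler', // assumed name
        'permission_callback' => '__return_true',             // anyone, no login
    ) );
}

// HARDENED PATTERN: same route, but only for an authenticated user holding the
// capability that administers the plugin. manage_options is assumed here; use
// the narrowest capability the feature actually needs.
function example_register_mock_data_route_hardened() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler', // assumed name
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // rest_authorization_required_code() yields 401 for anonymous
                // visitors and 403 for logged-in users without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to access this endpoint.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Hook only the hardened registration.
add_action( 'rest_api_init', 'example_register_mock_data_route_hardened' );
```

When auditing other plugins for the same class of bug, searching the plugin directory for register_rest_route calls whose permission_callback is '__return_true' (or a closure that returns true unconditionally) finds candidates quickly; each hit then needs a judgement on whether the data served is genuinely public.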
Scale and timeline of exploitation
According to Wordfence telemetry, scanning for the vulnerable endpoint began in early May 2026. Activity spiked around June 6, 2026, and peaked the following day at more than 4,000,000 requests per day. In total, Wordfence recorded and blocked over 17 million exploitation attempts.
The attacks consist of simple HTTP GET requests to the vulnerable endpoint with the ?page=gravitysmtp-settings parameter. The low barrier to entry — no need for authentication, complex exploit chains, or specialized tooling — explains the highly widespread scanning activity.
Indicators of compromise
Wordfence identified the following IP addresses as attack sources:
- 45.148.10.95
- 45.148.10.120
- 193.32.162.60
- 176.65.148.139
- 176.65.148.30
- 173.199.90.188
- 185.8.107.155
- 185.8.106.37
- 185.8.106.92
- 185.8.106.145
The characteristic clustering of addresses in the 185.8.106.0/24, 185.8.107.0/24, 45.148.10.0/24 and 176.65.148.0/24 subnets indicates the use of a limited set of hosting providers or VPS infrastructure for coordinated scanning.
Impact assessment
The consequences of successful exploitation go beyond a typical information leak. By obtaining valid email service API keys, an attacker can send email on behalf of the compromised site. This enables phishing campaigns, distribution of malware via trusted domains, and compromise of business correspondence.
The detailed system report — versions of all stack components, plugin list, database structure — significantly reduces the cost of preparing targeted attacks. The attacker can select exploits tailored to specific versions of installed software without additional reconnaissance.
The highest risk is for sites using Gravity SMTP with configured integrations to Amazon SES, Google Workspace, Mailjet, Resend, or Zoho — these are precisely the credentials exposed in the report.
Response recommendations
- Immediately update the Gravity SMTP plugin to version 2.1.5, in which, according to Wordfence, the vulnerability is fixed.
- Assume compromise if the plugin was used with configured email integrations prior to updating. Rotate all API keys and tokens for Amazon SES, Google, Mailjet, Resend, Zoho and any other connected services.
- Check server logs for GET requests to the path /wp-json/gravitysmtp/v1/tests/mock-data, especially with the ?page=gravitysmtp-settings parameter. Pay particular attention to requests from the IP addresses listed above.
- Block the specified IP addresses at the WAF or web server level.
- Review your email service logs for any unauthorized email sending using compromised credentials.
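A triage script for the log check recommended above, added here as an example (it is not Wordfence's or the plugin's code). It parses access log lines in the common "combined" format, flags requests to the vulnerable endpoint carrying the triggering parameter, marks whether the source IP is one of the addresses Wordfence listed, and marks responses that were probably served in full. The log lines embedded in it are constructed, and the 100,000-byte threshold used to judge a served report is an assumption derived from the roughly 365 KB response described above.

```php
<?php
// Added example, not Wordfence's or the plugin's code.
// Usage: php triage.php /var/log/nginx/access.log  (without an argument it runs
// over the constructed sample lines below).
declare(strict_types=1);

const VULN_PATH = '/wp-json/gravitysmtp/v1/tests/mock-data';
// Source addresses published by Wordfence (copied from the advisory).
const KNOWN_SCANNER_IPS = [
    '45.148.10.95', '45.148.10.120', '193.32.162.60', '176.65.148.139',
    '176.65.148.30', '173.199.90.188', '185.8.107.155', '185.8.106.37',
    '185.8.106.92', '185.8.106.145',
];

/** Parse one combined-format line; returns null if the line does not match. */
function parse_access_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

/** True when the request hits the vulnerable endpoint with ?page=gravitysmtp-settings. */
function is_mock_data_probe(array $req): bool
{
    $parts = parse_url($req['target']);
    if (($parts['path'] ?? '') !== VULN_PATH) {
        return false;
    }
    parse_str($parts['query'] ?? '', $query);
    return ($query['page'] ?? '') === 'gravitysmtp-settings';
}

/** Walk the lines and return one finding per probe for the responder. */
function triage_lines(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        $req = parse_access_log_line($line);
        if ($req === null || !is_mock_data_probe($req)) {
            continue;
        }
        $findings[] = [
            'ip'            => $req['ip'],
            'time'          => $req['time'],
            'status'        => $req['status'],
            'bytes'         => $req['bytes'],
            'known_scanner' => in_array($req['ip'], KNOWN_SCANNER_IPS, true),
            // Assumption: a 200 with a body over 100 KB means the ~365 KB
            // report was actually delivered, so credentials must be rotated.
            'likely_served' => $req['status'] === 200 && $req['bytes'] > 100000,
        ];
    }
    return $findings;
}

// Constructed sample lines (not real log data).
$sample = [
    '185.8.106.37 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jun/2026:03:15:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 87 "-" "curl/8.0"',
    '198.51.100.4 - - [07/Jun/2026:03:16:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
];

$lines = $argc > 1 ? new SplFileObject($argv[1]) : $sample;
foreach (triage_lines($lines) as $f) {
    printf(
        "%s %s status=%d bytes=%d known_scanner=%s likely_served=%s\n",
        $f['time'], $f['ip'], $f['status'], $f['bytes'],
        $f['known_scanner'] ? 'yes' : 'no',
        $f['likely_served'] ? 'yes' : 'no'
    );
}
```

Any finding with likely_served set, whatever the source address, means the report left the server and the rotation step above applies; a probe from an address outside the Wordfence list is still a probe, so the known_scanner flag is for prioritisation, not for dismissing entries.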
This incident demonstrates that a CVSS score of 5.3 does not reflect the real danger when exposed data includes valid accounts for external services. For site owners using Gravity SMTP, it is critically important not to stop at updating the plugin: without rotating all keys and tokens for email integrations, credentials previously extracted by attackers remain valid and can be used for attacks regardless of whether the vulnerability itself has been closed.