Critical Information Disclosure in Gravity SMTP Plugin: Active Exploitation of API Credentials
Security researchers have identified a significant information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is currently being leveraged by threat actors to exfiltrate highly sensitive configuration data. By targeting a flaw in the plugin’s REST API implementation, attackers are successfully harvesting API keys, OAuth tokens, and other authentication secrets used to power enterprise email workflows.
The vulnerability, identified as CVE-2026-4020, carries a CVSS score of 5.3. While this score suggests a moderate severity, the real-world impact is much higher due to the nature of the data being exposed. The flaw affects all versions of the plugin up to and including 2.1.4, placing over 100,000 WordPress installations at immediate risk.
Technical Deep Dive: The REST API Misconfiguration
The root cause of this vulnerability lies in a breakdown of the authorization logic within a specific REST API endpoint: /wp-json/gravitysmtp/v1/tests/mock-data. During development or testing, it appears a “mock data” endpoint was left active. Critically, the permission_callback for this endpoint was improperly configured to always return true, effectively bypassing all WordPress authentication requirements.
This architectural oversight allows an unauthenticated attacker to send a simple HTTP GET request to the endpoint with the query parameter ?page=gravitysmtp-settings. Upon execution, the server responds with a JSON payload of approximately 365 KB. This payload is not merely metadata; it is a comprehensive system dump containing:
- Detailed environment specifications (PHP version, active plugin lists).
- Database configuration details.
- Critical Authentication Secrets: API keys and OAuth tokens for major third-party email providers.
As reported by Wordfence security researchers, this stolen data includes credentials for high-value services such as Amazon SES, Google, Mailjet, Zoho, and Resend. An attacker possessing these tokens can effectively hijack a site’s email infrastructure, send phishing campaigns from a legitimate domain, or use the reconnaissance data to launch more sophisticated, targeted attacks against the organization.
While the vendor released a patch (version 2.1.5) on March 17, 2026, following responsible disclosure, the window of opportunity for attackers has remained wide open. In recent weeks, exploitation attempts have scaled aggressively. The Wordfence firewall has intercepted more than 17 million malicious requests, with a massive spike of 4 million attempts recorded in a single 24-hour window between June 7 and June 11, 2026.
Indicators of Compromise (IoCs)
Defenders and SOC analysts should monitor web server access logs for the following patterns. Because this is a data exfiltration attack rather than a file-injection attack, there may be no malicious files on the disk; the evidence will reside in your traffic logs.
| Type | Indicator | Description |
|---|---|---|
| Target URL Path | /wp-json/gravitysmtp/v1/tests/mock-data | The vulnerable REST API endpoint. |
| Full Exploit String | /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings | The specific request used to trigger the data dump. |
| HTTP Method | GET | Standard method used to retrieve the JSON payload. |
| Example User-Agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) ... Chrome/131.0.0.0 | Commonly observed User-Agent in automated scanning. |
| Known Malicious IPs | 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, 176.65.148.30 | High-volume source IPs for exploitation attempts. |
Security Note: IP addresses provided above should be treated as active threats.
Immediate Remediation Steps
If you are managing a WordPress site using Gravity SMTP, please follow these steps immediately:
- Update the Plugin: Ensure you are running Gravity SMTP version 2.1.5 or higher. This version contains the necessary permission fixes to close the endpoint.
- Rotate All Credentials: This is the most critical step. Assume that any API keys, SMTP passwords, or OAuth tokens stored in the plugin have been compromised. Generate new secrets in your service providers (Amazon SES, Google, etc.) and update your plugin settings.
- Audit Access Logs: Review your web server logs for any GET requests to the /gravitysmtp/v1/tests/mock-data path. If you see successful 200 OK responses to this path, treat the installation as compromised.
- Implement WAF Rules: If you utilize a Web Application Firewall (WAF), ensure rules are active to block unauthorized access to the /wp-json/gravitysmtp/ path.
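The log-audit step above, worked through as an added example that is not part of the original advisory or of the plugin: a Python script that parses access log lines in Apache/Nginx combined format, keeps only requests to the mock-data route (with or without the ?page= query string), treats a GET answered with 200 as a served credential dump, and cross-references each source IP against the IoC table. The log lines, response sizes and the two non-advisory addresses (203.0.113.7, 198.51.100.23) are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (Apache/Nginx combined format), not real traffic;
# 203.0.113.7 and 198.51.100.23 are documentation-range placeholders.
SAMPLE_LOG = """\
45.148.10.95 - - [09/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
203.0.113.7 - - [09/Jun/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 412 "-" "curl/8.4.0"
198.51.100.23 - - [09/Jun/2026:03:15:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
45.148.10.95 - - [09/Jun/2026:03:16:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373812 "-" "python-requests/2.31"
"""

# High-volume source IPs from the advisory's IoC table.
KNOWN_BAD_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188", "45.148.10.120",
    "185.8.107.155", "185.8.106.37", "185.8.106.92", "185.8.106.145", "176.65.148.30",
}
TARGET_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')


def scan(log_text):
    """Return one record per request to the vulnerable endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        # Skip unparseable lines and anything not aimed at the mock-data route (query string ignored).
        if not m or m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "status": status,
            "bytes": int(m["size"]) if m["size"].isdigit() else 0,
            # A GET answered with 200 means the JSON dump was served: treat the site as compromised.
            "leaked": m["method"] == "GET" and status == 200,
            "known_bad_ip": m["ip"] in KNOWN_BAD_IPS,
        })
    return hits


def summarize(hits):
    """Aggregate attempts and successful dumps per source IP for triage."""
    per_ip = defaultdict(lambda: {"attempts": 0, "leaks": 0})
    for h in hits:
        per_ip[h["ip"]]["attempts"] += 1
        per_ip[h["ip"]]["leaks"] += int(h["leaked"])
    return dict(per_ip)
```

A 403 on the route indicates a request the WAF or patched plugin refused; only 200 responses need credential rotation and incident handling.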
This incident serves as a stark reminder that “low-severity” vulnerabilities in authentication logic can quickly escalate into high-impact security breaches when they grant access to the “keys to the kingdom.”