
Hackers Actively Exploit Critical Gravity SMTP Plugin Flaw CVE-2026-4020

By xploitzone
June 21, 2026 3:59 PM

Hackers are actively exploiting CVE-2026-4020, a critical Gravity SMTP WordPress plugin flaw that exposes API keys, OAuth tokens and full system reports through an unauthenticated REST API endpoint.

Have you ever imagined sleeping soundly, confident that your website's email service is secure, while an unknown person is looking at a map of your entire digital vault on their screen simply by opening a URL?

This may sound far-fetched, but it is happening right now on the millions of WordPress websites that rely on the Gravity SMTP plugin to send their email. No login, no password: a single query parameter gives the attacker everything needed to destroy your entire site.

Gravity SMTP REST API Information Disclosure Vulnerability Explained

Gravity SMTP is a plugin running on almost a million WordPress websites, designed to deliver email reliably. Hidden within it, however, was a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data.

The real issue is that the endpoint's permission_callback function always returned true. No check was made of who was sending the request or whether they had any right to see the data, so any anonymous visitor could access the endpoint directly without logging in.

It becomes more dangerous still when the attacker appends the query parameter page=gravitysmtp-settings to that URL. As soon as that happens, the plugin's register_connector_data method runs and populates all of the internal connector data.

As a result the server returns a JSON response of approximately 365 KB containing the entire system report. The vulnerability is tracked as CVE-2026-4020 and carries a CVSS score of 5.3, i.e. medium severity. It would be a serious mistake to treat the issue as minor on the strength of that score, because the data it leaks is extremely powerful in an attacker's hands.

Gravity SMTP vulnerability summary card showing CVE-2026-4020 details and patch version (source: Wordfence)

When security researchers looked more closely at the leaked JSON, they found it contained the PHP version and loaded extensions, the web server version, the document root path, the database server type and version, the WordPress version, and a list of all active plugins with their versions.

The active theme, WordPress configuration details and database table names were also plainly visible. Most dangerous of all, the API keys and tokens configured within the plugin were exposed, including credentials for major email services such as Amazon SES, Google, Mailjet, Resend and Zoho.

In other words, the attacker obtains not just data but the blueprint of the entire website. Wordfence itself notes in its advisory that when live third-party API credentials are exposed, an attacker can abuse the site's connected email services at will.

The detailed system report also makes the attacker's job much easier, since there is no longer any need to guess which software stack the site runs. That information becomes the basis for the next attack, whether SQL injection or exploitation of another vulnerable plugin.

Active Exploitation, Attack Data Stolen and Patch Guide

This is not merely theoretical: active exploitation has begun, which is what makes this news so important. Attackers are using a simple unauthenticated HTTP GET request that calls the vulnerable REST API endpoint directly with parameters such as page=gravitysmtp-settings. The server returns all of the sensitive data without any authentication, like a door with no lock.

Malicious GET request to Gravity SMTP REST API endpoint blocked by Wordfence (source: Wordfence)

According to Wordfence, it has blocked more than 17 million exploit attempts against this vulnerability so far. Activity began in early May 2026, but the real storm came around June 6, 2026, when it spiked dramatically.

The following day attempts exceeded 4 million per day, which in itself shows how fast the vulnerability spread through the attacker community. Researchers have also identified specific source IP addresses behind these exploit attempts; the Wordfence chart below breaks the blocked attempts down by address.


Bar chart showing blocked exploit attempts by attacking IP address against Gravity SMTP (source: Wordfence)

The good news is that the plugin developers have released a patch in version 2.1.5 that fixes the issue. Any website running an older version of Gravity SMTP should update immediately. Updating alone is not enough, though. Wordfence specifically advises that any site with third-party email integrations configured should assume its credentials have already been compromised. That means all API keys and tokens, whether an Amazon SES secret key or a Google OAuth token, must be rotated immediately after the plugin is updated.

Site administrators should also check their server logs carefully for requests from the IP addresses Wordfence has identified, to confirm the site was not already targeted. If suspicious activity is found, rotating credentials won't suffice; a security audit of the entire website is needed as well. Email logs should be checked too, to determine whether attackers sent unauthorized email in the site's name.
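One way to do the log check described above, as an added example that is not from the article or from Wordfence: a Python scanner over access-log lines in the Apache/nginx combined format that flags hits on the mock-data route (reached either under /wp-json/ or via WordPress's ?rest_route= form), distinguishes bare probes from requests carrying page=gravitysmtp-settings, and uses the response status and size to judge whether the report was actually served. The route spelling follows the article; the 100 KB size threshold (the full report is roughly 365 KB) and the sample log lines with documentation-range IPs are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit
# Assumption: Apache/nginx "combined" log format; only the fields needed here are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ROUTE = "/gravitysmtp/v1/tests/mock-data"   # vulnerable route named in the article
REPORT_MIN_BYTES = 100_000                   # assumption: the full report is ~365 KB

def classify(line):
    # Returns a finding dict for a request to the vulnerable route, else None
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    qs = parse_qs(url.query)
    # WordPress serves REST routes both under /wp-json/ and via ?rest_route=
    path_hit = unquote(url.path).rstrip("/").endswith("/wp-json" + ROUTE)
    param_hit = any(r.rstrip("/").endswith(ROUTE) for r in qs.get("rest_route", []))
    if not (path_hit or param_hit):
        return None
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    wants_report = "gravitysmtp-settings" in qs.get("page", [])  # triggers the report
    if status == 200 and wants_report and size >= REPORT_MIN_BYTES:
        verdict = "LEAKED"    # full report served: treat stored credentials as compromised
    elif status == 200:
        verdict = "SERVED"    # endpoint answered a probe: confirm plugin version, rotate keys
    else:
        verdict = "BLOCKED"   # 401/403/etc.: denied by the patch, a WAF, or the server
    return {"ip": m["ip"], "ts": m["ts"], "status": status, "size": size,
            "settings_param": wants_report, "verdict": verdict}

def scan(lines):
    # Classify every line; return the findings plus a per-IP hit count
    findings = [f for f in map(classify, lines) if f is not None]
    return findings, Counter(f["ip"] for f in findings)

# Constructed sample lines using documentation-range IPs, not real traffic
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "curl/8.0"
203.0.113.10 - - [06/Jun/2026:10:01:05 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [06/Jun/2026:10:02:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [06/Jun/2026:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG.splitlines()), sep="\n")
```

Any LEAKED verdict means the report left the server before the patch or WAF rule was in place, so the credential rotation and full audit described above apply to that site regardless of what else the logs show.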

This incident proves once again that the most dangerous area of security is often where we place the most trust. A simple email plugin that was only supposed to send messages ended up giving away the website's secrets because of a small error in its own internal API. Anyone using a third-party plugin on their site should remember that behind convenience there is always a hidden cost, one that goes unnoticed until an attacker exposes it for their own benefit.
