Full Report
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens.
Analysis Summary
# Vulnerability: Sensitive Information Disclosure in Gravity SMTP
## CVE Details
- **CVE ID:** CVE-2026-4020
- **CVSS Score:** 5.3 (Medium)
- **CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) / CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Gravity SMTP (WordPress Plugin)
- **Versions:** All versions prior to 2.1.5
- **Configurations:** Sites with the plugin installed and third-party email integrations (API/OAuth) configured.
## Vulnerability Description
The vulnerability exists because the REST API endpoint `/wp-json/gravitysmtp/v1/tests/mock-data` is registered with a `permission_callback` that unconditionally returns `true`. The permission callback is the only authorization check WordPress applies to a REST route, so the endpoint is open to any unauthenticated request.
When a request is made to this endpoint with the `?page=gravitysmtp-settings` query parameter, the internal `register_connector_data()` method runs and populates a full "System Report" of roughly 365 KB of JSON, including WordPress environment details and clear-text API keys for the configured mail services.
## Exploitation
- **Status:** Exploited in the wild (extensive active exploitation recorded).
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated HTTP GET request).
## Impact
The CVSS base score rates only the direct information disclosure; the ratings below describe what an attacker can do with the credentials obtained through it.
- **Confidentiality:** High (exposure of API keys, OAuth tokens, and full system environment details).
- **Integrity:** Medium (stolen keys allow attackers to send unauthorized email or manipulate the connected mail services).
- **Availability:** Low (abuse of stolen keys can disrupt the connected mail accounts).
## Remediation
### Patches
- **Update to version 2.1.5** or later immediately. This version fixes the `permission_callback` so that only authorized users can reach the endpoint. Updating stops further disclosure but does not invalidate anything already retrieved; credentials stored in the plugin must still be rotated (see Detection below).
### Workarounds
- No official workaround is provided; upgrading the plugin is the only definitive fix.
- If upgrading is delayed, block the endpoint at a Web Application Firewall (WAF) or at the web server. Match both URL forms WordPress accepts for a REST route: the pretty-permalink path `/wp-json/gravitysmtp/v1/tests/mock-data` and the query form `?rest_route=/gravitysmtp/v1/tests/mock-data` (the route value may arrive URL-encoded). Deactivating the plugin also removes the route, at the cost of outgoing mail.
## Detection
### Indicators of Compromise (IoCs)
**Known Malicious IPs:**
- 45[.]148[.]10[.]95
- 193[.]32[.]162[.]60
- 176[.]65[.]148[.]139
- 173[.]199[.]90[.]188
- 45[.]148[.]10[.]120
- 185[.]8[.]107[.]155
- 185[.]8[.]106[.]37
- 185[.]8[.]106[.]92
- 185[.]8[.]106[.]145
- 176[.]65[.]148[.]30
### Detection Methods
- **Log Analysis:** Search web server access logs for GET requests to `/wp-json/gravitysmtp/v1/tests/mock-data` carrying the `page=gravitysmtp-settings` query parameter, and for the equivalent `?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings` form (parameter order and URL encoding vary). A 200 response, typically several hundred KB before compression, means the system report was retrieved; a 401/403 response indicates the patched callback or a WAF rule blocked the request.
- **Credential Audit:** If the vulnerable version was active, **rotate all API keys** and secrets for connected services (e.g., Amazon SES, Google, Mailjet, Zoho) immediately, whether or not the logs show a hit, since retained logs may not cover the whole exposure window. Review sending activity at each provider for abuse during that window.
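The log search described above, written out as an added example (this is not code from Wordfence or the Gravity SMTP project): a Python script that parses combined-format access log lines, resolves both URL forms WordPress accepts for the route, marks which requests actually pulled the system report versus merely probed or were blocked, and checks each source against the IOC list. The log lines are constructed for the example; the first IP is taken from the IOC list above, the others are documentation addresses.

```python
"""Hunt for CVE-2026-4020 exploitation attempts in web server access logs.

Added example, not code from Wordfence or the Gravity SMTP project. Flags
requests that reach the Gravity SMTP mock-data REST route in either URL form
WordPress accepts, marks the ones that pulled the full system report, and
cross-checks the source IP against the defanged IOC list from the advisory.
"""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/gravitysmtp/v1/tests/mock-data"
TRIGGER = ("page", "gravitysmtp-settings")  # query parameter that triggers the system report

# IOC list as published (defanged); refanged once for matching.
IOC_IPS_DEFANGED = [
    "45[.]148[.]10[.]95", "193[.]32[.]162[.]60", "176[.]65[.]148[.]139",
    "173[.]199[.]90[.]188", "45[.]148[.]10[.]120", "185[.]8[.]107[.]155",
    "185[.]8[.]106[.]37", "185[.]8[.]106[.]92", "185[.]8[.]106[.]145",
    "176[.]65[.]148[.]30",
]
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}

# Combined log format (Apache/nginx). Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (not real traffic); the first IP is from the IOC list.
SAMPLE_LOG = """\
45.148.10.95 - - [02/Jun/2026:10:14:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 374112 "-" "Mozilla/5.0"
45.148.10.95 - - [02/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2026:10:15:30 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 200 374098 "-" "curl/8.4.0"
192.0.2.10 - - [02/Jun/2026:10:16:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 123 "-" "python-requests/2.31"
192.0.2.11 - - [02/Jun/2026:10:17:00 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [02/Jun/2026:10:18:45 +0000] "GET /blog/wp-json/gravitysmtp/v1/tests/mock-data/?page=gravitysmtp-settings HTTP/1.1" 200 374100 "-" "Go-http-client/1.1"
"""


def rest_route(target):
    """Return (route, query) for a request target; route is None when the
    target is not a REST API request. Handles /wp-json/<route> (also under a
    subdirectory install, with or without a trailing slash) and the
    ?rest_route=<route> fallback used when pretty permalinks are off."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # already percent-decodes values
    if "/wp-json/" in parts.path:
        route = parts.path.split("/wp-json/", 1)[1]
    elif "rest_route" in query:
        route = query["rest_route"][0]
    else:
        return None, query
    return "/" + route.strip("/"), query


def classify(line):
    """Return a finding dict for a log line that hits the vulnerable route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, query = rest_route(m["target"])
    if route != ENDPOINT:
        return None
    key, value = TRIGGER
    system_report = query.get(key, [""])[0] == value
    status = int(m["status"])
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": status,
        "bytes": 0 if m["size"] == "-" else int(m["size"]),
        # Trigger parameter plus a 200 means the system report (and any stored
        # mail credentials) left the server; 401/403 means the patched callback
        # or a WAF rule stopped it. Response size is only a hint: ~365 KB
        # uncompressed, much less when the response was gzip-compressed.
        "system_report": system_report,
        "exposed": system_report and status == 200,
        "known_ioc": m["ip"] in IOC_IPS,
    }


def scan(log_text):
    """All requests in log_text that reached the vulnerable route."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def exposed_sources(log_text):
    """Distinct source IPs that successfully pulled the system report."""
    return sorted({f["ip"] for f in scan(log_text) if f["exposed"]})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "EXPOSED" if f["exposed"] else "blocked" if f["system_report"] else "probe"
        ioc = " [known IOC]" if f["known_ioc"] else ""
        print(f'{f["time"]} {f["ip"]:<15} {f["status"]} {f["bytes"]:>7}B {flag}{ioc}')
    print("rotate credentials if non-empty:", exposed_sources(SAMPLE_LOG))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; anything listed by `exposed_sources` is confirmation that the stored mail credentials were retrieved, but an empty list is not proof of safety, since the exposure window may predate the retained logs.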
## References
- **Wordfence Advisory:** hxxps://www[.]wordfence[.]com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/
- **The Hacker News:** hxxps://thehackernews[.]com/2026/06/hackers-exploit-gravity-smtp-wordpress.html