Attackers are actively exploiting a security vulnerability in the Gravity SMTP WordPress plugin that allows unauthenticated access to sensitive site and configuration data, including API keys, OAuth tokens, and email integration secrets. The flaw, tracked as CVE-2026-4020 and affecting roughly 100,000 websites, is a medium-severity information disclosure issue that has already been weaponized in large-scale scanning and exploitation campaigns.
The vulnerability resides in a REST API endpoint that improperly allows public access due to an overly permissive permission check. When combined with a specific query parameter, the plugin generates a large system report response—around 365 KB of JSON—containing detailed internal environment data. This includes server configuration details, WordPress versioning, active plugins and themes, database information, and third-party service credentials used for email delivery.
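To make concrete what an "overly permissive permission check" on a WordPress REST route looks like, the following PHP is an added illustration (not Gravity SMTP's or Wordfence's code): the `example-smtp/v1` namespace, the `view` query parameter and the `example_smtp_api_key` option are hypothetical placeholders. It shows the weak registration beside a hardened one that also redacts credential-like values before the report leaves the server.

```php
<?php
// Added illustration of the flaw class described above; route, parameter and
// option names are hypothetical and not taken from the affected plugin.

// WEAK: '__return_true' grants every caller, including unauthenticated visitors,
// access to a report that may contain SMTP, OAuth and API credentials.
function example_register_weak_route() {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_settings_handler',
        'permission_callback' => '__return_true', // the overly permissive check
    ) );
}

// HARDENED: only users with the manage_options capability may read the report.
// WordPress evaluates permission_callback before the callback, so no query
// parameter can route around it.
function example_register_hardened_route() {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_settings_handler',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                // 401 for anonymous callers, 403 for logged-in users lacking the capability
                return new WP_Error( 'rest_forbidden', 'Administrator capability required.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

// Defence in depth: even authorised callers should not receive raw secrets.
// Mask any value whose key looks like a credential, recursing into nested arrays.
function example_redact_secrets( array $report ) {
    foreach ( $report as $key => $value ) {
        if ( is_array( $value ) ) {
            $report[ $key ] = example_redact_secrets( $value );
        } elseif ( preg_match( '/(secret|token|password|api_key|client_secret)/i', (string) $key ) ) {
            $report[ $key ] = '[redacted]';
        }
    }
    return $report;
}

function example_settings_handler( WP_REST_Request $request ) {
    $report = array( 'wp_version' => get_bloginfo( 'version' ) );
    // Hypothetical "system report" switch: it adds detail but must never bypass the permission check.
    if ( 'system_report' === $request->get_param( 'view' ) ) {
        $report['mail_provider'] = array( 'api_key' => get_option( 'example_smtp_api_key' ) );
    }
    return rest_ensure_response( example_redact_secrets( $report ) );
}
```

When auditing a plugin for this class of bug, grep for `permission_callback` values of `__return_true` on routes whose callbacks read options or settings.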
Security researchers at Wordfence report that this exposed data can be used directly to hijack email services configured through providers such as Amazon SES, Mailjet, Google, and Zoho, enabling attackers to send unauthorized email on behalf of compromised sites. Beyond immediate credential abuse, the information also provides a detailed blueprint of each affected website, significantly lowering the barrier for follow-on attacks.
The issue has been patched in Gravity SMTP version 2.1.5, but exploitation activity began well before disclosure and has since escalated sharply. Wordfence has blocked millions of attack attempts targeting the flaw, with traffic originating from multiple IP addresses tied to ongoing scanning campaigns. Site administrators are urged to update immediately and rotate any exposed credentials, particularly those tied to external email services.
