Gravity SMTP WordPress Plugin Vulnerability Puts 100,000 Sites at Risk


A critical security flaw in the Gravity SMTP WordPress plugin—used by over 100,000 sites—is being actively exploited by hackers to steal sensitive API keys and system reports, according to The Hacker News. Tracked as CVE-2026-4020, the vulnerability allows unauthenticated attackers to extract credentials for services like Amazon SES, Google, and Mailjet, while also exposing server configurations and plugin details. Exploitation surged in early June, with Wordfence blocking over 17 million attack attempts since May, including a peak of 4 million requests on June 7.

How the Exploit Works: A Flawed API Endpoint

The flaw stems from a misconfigured REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, which bypasses authentication checks due to a permission_callback that always returns “true,” as The Hacker News reports. When attackers append the query parameter ?

  1. API keys and OAuth tokens for third-party email services (Amazon SES, Google, Mailjet, Resend, Zoho)
  2. Server and PHP environment details (versions, loaded extensions, document root paths)
  3. WordPress configuration (active plugins, themes, database table names)
  4. Database server type and version
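The pattern behind a REST endpoint whose permission_callback always returns true, beside the hardened form, as an added illustration; this is not Gravity SMTP's code, and the plugin name, namespace and handler (`example_mailer`) are hypothetical. The WordPress functions used (`register_rest_route`, `__return_true`, `current_user_can`, `rest_authorization_required_code`) are real core APIs:

```php
<?php
// Added illustration of the flaw pattern, not Gravity SMTP's own code.
// Plugin name, namespace and handler are hypothetical ("example_mailer").

// Hypothetical handler: whatever it returns is reachable by anyone the
// permission_callback lets through. In the reported flaw the handler
// returned live API keys and a full system report.
function example_mailer_mock_data( WP_REST_Request $request ) {
	return rest_ensure_response( array( 'report' => 'diagnostic data goes here' ) );
}

// VULNERABLE PATTERN (shown for comparison only; not hooked below).
// '__return_true' is a core helper that always returns true, so WordPress
// skips authentication entirely and the endpoint is public.
function example_mailer_register_vulnerable() {
	register_rest_route( 'example-mailer/v1', '/tests/mock-data', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_mailer_mock_data',
		'permission_callback' => '__return_true',
	) );
}

// HARDENED PATTERN: only users with the manage_options capability
// (administrators) may call the endpoint. current_user_can() is false for
// unauthenticated visitors and for cookie sessions lacking a valid
// X-WP-Nonce, so the REST API answers 401/403 instead of the report.
function example_mailer_register_hardened() {
	register_rest_route( 'example-mailer/v1', '/tests/mock-data', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_mailer_mock_data',
		'permission_callback' => function ( WP_REST_Request $request ) {
			if ( current_user_can( 'manage_options' ) ) {
				return true;
			}
			return new WP_Error(
				'rest_forbidden',
				__( 'Diagnostic data is restricted to administrators.' ),
				array( 'status' => rest_authorization_required_code() )
			);
		},
	) );
}

add_action( 'rest_api_init', 'example_mailer_register_hardened' );
```

`__return_true` is legitimate only for endpoints that serve genuinely public data; any route that exposes credentials, configuration or environment details needs a capability check like the one above. Searching a site's plugin directory for the string `'permission_callback' => '__return_true'` is a quick way to find other routes worth reviewing.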

Wordfence researchers describe the impact as severe: "The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site." The plugin’s developer patched the flaw in version 2.1.5, released March 17, but BleepingComputer notes that exploitation began as early as May, with a sharp escalation in early June.

The Scale of the Attack: 17 Million Requests and Counting

Exploitation has been relentless. Wordfence’s firewall has blocked over 17 million requests targeting CVE-2026-4020, with activity spiking dramatically after June 6, according to The Hacker News. The most active IP addresses—including 45.148.10.95 and 185.8.106.37—have been flagged as sources of malicious traffic. The420.in frames this as a "coordinated, aggressive reconnaissance campaign," emphasizing that the stolen system reports provide attackers with a detailed blueprint for follow-up attacks.

Photo: BleepingComputer

While the CVSS score rates the vulnerability as medium-severity (5.3), security experts warn the real-world impact is far more dangerous. The exposed API keys allow attackers to send emails on behalf of compromised sites, while the system report reveals unpatched vulnerabilities and misconfigurations that could lead to full server compromise. BleepingComputer highlights that this is not just about credential theft—it’s about turning exposed sites into footholds for broader attacks.

Who’s at Risk? The 100,000 Sites Running Vulnerable Plugins

Gravity SMTP is installed on over 100,000 WordPress sites, many of which likely use third-party email integrations. The plugin’s popularity makes it a prime target, but the real damage lies in the data exposed. As The420.

  • Web server versions and configurations
  • Active plugins and their versions (potential for further exploitation)
  • Database metadata (table names, server type)
  • WordPress core and theme details

This level of exposure is particularly dangerous for enterprise sites, where attackers can use the stolen data to craft targeted follow-up attacks. The Hacker News quotes Wordfence researchers: "The detailed system report significantly lowers the effort required to plan further attacks against the site." For smaller sites, the risk is still severe—compromised email services can be used for phishing, spam, or even ransomware distribution.

What Sites Should Do Now: Patch, Rotate, and Monitor

WordPress site owners using Gravity SMTP versions 2.1.4 or older must act immediately. The fix is straightforward: update to version 2.1.5, rotate all exposed API keys, and monitor server logs for suspicious activity. BleepingComputer advises checking access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data with the ?page=gravitysmtp-settings parameter—a clear indicator of compromise.

  • Block the known malicious IP addresses (45.148.10.95, 185.8.106.37, etc.)
  • Review server logs for unauthorized access to the API endpoint
  • Rotate credentials for all connected email services (Amazon SES, Google, etc.)
  • Audit other plugins for similar misconfigurations
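The log review recommended above, as an added example that is not code from the article, BleepingComputer or the plugin. It assumes Apache/nginx "combined" access-log format; the log lines embedded in it are constructed samples, and the two source addresses are the ones named in the reporting:

```php
<?php
// Added example for the log check described above; not code from the
// article or the plugin. The log lines are constructed samples in
// Apache/nginx "combined" format, not real traffic.

const ENDPOINT_PATH  = '/wp-json/gravitysmtp/v1/tests/mock-data';
const ENDPOINT_PARAM = 'page=gravitysmtp-settings';
// Source addresses named in the reporting; used only to tag matching hits.
const REPORTED_SOURCES = array( '45.148.10.95', '185.8.106.37' );

// ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// Returns one record per request to the endpoint, whatever the status code.
function scan_access_log( array $lines ): array {
	$hits = array();
	foreach ( $lines as $line ) {
		if ( ! preg_match( COMBINED_LOG_RE, $line, $m ) ) {
			continue; // not a combined-format line; skip instead of guessing
		}
		list( , $ip, $time, $method, $target, $status ) = $m;
		$parts = parse_url( $target );
		if ( ( $parts['path'] ?? '' ) !== ENDPOINT_PATH ) {
			continue;
		}
		$hits[] = array(
			'ip'          => $ip,
			'time'        => $time,
			'method'      => $method,
			'status'      => (int) $status,
			'has_param'   => strpos( $parts['query'] ?? '', ENDPOINT_PARAM ) !== false,
			'reported_ip' => in_array( $ip, REPORTED_SOURCES, true ),
			// HTTP 200 means the server answered; on an unpatched version that
			// is the strongest sign the report (and any keys in it) was served.
			'served'      => (int) $status === 200,
		);
	}
	return $hits;
}

// Constructed sample lines (one served request, one rejected by a patched
// site, one unrelated, one malformed) so the script runs offline.
$sample_log = array(
	'45.148.10.95 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 96 "-" "curl/8.0"',
	'198.51.100.23 - - [07/Jun/2026:10:02:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
	'not a log line',
);

// Usage: php scan_mock_data.php [/path/to/access.log]; without an argument
// the constructed samples are scanned.
$lines = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample_log;

$served_by_ip = array();
foreach ( scan_access_log( $lines ) as $hit ) {
	printf(
		"%s %s %s status=%d param=%s reported_source=%s\n",
		$hit['time'], $hit['ip'], $hit['method'], $hit['status'],
		$hit['has_param'] ? 'yes' : 'no', $hit['reported_ip'] ? 'yes' : 'no'
	);
	if ( $hit['served'] ) {
		$served_by_ip[ $hit['ip'] ] = ( $served_by_ip[ $hit['ip'] ] ?? 0 ) + 1;
	}
}

// Any served (200) hit while a version before 2.1.5 was installed should be
// treated as credential exposure: rotate the connected services' keys.
foreach ( $served_by_ip as $ip => $count ) {
	printf( "served %d time(s) to %s: rotate connected email service credentials\n", $count, $ip );
}
```

Requests that were answered with 401 or 403 show that scanning reached the site but, on a patched version, did not return the report; a 200 response is the one that matters for deciding whether keys must be rotated. The script reports the query parameter separately because the endpoint path alone is already worth noticing in logs.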

While the patch is available, The420.in warns that the damage is already done for many sites. Attackers have been harvesting credentials since May, meaning some organizations may already be compromised. The advice is clear: assume breach, rotate keys, and harden defenses.

The Bigger Picture: Why This Matters Beyond WordPress

This incident underscores a broader trend: even seemingly minor vulnerabilities in widely used plugins can become catastrophic when exploited at scale. The Gravity SMTP flaw is not just about WordPress—it’s about the ripple effects of exposed API keys and system reports. As The Hacker News notes, the same techniques could be applied to other plugins with similar misconfigurations.

Photo: The420.in

For enterprises, the lesson is clear: third-party integrations—especially those handling sensitive credentials—must be treated as high-risk. The fact that this vulnerability was patched months ago but is still being exploited highlights another critical issue: many site owners fail to update plugins promptly. Automated updates and security monitoring could have mitigated much of the damage.

Looking ahead, we can expect more aggressive exploitation of similar flaws. The fact that attackers are already scanning for this vulnerability suggests they’re building playbooks for future campaigns. For WordPress administrators, the takeaway is simple: treat every plugin update as a security-critical patch, not just a feature release.

One thing is certain: this won’t be the last time a widely used plugin becomes a gateway for large-scale credential theft. The question is whether the WordPress community will respond with better security practices—or if attackers will keep finding new ways in.
