Immediate action is necessary if you use the Gravity SMTP plugin to send email through WordPress: a vulnerability in the plugin is currently being exploited, giving attackers access to WordPress users' settings and sensitive information, including passwords, API keys and OAuth tokens.
The vulnerability, CVE-2026-4020, carries a CVSS score of 5.3. It affects Gravity SMTP versions prior to 2.1.5. The plugin is installed on approximately 100,000 WordPress sites.
Wordfence has blocked more than 17 million exploit attempts targeting this flaw. Attackers have been active since early May 2026.
What Is the Gravity SMTP WordPress Vulnerability?
The vulnerability lies in the REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data, which the Gravity SMTP plugin exposes without any authentication check.
Requesting this endpoint with the URL parameter ?page=gravitysmtp-settings returns approximately 365 KB of data as a complete JSON object, including the full System Report for that installation of the plugin.
A System Report includes:
1. A list of installed and not-installed PHP extensions.
2. The current web server version.
3. The location of the home directory where site files are stored.
4. The type and version of the database on your server.
5. The current WordPress version.
6. A list of all active plugins and their version numbers.
7. The theme currently active on the WordPress site.
8. Configuration information for the WordPress installation.
9. A list of all table names in your database.
10. A listing of all keys and tokens used by the plugin.
The exposed API keys are those for:
1. Amazon SES
2. Google
3. Mailjet
4. Resend
5. Zoho
How Attackers Are Exploiting This
The Gravity SMTP WordPress vulnerability is trivial to exploit. An attacker sends an unauthenticated HTTP GET request to the vulnerable REST API endpoint with the ?page=gravitysmtp-settings parameter. The server returns the full System Report.
No credentials are needed and no further interaction is required: a single request is enough.
Wordfence measured exploitation traffic starting in early May 2026 and saw a sharp increase beginning on June 6, 2026; on the following day alone there were over 4 million exploit requests.
The exploit efforts have originated from a handful of IP addresses. Blocking these IPs is a partial mitigation, but updating the plugin is the only complete fix.
Why This Matters
API keys and OAuth tokens are the keys to your email services. An attacker who steals your email credentials can:
1. Send email on behalf of your email account.
2. Access your connected email accounts.
3. Circumvent email authentication controls.
4. Use your email reputation for spam campaigns.
Because the exposed credentials belong to third-party services, the impact of the Gravity SMTP vulnerability reaches beyond the plugin itself to every service you have connected to it.
The detailed system report also provides attackers with a roadmap for follow-on attacks. They know your PHP version. They know your WordPress version. They know all your active plugins. They can target known vulnerabilities in those components.
What to Do
If you run Gravity SMTP, take these steps immediately:
1. Update the plugin to the current stable release (version 2.1.5 or later) to fix the vulnerability itself.
2. Rotate credentials. Treat every API key and OAuth token configured in Gravity SMTP as already compromised: generate new credentials at each provider and enter the new values in the plugin.
3. Review your web server logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings.
4. If requests to that endpoint came from the known malicious IP addresses, treat the site as potentially compromised.
5. Monitor your email accounts for unauthorized access, including unusual emails sent from your domain.
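One way to carry out the log review in step 3, as an added example that is not part of the article or the plugin: a PHP CLI script that parses combined-format access-log lines, matches both the pretty-permalink URL and the ?rest_route= form WordPress also accepts, and flags source IPs that received a 200 response (the System Report was most likely served). The log lines are constructed samples using RFC 5737 documentation IPs, not the addresses named in the article.

```php
<?php
// Added example, not from the article: scan access-log lines (Apache/Nginx
// combined format) for requests to the Gravity SMTP mock-data endpoint and
// summarise them per source IP. Sample lines are constructed (RFC 5737 IPs).

const GSMTP_ENDPOINT = '/wp-json/gravitysmtp/v1/tests/mock-data';
const GSMTP_REST_ROUTE = 'rest_route=/gravitysmtp/v1/tests/mock-data';

// Parse one combined-format line into ip, time, path and status; null if it does not match.
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'path' => rawurldecode($m[4]), 'status' => (int) $m[5]];
}

// True for both the pretty-permalink URL and the ?rest_route= form (decoded above).
function is_gsmtp_report_request(string $path): bool
{
    return strpos($path, GSMTP_ENDPOINT) === 0 || strpos($path, GSMTP_REST_ROUTE) !== false;
}

// Per-IP counts: a 200 response means the System Report was most likely served.
function summarise_endpoint_hits(array $lines): array
{
    $summary = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null || !is_gsmtp_report_request($req['path'])) {
            continue;
        }
        $ip = $req['ip'];
        $summary[$ip] ??= ['first_seen' => $req['time'], 'served' => 0, 'other' => 0];
        $summary[$ip][$req['status'] === 200 ? 'served' : 'other']++;
    }
    return $summary;
}

$sample = [
    '203.0.113.7 - - [06/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 374112 "-" "curl/8.5"',
    '198.51.100.9 - - [06/Jun/2026:10:02:41 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2026:10:03:05 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 403 210 "-" "curl/8.5"',
];
foreach (summarise_endpoint_hits($sample) as $ip => $s) {
    printf("%-15s first seen %s  served: %d  other: %d%s\n", $ip, $s['first_seen'], $s['served'], $s['other'],
        $s['served'] > 0 ? '  <- System Report likely disclosed; rotate credentials' : '');
}
```

Point `$sample` at the lines of your real access log (for example via `file()`) and any IP with a non-zero "served" count means the report, and the credentials in it, left the server.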
The Known Malicious IPs
Block the following IP addresses at your firewall or via a security plugin:
Blocking these IPs will stop known exploit attempts. It will not protect you from other attackers who may use different IPs.
The Bigger Picture
The Gravity SMTP WordPress vulnerability is another example of how REST API endpoints can become a security liability. Permission callbacks that return true without authentication are a common coding mistake.
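The coding mistake described above, shown as an added example that is not the plugin's source code: a WordPress REST route whose permission_callback always returns true, beside the hardened form that requires an authenticated administrator and stops echoing raw secrets. The "example-smtp/v1" namespace, function names and option name are hypothetical; register_rest_route, current_user_can and the other WordPress APIs are real.

```php
<?php
// Added example, not the plugin's source code: the REST-route pattern the
// article describes. The "example-smtp/v1" namespace, function names and
// option name are hypothetical; the WordPress APIs used are real.

// Vulnerable pattern: permission_callback always returns true, so anyone who
// can reach /wp-json/ gets the report, with no cookie, nonce or token at all.
function example_smtp_register_report_route_vulnerable(): void
{
    register_rest_route('example-smtp/v1', '/tests/mock-data', [
        'methods'             => 'GET',
        'callback'            => 'example_smtp_build_system_report',
        'permission_callback' => '__return_true',   // the mistake
    ]);
}

// Hardened pattern: require an authenticated administrator. WordPress only
// applies cookie authentication to REST requests carrying a valid X-WP-Nonce
// header, so an unauthenticated GET is rejected before the callback runs.
function example_smtp_register_report_route_hardened(): void
{
    register_rest_route('example-smtp/v1', '/tests/mock-data', [
        'methods'             => 'GET',
        'callback'            => 'example_smtp_build_system_report',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!is_user_logged_in()) {
                return new WP_Error('rest_not_logged_in', 'Authentication required.', ['status' => 401]);
            }
            return current_user_can('manage_options');
        },
    ]);
}

// Defence in depth: even an administrator should not get raw secrets back.
function example_smtp_build_system_report(WP_REST_Request $request): WP_REST_Response
{
    $report = [
        'wp_version'  => get_bloginfo('version'),
        'php_version' => PHP_VERSION,
        // Report whether a key is configured, never its value.
        'ses_api_key' => get_option('example_smtp_ses_key') ? '[configured]' : '[not set]',
    ];
    return new WP_REST_Response($report, 200);
}

add_action('rest_api_init', 'example_smtp_register_report_route_hardened');
```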
The exploit activity demonstrates how quickly attackers move to weaponize new vulnerabilities. The patch was released recently. Attackers were already active before the patch was widely deployed.
The Bottom Line
The Gravity SMTP WordPress vulnerability is actively exploited. Patch to version 2.1.5 immediately. Rotate all exposed credentials. Review your logs for evidence of compromise.
If your site runs Gravity SMTP and you have third-party email integrations configured, assume the worst. API keys are exposed. Attackers are scraping them.
Update. Rotate. Investigate. And do it now.
FAQ Section
What is CVE-2026-4020?
CVE-2026-4020 is an information disclosure vulnerability in the Gravity SMTP plugin for WordPress that can be exploited without valid authentication. It allows attackers who have no account on the site to read the sensitive information contained in the plugin's System Report, including API keys.
Which versions of Gravity SMTP are affected?
Any version prior to 2.1.5 is affected. The vulnerability was patched in version 2.1.5.
What is the mechanism of attack?
An attacker sends an unauthenticated HTTP GET request to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings. The server responds with the complete System Report, including API keys and configuration data.
What information is revealed?
The System Report discloses your PHP version, web server version, WordPress version, active plugins, database information, and the API keys and tokens for any third-party email services in use (for example Amazon SES, Google, Mailjet, Resend and Zoho).
How many attempts to exploit have been recorded?
Wordfence has successfully blocked over 17,000,000 attempts to exploit this vulnerability.
What should I do if my Gravity SMTP installation has been compromised?
Upgrade to version 2.1.5 right now and rotate your exposed API keys and OAuth tokens. Then check your logs for any requests made to the vulnerable endpoint.
Source: The Hacker News