Hackers Exploit Gravity SMTP Flaw to Steal API Keys from WordPress Sites
Threat actors are actively exploiting a recently patched information disclosure vulnerability in the Gravity SMTP WordPress plugin, installed on roughly 100,000 websites. Tracked as CVE-2026-4020 with a CVSS score of 5.3, the medium-severity flaw stems from a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, so WordPress performs no authentication or capability check before running it. According to Wordfence, requesting the endpoint with the ?page=gravitysmtp-settings query parameter appended triggers the plugin's register_connector_data() method to populate internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report to any unauthenticated visitor.
The leaked data is extensive and highly sensitive, including the site's PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and, critically, the API keys and tokens configured for email integrations such as Amazon SES, Google, Mailjet, Resend, and Zoho. Attackers can use the exposed third-party email credentials to send email through the victim's provider account, on behalf of the compromised site, while the detailed system report significantly lowers the effort required to plan targeted follow-on intrusions. Site administrators who suspect exposure should treat every API key and token stored in the plugin as compromised and revoke and reissue each one at the issuing provider; removing the old value from WordPress alone does not invalidate it.
Exploitation began in early May 2026 and escalated sharply around June 6, 2026, with daily spikes exceeding 4 million requests. Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date, originating from IP addresses including 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30. The vendor shipped a fix in Gravity SMTP version 2.1.5, and operators running any earlier version should treat their connected third-party email credentials as compromised, since the endpoint required no authentication and a single request was enough to retrieve the report. After updating to the patched release, administrators should rotate all stored API keys and OAuth tokens at the providers that issued them, audit the providers' email send logs for unauthorized activity, and review web server access logs for requests to the mock-data endpoint to establish when, and from where, the report was actually served. Because the report also enumerates the site's software stack and configuration, a broader review of the site's externally visible footprint is recommended to identify any additional exposure created during the exploitation window.
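The following is an added example and is not code from the article, from Wordfence, or from the Gravity SMTP plugin. It implements the access-log review recommended above as a small Python triage script: it recognises requests to the mock-data endpoint both by its pretty REST path and by the ?rest_route= form that WordPress accepts on sites without pretty permalinks, separates bare probes from requests carrying the page=gravitysmtp-settings trigger, treats a trigger request answered with HTTP 200 as a disclosure (a patched install answers the unauthenticated request with 401/403), counts attempts per source address, cross-references the addresses named in the article, and checks an installed version string against 2.1.5. The combined-log-format regex, the sample log lines and the response sizes in them are constructed for the example, not real traffic.

```python
"""Access-log triage for CVE-2026-4020 (Gravity SMTP mock-data endpoint)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
VULN_PATH = "/wp-json" + VULN_ROUTE
TRIGGER_PARAM = ("page", "gravitysmtp-settings")
PATCHED_VERSION = (2, 1, 5)

# Source addresses named in the article's Wordfence data.
KNOWN_SOURCES = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

# Apache/nginx combined log format (assumption: adjust for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; the byte counts are illustrative only.
SAMPLE_LOG = [
    '45.148.10.95 - - [06/Jun/2026:03:12:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '193.32.162.60 - - [06/Jun/2026:03:12:51 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 373702 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Jun/2026:03:13:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '198.51.100.9 - - [06/Jun/2026:09:40:10 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 97 "-" "curl/8.5.0"',
    '198.51.100.9 - - [06/Jun/2026:09:41:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def hits_endpoint(target):
    """True if the request reaches the vulnerable route by either URL form."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") == VULN_PATH:
        return True
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(r.rstrip("/") == VULN_ROUTE for r in routes)


def has_trigger(target):
    """True if the query carries page=gravitysmtp-settings, which fills the report."""
    key, value = TRIGGER_PARAM
    return value in parse_qs(urlsplit(target).query).get(key, [])


def triage(lines):
    """Count attempts per IP and list sources that received the report (HTTP 200)."""
    attempts = Counter()
    leaks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not hits_endpoint(rec["target"]):
            continue
        attempts[rec["ip"]] += 1
        # A 200 on a trigger request means the System Report left the server;
        # 401/403 is the patched permission callback refusing the request.
        if has_trigger(rec["target"]) and rec["status"] == 200:
            leaks.append(rec["ip"])
    return {
        "attempts": dict(attempts),
        "leaks": leaks,
        "known_sources": sorted(set(attempts) & KNOWN_SOURCES),
    }


def is_patched(version):
    """True if a plugin version string is 2.1.5 or later."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return parts >= PATCHED_VERSION


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("attempts per IP:", result["attempts"])
    print("report served to:", result["leaks"])
    print("addresses from the article:", result["known_sources"])
    print("2.1.4 patched?", is_patched("2.1.4"), "| 2.1.5 patched?", is_patched("2.1.5"))
```

Any address in the leaks list received the full System Report, so the credentials it contained must be rotated regardless of whether the address appears in the published list. Note that a 200 on the trigger URL is the only reliable indicator here: response sizes vary with compression and with how many connectors are configured, so the script does not rely on them.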