- CVE: CVE-2026-4020
- CVSS: 7.5 (High)
- Product: RocketGenius Gravity SMTP
- Affected: <= 2.1.4
- Impact: <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API
- Status: ACTIVE
- EPSS: 13.5% (30-day)
- Action: Update Gravity SMTP to version 2.1.5
A high-severity Gravity SMTP vulnerability is under active exploitation in the wild, and WordPress site administrators should patch without delay. The plugin has an estimated 100,000 active installations worldwide. The Sensitive Information Exposure flaw was disclosed on March 30th, 2026, and every installation still running a vulnerable version is exposed to credential theft: an unauthenticated attacker can retrieve the site's detailed system configuration, including the credentials the plugin uses for its email delivery integrations.
Unpacking CVE-2026-4020
This flaw is tracked as CVE-2026-4020. It carries a CVSS score of 7.5 (High), yet the practical impact is severe. The root cause is a REST API endpoint registered at the mock-data path whose permission callback unconditionally returns true. In WordPress, the permission callback is the only authorization check a REST route performs, so any unauthenticated visitor can call the endpoint directly; there is no security layer to bypass. The Wordfence report states, “The Wordfence Firewall has already blocked over 17 million exploit attempts targeting this vulnerability.”
The Mechanics of the Exploit
Exploitation of this Gravity SMTP vulnerability is simple. The attacker sends a GET request to the vulnerable endpoint with the settings query parameter appended; no session or credentials are required. The plugin's internal methods then populate the connector data automatically, and the endpoint responds with roughly 365 KB of JSON containing the full System Report for the WordPress site. That report exposes the PHP version, the database server type, and the complete list of active plugins.
Severe Data Exposure Risks
The real danger is the exposure of live third-party API credentials, because the leaked System Report includes the plugin's authentication details. As the researcher warns, “Most critically, the report also includes the API keys, secrets, and OAuth tokens configured for the plugin’s email delivery integrations.” An attacker can therefore steal working credentials for services such as Amazon SES, Google, and Mailjet, and abuse those connected email services to send spam or phishing from the victim's own sending infrastructure. The rest of the report (versions, database type, active plugins) also lowers the effort needed to plan further targeted attacks against the site.
Massive Attack Volume
Threat actors are aggressively scanning for this Gravity SMTP vulnerability. According to network traffic data, exploitation ramped up sharply in early June, with the single largest spike on June 7th, 2026: in that 24-hour window, security firewalls blocked over 4 million individual exploit attempts. A handful of IP addresses drive most of this automated traffic. The address 45.148.10.95 alone generated over 642,000 malicious requests, and 193.32.162.60 accounted for over 586,000 blocked attempts. Blocking these addresses at the network edge is a reasonable stopgap, but scanning infrastructure rotates quickly, so it is no substitute for updating the plugin.
Immediate Action and Remediation
Site owners should act quickly. First, update Gravity SMTP to the patched release, version 2.1.5. Second, if the site ever ran a vulnerable version while reachable from the internet, assume the plugin's API keys, secrets, and OAuth tokens are already compromised and rotate the credentials on every connected email platform; a new key on the provider side is the only way to invalidate a copy that has already been downloaded. Third, review web server access logs for GET requests to the mock-data REST endpoint, paying particular attention to requests that received a 200 response with a large body, since those are the ones that most likely returned the full System Report; remember that WordPress also serves REST routes through the rest_route query parameter, not only under /wp-json/. Rapid patching plus credential rotation remains the best defense against this ongoing threat.
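The log review above can be scripted. The following is an added example, not code from the original page or from Gravity SMTP: it parses combined-format access log lines, flags GET requests whose REST path ends in the mock-data segment named on this page (the namespace in front of it is not given here, so the constructed sample paths and the match on the path tail are assumptions), notes whether the settings query parameter was present, and separates responses that likely returned the full report (200 with a large body) from probes that were blocked or failed. The 100 KB size floor is an assumed threshold chosen below the roughly 365 KB the page reports. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Triage access logs for hits on the Gravity SMTP mock-data REST endpoint (example, not the plugin's code)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format; referrer and user agent are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: only the final path segment is known from the advisory, so we
# match on that tail rather than on a full route.
MOCK_DATA_TAIL = "/mock-data"
# Assumption: a 200 with a body at or above this size is treated as a full
# System Report (the advisory reports roughly 365 KB).
EXPOSURE_SIZE_FLOOR = 100_000

# Constructed sample log; IPs are from documentation ranges, the REST
# namespace "gravitysmtp/v1" is an assumption for illustration.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/mock-data?settings=1 HTTP/1.1" 200 373812 "-" "python-requests/2.31"
203.0.113.5 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2026:03:15:41 +0000] "GET /?rest_route=/gravitysmtp/v1/mock-data&settings=1 HTTP/1.1" 403 113 "-" "curl/8.4.0"
192.0.2.10 - - [07/Jun/2026:03:16:02 +0000] "GET /wp-json/gravitysmtp/v1/mock-data HTTP/1.1" 401 90 "-" "python-requests/2.31"
203.0.113.5 - - [07/Jun/2026:03:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify_request(method, target):
    """Return (how the route was reached, settings param present) for a
    mock-data hit, or None for any other request."""
    if method != "GET":
        return None
    parts = urlsplit(target)
    # keep_blank_values so a bare "?settings" or "settings=" still counts.
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path.rstrip("/").endswith(MOCK_DATA_TAIL):
        return "path", "settings" in query
    # WordPress also serves REST routes as /?rest_route=/ns/v1/route when
    # pretty permalinks are off; scanners use this form too.
    for route in query.get("rest_route", []):
        if route.rstrip("/").endswith(MOCK_DATA_TAIL):
            return "rest_route", "settings" in query
    return None


def triage(lines):
    """Return (findings, hits per source IP) for lines that touched the endpoint."""
    findings, by_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        hit = classify_request(m["method"], m["target"])
        if hit is None:
            continue
        via, has_settings = hit
        status = int(m["status"])
        size = int(m["size"]) if m["size"].isdigit() else 0
        if status == 200 and size >= EXPOSURE_SIZE_FLOOR:
            verdict = "likely exposure"        # full report most likely served
        elif status == 200:
            verdict = "served, small body: review"
        else:
            verdict = "blocked or failed"      # WAF block or patched plugin
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "via": via,
            "has_settings": has_settings, "status": status,
            "size": size, "verdict": verdict,
        })
        by_ip[m["ip"]] += 1
    return findings, by_ip


if __name__ == "__main__":
    found, counts = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']} {f['ip']:<15} {f['status']} {f['size']:>7}B "
              f"via={f['via']} settings={f['has_settings']} -> {f['verdict']}")
    print("hits per IP:", dict(counts))
```

Run it against a real log with `triage(open("access.log").readlines())`. Any "likely exposure" line means the credentials in the plugin's integrations should be treated as stolen regardless of whether the site has since been patched; "blocked or failed" lines still show which sources were probing and are worth feeding into edge blocking.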
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.