jproxx

Security Advisory: Actively Exploited Flaw in the Gravity SMTP WordPress Plugin (CVE-2026-4020) — API Keys and Tokens Exposed to Anyone

27 June 2026 · jproxx Security

Today’s security advisory concerns a vulnerability that was fixed back in the spring but whose impact is only unfolding now, because it has been exploited at scale since the beginning of June. The affected component is the Gravity SMTP WordPress plugin, which routes a site’s outgoing mail through external sending services and is installed on around 100,000 sites. As in all of our posts, every statement has been checked against its underlying primary sources, which are linked at the end.

CVE-2026-4020 — Unauthenticated Exposure of Sensitive Data in Gravity SMTP (high)

The Gravity SMTP plugin by RocketGenius contains, in all versions up to and including 2.1.4, a flaw that lets unauthenticated visitors read confidential configuration data. The cause is a route registered on the WordPress REST API at /wp-json/gravitysmtp/v1/tests/mock-data whose permission check (the permission_callback) unconditionally grants access rather than checking the caller’s capability, so WordPress serves the route to any anonymous visitor.

Called with the parameter ?page=gravitysmtp-settings, the endpoint returns a JSON system report of around 365 kilobytes containing, among other things, the PHP and database versions, every active plugin with its version number, database table names and, most sensitively, the API keys and OAuth tokens stored for the configured mail integrations, for example Amazon SES, Google, Mailjet, Resend and Zoho. An attacker can harvest these credentials with a single request and use them to send mail that appears to come from the site or to access the connected provider accounts. The National Vulnerability Database carries the 7.5 rating assigned by Wordfence, classifies the vulnerability as high and assigns it to weakness class CWE-200 (Exposure of Sensitive Information). The flaw has been fixed since March 2026 in version 2.1.5.
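As an added illustration (not the plugin’s own code and not taken from either source), the following shows the two REST registrations side by side: the pattern that makes a WordPress route anonymously readable, and the hardened form. The namespace example-smtp/v1, the callback and option names and the manage_options capability are assumptions chosen for this example; the plugin’s real code may differ.

```php
<?php
/**
 * Illustration only (added example, not the plugin's code): how a WordPress
 * REST route ends up readable by anonymous visitors, and the hardened form.
 * Namespace, callback names, option name and capability are assumptions.
 */

add_action( 'rest_api_init', function () {
    // VULNERABLE PATTERN: '__return_true' as the permission callback is the
    // documented way to declare a *public* route. WordPress (5.5+) warns when
    // permission_callback is missing, but '__return_true' silences that
    // warning while letting every anonymous GET reach the callback.
    register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require a capability only administrators hold. WordPress
    // evaluates this before the callback runs; failing callers get a
    // rest_forbidden error with 401 (not logged in) or 403 (logged in,
    // insufficient rights) from rest_authorization_required_code().
    register_rest_route( 'example-smtp/v1', '/tests/mock-data-fixed', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read the system report.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

/**
 * Hypothetical report callback. Even behind a correct permission check,
 * anything meant for support or debugging should not carry live secrets.
 */
function example_smtp_system_report( WP_REST_Request $request ) {
    $report = array(
        'php_version'  => PHP_VERSION,
        'plugins'      => get_option( 'active_plugins', array() ),
        // Assumption: integration settings live under this option name.
        'integrations' => example_smtp_redact( get_option( 'example_smtp_integrations', array() ) ),
    );
    return rest_ensure_response( $report );
}

/** Replace values whose key looks like a secret with their last four characters. */
function example_smtp_redact( array $settings ) {
    foreach ( $settings as $key => $value ) {
        if ( is_array( $value ) ) {
            $settings[ $key ] = example_smtp_redact( $value );
        } elseif ( is_string( $value ) && preg_match( '/(key|secret|token|password)/i', (string) $key ) ) {
            $settings[ $key ] = '…' . substr( $value, -4 );
        }
    }
    return $settings;
}
```

Two points worth noting when reviewing a plugin for this pattern. First, the review question is never whether a permission_callback exists but whether the route should be public at all; '__return_true' is correct for a genuinely public read (say, a list of published posts) and wrong for anything that reads settings. Second, a capability check on a REST route only sees a logged-in user when the request carries a valid nonce (the X-WP-Nonce header for cookie authentication) or application-password credentials; a plain browser GET without it is evaluated as an anonymous visitor and, with the hardened form, receives a 401.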

Why this advisory comes now

Although the fix has been available for months, the vulnerability only became a widespread problem in June: according to Wordfence, more than 17 million exploitation attempts have been blocked to date, the first of them in early May, with the volume spiking around 6 June 2026 to temporarily more than four million requests per day. Any site that has not updated the plugin and still runs a version up to 2.1.4 hands over its stored credentials in full in response to such a request. Because the data is read with a single unauthenticated request, the access leaves no trace in WordPress’s own login records; only the web server’s access log, where it has been retained, can show whether the endpoint was hit, so a prior exposure can rarely be ruled out after the fact.

What you should do now

Update Gravity SMTP to version 2.1.5 or newer without delay. Anyone who ran a vulnerable version with configured mail integrations should additionally assume a possible compromise and reissue every credential the plugin stored: regenerate the API keys of the connected sending services, and revoke and re-authorise the OAuth connections at the provider, since a leaked OAuth refresh token typically remains usable until the grant itself is revoked. Review the web server access log for requests to the endpoint named above; note that WordPress also accepts REST routes in the query-string form /?rest_route=/gravitysmtp/v1/tests/mock-data, so a search for /wp-json/ alone would miss some hits. Applying the update closes the flaw, but it does not invalidate credentials that may already have leaked beforehand.
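For the log review, here is an added example (not from the advisory or the plugin) of a small PHP CLI script that scans combined-format access logs for both forms of the endpoint URL after URL-decoding, and summarises hits per source address. The sample log lines are constructed for the example, using documentation IP ranges and invented timestamps; the script name scan-gravitysmtp.php is an assumption.

```php
<?php
/**
 * Added example (not from the advisory or the plugin): scan web server
 * access logs for requests to the disclosing endpoint. Requires PHP 8.
 * Covers the pretty-permalink form (/wp-json/gravitysmtp/v1/tests/mock-data)
 * and the query form WordPress also accepts (/?rest_route=/gravitysmtp/...),
 * after URL-decoding so percent-encoded variants are not missed.
 *
 * Usage: php scan-gravitysmtp.php /var/log/nginx/access.log [more files]
 * Without arguments it runs over the constructed sample lines below.
 */

const ENDPOINT_PATH = '/gravitysmtp/v1/tests/mock-data';

/** True when a combined-log-format line requests the endpoint. */
function hits_endpoint( string $line ): bool {
    // The request target sits inside the quoted "METHOD target HTTP/x.y" field.
    if ( ! preg_match( '/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/', $line, $m ) ) {
        return false;
    }
    $target = rawurldecode( $m[1] );
    return str_contains( $target, '/wp-json' . ENDPOINT_PATH )
        || str_contains( $target, 'rest_route=' . ENDPOINT_PATH );
}

/**
 * Per-source summary: hit count, first/last timestamp, status codes seen and
 * the largest response. On a pre-2.1.5 install a 200 with a body of several
 * hundred kilobytes means the report, secrets included, was delivered.
 */
function summarise( iterable $lines ): array {
    $out = array();
    foreach ( $lines as $line ) {
        if ( ! hits_endpoint( $line ) ) {
            continue;
        }
        // client IP, bracketed timestamp, then status and size after the request field
        preg_match( '/^(\S+).*?\[([^\]]+)\].*?"\s(\d{3})\s(\d+|-)/', $line, $m );
        $ip   = $m[1] ?? '?';
        $size = (int) ( $m[4] ?? 0 );
        $out[ $ip ] ??= array( 'count' => 0, 'first' => $m[2] ?? '?', 'last' => '?', 'statuses' => array(), 'max_bytes' => 0 );
        $out[ $ip ]['count']++;
        $out[ $ip ]['last'] = $m[2] ?? '?';
        $out[ $ip ]['statuses'][ $m[3] ?? '?' ] = true;
        $out[ $ip ]['max_bytes'] = max( $out[ $ip ]['max_bytes'], $size );
    }
    return $out;
}

/** Stream one or more log files line by line without loading them into memory. */
function read_logs( array $paths ): Generator {
    foreach ( $paths as $path ) {
        $fh = fopen( $path, 'r' );
        while ( ( $line = fgets( $fh ) ) !== false ) {
            yield $line;
        }
        fclose( $fh );
    }
}

// Constructed sample lines (documentation IP ranges, invented timestamps).
$sample = array(
    '203.0.113.7 - - [06/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2026:03:14:09 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"',
    '198.51.100.23 - - [06/Jun/2026:03:20:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 95 "-" "curl/8.5.0"',
    '192.0.2.55 - - [06/Jun/2026:03:21:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

$files  = array_slice( $argv ?? array(), 1 );
$report = summarise( $files ? read_logs( $files ) : $sample );
foreach ( $report as $ip => $r ) {
    printf( "%-16s %5d hits  %s .. %s  status %s  max %d bytes\n",
        $ip, $r['count'], $r['first'], $r['last'],
        implode( ',', array_keys( $r['statuses'] ) ), $r['max_bytes'] );
}
```

Read the output as follows: a 200 from a request made while the site was still on 2.1.4 or older, with a response in the hundreds of kilobytes, is a confirmed disclosure and the credentials in the plugin must be rotated; a 401 or 403 means the request was refused, for example by the patched permission check or a web application firewall in front of the site. The script can only report what the log still contains, so a short retention window or a CDN in front of the origin limits what can be ruled out.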

Sources: National Vulnerability Database — CVE-2026-4020 · The Hacker News — Gravity SMTP

Not sure whether you’re affected? Get in touch.


This advisory is provided for security awareness. The official notices from the respective vendor and the sources linked above always take precedence.