Hackers exploit info disclosure bug in Gravity SMTP plugin

Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is installed on more than 100,000 sites.

Wordfence has blocked over 17 million exploit attempts. The security firm reports that exploitation spiked on June 7 with more than 4 million requests blocked that day, followed by sustained high volume through June 11. CrowdSec first observed in-the-wild activity on May 27 and recorded 412 distinct attacking IP addresses by June 1, after which the attempts became background noise.

The vulnerability is tracked as CVE-2026-4020 with a CVSS score of 5.3. It affects all versions of Gravity SMTP from 2.1.4 and earlier. The patch arrived in version 2.1.5, released on March 17, with public disclosure following on March 30.

The flaw exposes a REST API endpoint without authentication. The endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, often including the ?page=gravitysmtp-settings query parameter, returns a roughly 365 KB JSON system report because its permission_callback always returns true. Administrators should monitor web server access logs for these requests and block the most prolific source IP addresses listed by Wordfence.

The exposed report contains API keys, secrets, and OAuth tokens for configured email integrations. It also includes credentials for third-party services such as Amazon SES, Google, Mailjet, Resend, and Zoho. Additional details cover installed plugins and themes, software versions, server and PHP environment data, database configuration including server version and table names, PHP extensions, and the document root.

Exposed credentials enable impersonation and further attacks. Researchers warn that attackers can abuse the site's connected email services using live third-party API credentials. The detailed system report also lowers the effort required to plan subsequent attacks by revealing the site's software stack and potential vulnerabilities. Wordfence researcher Osvaldo Noe Gonzalez Del Rio contributed to the analysis.

Website administrators running vulnerable versions should update to 2.1.5 immediately. Blocking known malicious IPs and searching logs for the specific endpoint serve as key indicators of compromise. The incident follows Wordfence's separate advisory on June 18 on a critical unauthenticated arbitrary file-deletion flaw in the Avada Builder plugin, used on one million sites.