TL;DR
Wordfence blocked 17M+ attempts to exploit a Gravity SMTP bug that leaks API keys and system data from WordPress sites without authentication.
Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration data to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security firm owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity began in early May 2026. The plugin is installed on approximately 100,000 WordPress sites.
The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, affects all versions of Gravity SMTP through 2.1.4. A patch was released in version 2.1.5 on 17 March 2026, but exploitation did not begin until roughly two months later, suggesting attackers reverse-engineered the fix or discovered the flaw independently after the patch drew attention to it.
The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback function that unconditionally returns true. That means no authentication check runs before the server processes the request. When an attacker appends the query parameter ?page=gravitysmtp-settings, the plugin’s register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the site’s full system report.
The exposed data includes API keys, secrets, and OAuth tokens for every email integration configured in the plugin. Gravity SMTP supports Amazon SES, Google, Mailjet, Resend, and Zoho, and credentials for any of these services appear in the response if they have been configured. An attacker who obtains those credentials can send email on behalf of the compromised site, a capability that is useful for phishing campaigns and business email compromise.
The system report also contains the WordPress version, PHP version and loaded extensions, the web server version, the document root path, the database server type and version, all active plugins with their version numbers, the active theme, and database table names. That information gives attackers a detailed map of the site’s software stack, significantly reducing the reconnaissance effort required to plan follow-on attacks against known vulnerabilities in specific plugin or server versions.
“The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site,” Wordfence researchers wrote in their advisory.
Exploitation volume spiked sharply around 6 June 2026, with Wordfence blocking more than 4 million requests in a single day on 7 June. The attack traffic has originated primarily from a cluster of IP addresses that Wordfence published for administrators to add to blocklists. The key indicator of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in web server access logs, particularly those containing the ?page=gravitysmtp-settings query parameter.
CrowdSec, the open-source threat intelligence platform, independently corroborated the timeline. It deployed detection for CVE-2026-4020 on 22 May and observed the first real-world exploitation on 27 May. By 1 June, the activity had been classified as background noise, indicating it had been integrated into automated scanning routines that sweep WordPress sites at scale.
The speed at which exploitation was industrialised reflects a broader pattern in WordPress plugin security. The flaw requires no authentication, targets a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. WordPress’s plugin ecosystem has faced repeated supply chain compromises in 2026, including an attack in which 30 plugins purchased on Flippa were backdoored and lay dormant for eight months before activation.
The Gravity SMTP vulnerability is distinct from those supply chain attacks in that it does not involve malicious code injected by a compromised developer. It is a straightforward coding error, a permission callback that should have verified the requesting user’s credentials but instead returned true for every request. The simplicity of the flaw makes its survival through development, review, and release notable.
The exposure of API credentials is particularly dangerous because those credentials often persist even after the plugin is updated. Updating to version 2.1.5 closes the vulnerable endpoint, but it does not revoke or rotate the API keys that may have already been harvested. Credential theft through software flaws is an accelerating problem across the industry, with recent research showing that exposed API credentials are exploited within minutes of discovery.
Wordfence’s advisory urges site owners running a vulnerable version of Gravity SMTP who have configured third-party email integrations to assume compromise. The recommended remediation is to update the plugin to version 2.1.5 or later, then immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin’s email connectors. Administrators should also review server log files for requests from the published attacker IP addresses.
The CVE was published on 31 March 2026, two weeks after the patch shipped. Despite the three-month window between patch availability and peak exploitation, many sites remain vulnerable. The gap between when patches become available and when organisations deploy them is one of the most persistent problems in software security, and WordPress plugins are especially prone to it because many site operators do not monitor plugin changelogs or enable automatic updates.
Wordfence also issued a separate advisory this week for CVE-2026-8713, a critical unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin, which is installed on approximately one million WordPress sites. That flaw allows attackers to delete files on the server through a path traversal bug, and deleting wp-config.php can revert a site to its initial setup state, potentially enabling a full takeover.
A patch for the Avada Builder flaw is available in version 3.15.4, and no active exploitation of CVE-2026-8713 has been observed yet.
Wordfence did not attribute the Gravity SMTP exploitation to a specific threat actor or group. The pattern of mass scanning from a small cluster of IP addresses is consistent with opportunistic credential harvesting rather than targeted intrusion, though the stolen credentials could be sold or shared with more sophisticated operators for follow-on attacks.
