CVE-2026-4020
Published 2026-03-31
Priority P184 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS 39.70% (98.4th percentile)
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocketgenius | gravity_smtp | <= 2.1.4 | 2.1.5 (released 2026-03-17) |
Detection & IOCs (extracted from sources)
Indicators:
- other: gravitysmtp_admin_config
- other: system_report_clipboard
- yara: words ["gravitysmtp_admin_config", "system_report_clipboard", "feature_flags"] in response body with HTTP 200 and Content-Type: application/json
Guidance:
- Flag HTTP 200 JSON responses from /wp-json/gravitysmtp/v1/tests/mock-data that contain the strings 'gravitysmtp_admin_config', 'system_report_clipboard' and 'feature_flags' simultaneously; all three together mean the full System Report was returned, i.e. successful data exfiltration.
- Block or alert on requests from the listed attacker IP ranges (45.148.10.x, 185.8.106.x, 185.8.107.x, 176.65.148.x, 193.32.162.x, 173.199.90.x) targeting WordPress REST API endpoints.
- Exploitation requires no authentication: on sites running Gravity SMTP <= 2.1.4, any unauthenticated GET request to the endpoint is suspicious and should be alerted on.
- Successful exploitation returns approximately 365 KB of JSON; an anomalously large JSON response from the gravitysmtp REST API endpoint is a strong indicator of successful data exposure.
- Caveat: only API keys/tokens actually configured in the plugin for third-party email integrations (Amazon SES, Google, Mailjet, Resend, Zoho) are exposed; sites without configured integrations have reduced but non-zero exposure, since the System Report still reveals versions, paths and database table names.
- Caveat: register_connector_data() is only triggered, and the full System Report only returned, when ?page=gravitysmtp-settings is appended to the endpoint; requests without this parameter do not trigger the full data exposure, so hunt on the query string and not only on the path.
- Timeline: exploitation activity began in early May 2026, after the patch (version 2.1.5, released March 17) had shipped but before it was widely adopted, so sites that updated promptly were protected before mass exploitation began.
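The two checks the summary and the guidance above describe, as an added example that is neither this page's nor Gravity SMTP's own code: a classifier for one reply from the mock-data endpoint (status, content type, the three marker strings) and a hunt over combined-format web-server access logs for the request-side signals (route, the ?page=gravitysmtp-settings trigger parameter, response size, the listed attacker ranges). The log lines and the JSON body are constructed for the example; the 100 KB size threshold and reading the page's "x" ranges as /24s are assumptions.

```python
"""Added example for CVE-2026-4020 (not code from the CVE page, Wordfence or
the Gravity SMTP project). Two checks built only from the page's indicators:

  classify_response(): scanner side. Given one reply to
      GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings,
      decide whether the full System Report came back.
  hunt_access_log(): defender side. Walk combined-format access logs and
      flag requests for the endpoint, weighting the trigger parameter,
      the response size and the attacker /24s the page lists.

Sample bodies and log lines are constructed; the 100 KB threshold is an
assumption (the real report is ~365 KB).
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import parse_qs

ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"
# The page's YARA-style rule: all three strings together in a 200 JSON body.
MARKERS = ("gravitysmtp_admin_config", "system_report_clipboard", "feature_flags")
LARGE_BODY_BYTES = 100 * 1024  # assumption: far above a normal mock-data reply
ATTACKER_NETS = [ipaddress.ip_network(n) for n in (
    "45.148.10.0/24", "185.8.106.0/24", "185.8.107.0/24",
    "176.65.148.0/24", "193.32.162.0/24", "173.199.90.0/24",
)]


def classify_response(status: int, content_type: str, body: bytes) -> str:
    """Classify one probe reply: 'exposed', 'endpoint-open' or 'not-vulnerable'."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return "not-vulnerable"      # 401/403/404: route gated, blocked or absent
    text = body.decode("utf-8", errors="replace")
    if all(marker in text for marker in MARKERS):
        return "exposed"             # full System Report was serialised to the caller
    return "endpoint-open"           # reachable without auth, report not triggered


# Apache/nginx combined log: ip - - [ts] "METHOD target PROTO" status bytes ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    severity: str        # 'probe' | 'full-report-request' | 'likely-exfiltration'
    attacker_range: bool


def hunt_access_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per request that touched the mock-data route, in log order."""
    hits: List[Hit] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path.rstrip("/") != ENDPOINT:
            continue
        triggered = TRIGGER_VALUE in parse_qs(query).get(TRIGGER_PARAM, [])
        status = int(m["status"])
        size = int(m["bytes"]) if m["bytes"].isdigit() else 0
        if triggered and status == 200 and size >= LARGE_BODY_BYTES:
            severity = "likely-exfiltration"   # trigger + 200 + report-sized body
        elif triggered:
            severity = "full-report-request"   # attempted; blocked, patched or small reply
        else:
            severity = "probe"                 # route touched without the trigger
        try:
            in_range = any(ipaddress.ip_address(m["ip"]) in net for net in ATTACKER_NETS)
        except ValueError:
            in_range = False
        hits.append(Hit(m["ip"], m["ts"], severity, in_range))
    return hits


# Constructed sample data (not captured from a real site).
SAMPLE_LOG = """\
45.148.10.77 - - [12/May/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373842 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.20 - - [12/May/2026:03:15:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 118 "-" "python-requests/2.31"
203.0.113.44 - - [12/May/2026:03:16:12 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
"""


def sample_report_body() -> bytes:
    """Stand-in for the System Report JSON: only the marker keys, not 365 KB of data."""
    return json.dumps({
        "gravitysmtp_admin_config": {"feature_flags": {}, "system_report_clipboard": "..."},
    }).encode()


if __name__ == "__main__":
    print(classify_response(200, "application/json; charset=UTF-8", sample_report_body()))
    for hit in hunt_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it directly to print the classification and the three hits. The response classifier is the part to bolt onto a scanner: a 200 JSON reply without all three markers only proves the route is reachable unauthenticated, not that the report was returned. The log hunt keys on the ?page=gravitysmtp-settings parameter because, per the caveat above, a request without it does not trigger the full report; a 403 with the trigger present is what a patched or WAF-protected site logs.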
CVSS provenance
- nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck: 7.5 HIGH
GHSA
GHSA-jxfc-8wcq-xxcg · ghsa_unreviewed · 2026-03-31 · CWE-200 · HIGH
CVE-2026-4020: The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 (full description as above).
VulnCheck
vulncheck · 2026 · CVSS 7.5 · HIGH
CVE-2026-4020: Exposure of Sensitive Information to an Unauthorized Actor (full description as above).
No detection rules found.
Nuclei
Gravity SMTP WordPress Plugin - Sensitive Information Exposure
nuclei · CVSS 7.5 · HIGH
Gravity SMTP WordPress plugin <= 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication.
Template (truncated):
```yaml
id: CVE-2026-4020

info:
  name: Gravity SMTP WordPress Plugin - Sensitive Information Exposure
  author: theamanrawat
  severity: high
  description: |
    Gravity SMTP WordPress plugin <= 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication.
  impact: |
    U
```
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews · 2026-06-22 · article tagged CVE-2026-24858 [CRITICAL], CVSS 9.8
It's Monday again.
This week's threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here's the Monday recap. Let's get into the week's mess.
## ⚡ Threat of the We
Hackernews
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
blogs_hackernews · 2026-06-20 · CVSS 7.5 · HIGH
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin's email integrations.
"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that un
Bleepingcomputer
Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin
blogs_bleepingcomputer · 2026-06-19 · CVSS 7.5 · HIGH
By Bill Toulas
Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites.
The flaw is tracked as CVE-2026-4020 and received a medium severity rating. It affects all versions of the plugin 2.1.4 and older and has been addressed in version 2.1.5, released on March 17.
WordPress security company Defiant is warning that hackers are actively exploiting the vulnerability. The company's Wordfence firewall has blocked more than 17 million attempts against protected customers.
The issue stems from an exposed REST API endpoint in Gravity SMTP, whose 'permission_callback' always returns 'true,' allowing unauthenticated GET requests
Wiz
CVE-2026-4020 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL (as tagged for this entry; NVD and VulnCheck score the CVE 7.5 HIGH)
CVE-2026-4020: WordPress vulnerability analysis and mitigation (full description as above).
References:
- https://docs.gravitysmtp.com/gravity-smtp-changelog/
- https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103
- https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86
- https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103
- https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86
- https://www.gravityforms.com/gravity-smtp/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/12a296db-ecc0-409b-8718-0c208504053a?source=cve