CVE-2026-4020
published 2026-03-31


Priority: P184high · CVSS 3.1 base score: 7.5 (high)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 39.70% (98.4th percentile)
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
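The root cause described above is a REST route whose permission_callback admits everyone. The following is an added example, not code from the Gravity SMTP plugin or from this page: a small Python triage scanner that walks PHP source for register_rest_route() calls and reports routes whose permission_callback is '__return_true' (or an equivalent closure) or is missing altogether. The embedded PHP is a constructed sample in the standard WordPress registration shape (add_action('rest_api_init', ...), register_rest_route(), '__return_true', current_user_can('manage_options') are real WordPress APIs); the callback names mock_data and get_settings and the /settings route are invented for the illustration.

```python
from __future__ import annotations

import re

# Constructed sample PHP in the shape of a WordPress REST route registration.
# It is not the Gravity SMTP plugin's source; it only contrasts the open
# permission_callback the advisory describes with a capability-checked one.
SAMPLE_PHP = r"""
add_action( 'rest_api_init', function () {
    // Open shape: any unauthenticated visitor can call the route.
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => array( $this, 'mock_data' ),
        'permission_callback' => '__return_true',
    ) );

    // Hardened shape: the route requires an administrator capability.
    register_rest_route( 'gravitysmtp/v1', '/settings', array(
        'methods'             => 'GET',
        'callback'            => array( $this, 'get_settings' ),
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
"""

CALL_RE = re.compile(r"register_rest_route\s*\(")
NS_ROUTE_RE = re.compile(r"""^\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]""")
# Closures that return true unconditionally: function () { return true; } or fn () => true.
OPEN_CLOSURE_RE = re.compile(
    r"""^(?:function\s*\([^)]*\)\s*(?:use\s*\([^)]*\)\s*)?\{\s*return\s+true\s*;\s*\}"""
    r"""|fn\s*\([^)]*\)\s*=>\s*true)$""",
    re.S,
)


def _balanced(src: str, start: int) -> str:
    """Text between the '(' at src[start] and its matching ')'.
    Parentheses inside string literals are not special-cased; good enough for triage."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
    raise ValueError("unbalanced parentheses in register_rest_route call")


def _array_value(args: str, key: str) -> str | None:
    """Value of `'key' => ...` inside args, cut at the next comma or closer at depth 0."""
    m = re.search(r"""['"]%s['"]\s*=>\s*""" % re.escape(key), args)
    if not m:
        return None
    depth, i = 0, m.end()
    while i < len(args):
        c = args[i]
        if c in "([{":
            depth += 1
        elif c in ")]}":
            if depth == 0:
                break
            depth -= 1
        elif c == "," and depth == 0:
            break
        i += 1
    return args[m.end():i].strip()


def is_open(permission_callback: str) -> bool:
    """True when the callback grants access to every caller."""
    v = permission_callback.strip()
    if v in ("'__return_true'", '"__return_true"'):
        return True
    return OPEN_CLOSURE_RE.match(v) is not None


def find_open_routes(php: str) -> list[tuple[str, str, str]]:
    """(namespace, route, permission_callback) for every registration that is open to
    unauthenticated callers. A missing permission_callback is reported as '<missing>',
    since the route is then served without any check at all."""
    findings = []
    for m in CALL_RE.finditer(php):
        args = _balanced(php, m.end() - 1)
        nm = NS_ROUTE_RE.match(args)
        ns, route = (nm.group(1), nm.group(2)) if nm else ("?", "?")
        perm = _array_value(args, "permission_callback")
        if perm is None:
            findings.append((ns, route, "<missing>"))
        elif is_open(perm):
            findings.append((ns, route, perm))
    return findings


if __name__ == "__main__":
    for ns, route, perm in find_open_routes(SAMPLE_PHP):
        print(f"open route: /wp-json/{ns}{route}  permission_callback={perm}")
```

Run against a plugin's source tree, the scanner lists every route that is reachable without authentication; each hit then needs a human decision on whether the handler really returns only public data. An open permission_callback is legitimate for genuinely public endpoints, but a route that returns configuration or a system report should check a capability such as manage_options, as the hardened sample does.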

Affected

1 range

Vendor         Product        Version range   Fixed in
rocketgenius   gravity_smtp   <= 2.1.4        2.1.5

Detection & IOCs (extracted from sources)

url: /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings
ip: 45.148.10.95
ip: 193.32.162.60
ip: 176.65.148.139
ip: 173.199.90.188
ip: 45.148.10.120
ip: 185.8.107.155
ip: 185.8.106.37
ip: 185.8.106.92
ip: 185.8.106.145
ip: 176.65.148.30
other: gravitysmtp_admin_config
other: system_report_clipboard
yara (string rule sketch, not a complete YARA rule): words ["gravitysmtp_admin_config", "system_report_clipboard", "feature_flags"] in response body with HTTP 200 and Content-Type: application/json
  • Flag HTTP 200 JSON responses from /wp-json/gravitysmtp/v1/tests/mock-data whose body contains all three strings 'gravitysmtp_admin_config', 'system_report_clipboard' and 'feature_flags'; together they indicate that the full System Report was returned.
  • Block or alert on requests to WordPress REST API endpoints from the listed attacker IPs. The /24 ranges given in the sources (45.148.10.x, 185.8.106.x, 185.8.107.x, 176.65.148.x, 193.32.162.x, 173.199.90.x) generalize from individual hosts, so use them for hunting and lower-confidence alerting rather than as a standalone block list.
  • Exploitation requires no authentication, so any unauthenticated GET request to the endpoint is suspicious and should be alerted on for sites running Gravity SMTP <= 2.1.4.
  • Successful exploitation returns approximately 365 KB of JSON; anomalously large JSON responses from the gravitysmtp REST API endpoint are a strong indicator of successful data exposure.
  • The vulnerability only exposes API keys/tokens that have actually been configured in the plugin for third-party email integrations (Amazon SES, Google, Mailjet, Resend, Zoho); sites without configured integrations have reduced but non-zero exposure, because the rest of the System Report (versions, paths, plugin list, table names) is still returned.
  • The register_connector_data() method is only triggered, and the full System Report only returned, when the ?page=gravitysmtp-settings query parameter is appended to the endpoint; requests without this parameter do not trigger the full data exposure. Treat a bare request to the endpoint as reconnaissance and the parameterised form as an exploitation attempt.
  • Exploitation activity began in early May 2026, after the patch (version 2.1.5, released March 17) was available but before it was widely adopted, so sites that updated promptly were protected before mass exploitation began.
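The detection notes above combine four signals: the endpoint path, the ?page=gravitysmtp-settings trigger, an unusually large 200 JSON response, and the IOC addresses. The following is an added example, not a rule from this page or from any vendor, that applies those signals to access-log lines and, separately, checks a captured response body for the three marker strings. The log lines are constructed (the non-IOC client addresses are documentation ranges), the combined log format is assumed, and the 200 KB size threshold is an assumption chosen below the ~365 KB the advisory reports.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"
TRIGGER_KEY, TRIGGER_VALUE = "page", "gravitysmtp-settings"
BODY_MARKERS = ("gravitysmtp_admin_config", "system_report_clipboard", "feature_flags")

# Exact hosts from the IOC list above.
IOC_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188", "45.148.10.120",
    "185.8.107.155", "185.8.106.37", "185.8.106.92", "185.8.106.145", "176.65.148.30",
}
# The /24s from the detection notes generalize from single hosts, so a hit here is
# tagged separately and should carry less weight than an exact IOC match.
IOC_NETS = [ipaddress.ip_network(n) for n in (
    "45.148.10.0/24", "185.8.106.0/24", "185.8.107.0/24",
    "176.65.148.0/24", "193.32.162.0/24", "173.199.90.0/24",
)]
# Assumption: a successful System Report dump is ~365 KB; 200 KB leaves headroom for
# a smaller site while staying far above any ordinary mock-data reply.
LARGE_BODY_BYTES = 200_000

# Apache/Nginx combined log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines: one successful dump from an IOC host, one bare probe,
# one unrelated REST call, one blocked attempt from a host inside an IOC /24.
SAMPLE_LOG = """\
45.148.10.95 - - [05/May/2026:03:12:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"
203.0.113.7 - - [05/May/2026:03:13:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 1843 "-" "curl/8.5.0"
198.51.100.23 - - [05/May/2026:03:14:10 +0000] "GET /wp-json/wp/v2/posts?per_page=1 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
185.8.106.77 - - [05/May/2026:03:15:55 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 312 "-" "python-requests/2.31.0"
"""


def classify(line: str) -> dict | None:
    """Finding for a request to the vulnerable endpoint, else None.

    Levels: probe (bare endpoint), exploit_attempt (trigger parameter present),
    likely_exfiltration (trigger parameter, HTTP 200 and a System-Report-sized body).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.rstrip("/") != ENDPOINT:
        return None
    triggered = TRIGGER_VALUE in parse_qs(url.query).get(TRIGGER_KEY, [])
    status = int(m.group("status"))
    size = int(m.group("bytes")) if m.group("bytes").isdigit() else 0
    if triggered and status == 200 and size >= LARGE_BODY_BYTES:
        level = "likely_exfiltration"
    elif triggered:
        level = "exploit_attempt"
    else:
        level = "probe"
    ip = ipaddress.ip_address(m.group("ip"))
    tags = []
    if str(ip) in IOC_IPS:
        tags.append("ioc_ip")
    elif any(ip in net for net in IOC_NETS):
        tags.append("ioc_net")
    return {"ip": str(ip), "method": m.group("method"), "status": status,
            "bytes": size, "level": level, "tags": tags}


def scan(lines) -> list[dict]:
    """Findings for every log line that touches the endpoint, in input order."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def body_indicates_exposure(body: str) -> bool:
    """For proxies or WAFs that log response bodies: all three markers together mean
    the full System Report was returned, matching the string rule in the IOC list."""
    return all(marker in body for marker in BODY_MARKERS)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The size check is what separates a noisy "someone hit the endpoint" alert from a likely data loss: a 403 or a few-kilobyte 200 against the trigger URL is an attempt, while a 200 with a body in the hundreds of kilobytes means the System Report, and any configured provider credentials, left the server and those credentials should be rotated.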

CVSS provenance

NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH