Gravity SMTP Vulnerability Exploited to Steal WordPress API Keys
Sometimes a leak starts not with a compromised admin account, but with a single unauthenticated HTTP request to an endpoint that should never have been reachable by the public. Attackers are using exactly that against WordPress sites running the Gravity SMTP plugin. The vulnerability, tracked as CVE-2026-4020, lets any visitor pull sensitive data, including mail-service credentials, out of the plugin's integration settings. No login is required.
What the Bug Exposes
The flaw affects Gravity SMTP, installed on roughly 100,000 sites, in versions before 2.1.5. Sites use the plugin to relay mail through third-party services, among them Amazon SES, Google, Mailjet, Resend, and Zoho. Wordfence scores the issue 5.3 (medium) on the CVSS scale, but that score describes an information disclosure, not what an attacker can do with what is disclosed: the practical damage depends on which API keys and tokens a given site has stored in its connector settings.
How the Attack Works
The mechanism turned out to be simple. The plugin registers a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data. Its permission callback always returns true, so WordPress performs no authentication or authorization check before running the handler; any visitor, logged in or not, can call it.
When the request carries the parameter ?page=gravitysmtp-settings, the server responds with a large JSON system report. That report can include the PHP, WordPress, and web server versions, the active plugins and theme, database details, and the credentials (API keys and tokens) for every connected mail service.
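The following is an added illustration for this article, not Gravity SMTP's source code: it shows the WordPress REST route pattern the bug describes (a permission callback that always returns true) next to a hardened registration, plus a redaction step so that a diagnostic report never carries live credentials even for admins. The function names, the handler, and the placeholder connector values are all hypothetical.

```php
<?php
// Added illustration for this article; NOT Gravity SMTP's own code.
// Route handler, helper names and placeholder values are hypothetical.

// VULNERABLE pattern. A permission callback of '__return_true' tells
// WordPress to run the handler for any caller, authenticated or not.
function gsmtp_demo_register_route_vulnerable() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,   // GET
        'callback'            => 'gsmtp_demo_system_report',
        'permission_callback' => '__return_true',            // no auth at all
    ) );
}

// HARDENED pattern. Unauthenticated callers get 401 and authenticated
// non-administrators get 403 before the handler ever runs.
function gsmtp_demo_register_route_hardened() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_demo_system_report',
        'permission_callback' => 'gsmtp_demo_require_admin',
    ) );
}

function gsmtp_demo_require_admin( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator access required.', array( 'status' => 403 ) );
    }
    return true;
}

// Defence in depth: even an admin-only diagnostic report should not contain
// live secrets. Recursively mask any value whose key looks like a credential.
function gsmtp_demo_redact( array $data ): array {
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            $data[ $key ] = gsmtp_demo_redact( $value );
        } elseif ( is_string( $value ) && '' !== $value
                   && preg_match( '/key|token|secret|password/i', (string) $key ) ) {
            $data[ $key ] = '[redacted]';
        }
    }
    return $data;
}

// Hypothetical handler standing in for the system report the article describes.
function gsmtp_demo_system_report( WP_REST_Request $request ) {
    $page   = sanitize_text_field( (string) $request->get_param( 'page' ) );
    $report = array(
        'page'       => $page,
        'php'        => PHP_VERSION,
        'wordpress'  => get_bloginfo( 'version' ),
        'connectors' => array(
            // Constructed placeholder values, not real credentials.
            'mailjet' => array( 'api_key' => 'mj-example-1234', 'secret_key' => 'mj-example-9999' ),
        ),
    );
    return rest_ensure_response( gsmtp_demo_redact( $report ) );
}

add_action( 'rest_api_init', 'gsmtp_demo_register_route_hardened' );
```

The same pattern is worth auditing in any plugin you maintain or review: search the code base for permission_callback entries set to '__return_true' (or closures that simply return true) and confirm that each such route is genuinely safe to expose to anonymous callers, which a diagnostics or test endpoint almost never is.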
Why a “Medium” Bug Still Matters
This leak hands over no direct control of the site, but it removes most of the preparation from the next attack. The stolen API keys let an attacker send mail through the site's own provider account and in its name, which makes phishing sent that way hard to distinguish from legitimate mail and can exhaust sending quotas or get the provider account suspended. The environment report (PHP, WordPress and web server versions, the active plugin and theme list, database details) tells the attacker exactly which known exploits to try next, without any further probing of the target.
Active Exploitation in the Wild
According to Wordfence, its firewall has blocked more than 17 million exploit attempts. The first activity appeared in early May 2026. A sharp rise began around June 6, and the next day requests passed 4 million in a single 24-hour period. The attacks need no special tooling: a plain HTTP GET request to the exposed endpoint returns the report, because nothing checks who is asking.
How to Protect Your Site
The developers fixed the flaw in Gravity SMTP 2.1.5. If your site runs an earlier version with connected mail services, act in this order. First, update the plugin. Then revoke every API key and token configured in the connectors at the provider (Amazon SES, Google, Mailjet, Resend, Zoho) and issue new ones; overwriting the value in the plugin's settings does nothing against an attacker who has already copied the old key. Finally, review web server logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially ones carrying page=gravitysmtp-settings that returned 200, plus traffic from the IP addresses Wordfence published, and check each provider's sending logs for mail you did not send. If you ran a vulnerable version with live integrations, treat the credentials as already exposed even when the logs show nothing, since access logs are often rotated or incomplete.
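As an added triage aid for the log-review step (not from Wordfence or the plugin's authors), the script below reduces an Apache or nginx combined-format access log to hits on the vulnerable route, flags the ones that most likely returned the report, and summarizes them per source IP. It assumes PHP 8.0 or later, matches both the pretty /wp-json/ prefix and the ?rest_route= fallback that WordPress also accepts, and takes an optional file of known-bad IPs (for example the list Wordfence published) rather than embedding any addresses. The sample log lines are constructed and use documentation-range addresses.

```php
<?php
// Added log-triage script for this article; not from Wordfence or the plugin.
// Expects Apache/nginx "combined" access-log lines. Requires PHP >= 8.0.
// Usage: php gsmtp-triage.php /var/log/nginx/access.log [bad-ips.txt]
// With no arguments it runs over the constructed sample lines at the bottom.

const GSMTP_ROUTE = '/gravitysmtp/v1/tests/mock-data';

// Parse one combined-format line into its fields, or null if it does not match.
function gsmtp_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] );
}

// True if the request target reaches the vulnerable route, via the pretty
// /wp-json/ prefix or the ?rest_route= fallback. Matching the path suffix
// tolerates WordPress installed in a subdirectory.
function gsmtp_targets_route( string $target ): bool {
    $parts = parse_url( $target );
    if ( false === $parts ) {
        return false;
    }
    $path = rawurldecode( $parts['path'] ?? '' );
    parse_str( $parts['query'] ?? '', $q );
    $pretty   = str_ends_with( rtrim( $path, '/' ), '/wp-json' . GSMTP_ROUTE );
    $fallback = isset( $q['rest_route'] ) && rtrim( (string) $q['rest_route'], '/' ) === GSMTP_ROUTE;
    return $pretty || $fallback;
}

// Keep only hits on the route; a 200 with page=gravitysmtp-settings most
// likely means the report (and any stored credentials) was served.
function gsmtp_find_hits( array $lines, array $bad_ips = array() ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $f = gsmtp_parse_line( $line );
        if ( null === $f || ! gsmtp_targets_route( $f['target'] ) ) {
            continue;
        }
        parse_str( (string) ( parse_url( $f['target'], PHP_URL_QUERY ) ?? '' ), $q );
        $f['settings_report'] = ( ( $q['page'] ?? '' ) === 'gravitysmtp-settings' );
        $f['likely_leaked']   = $f['settings_report'] && 200 === $f['status'];
        $f['known_bad_ip']    = in_array( $f['ip'], $bad_ips, true );
        $hits[] = $f;
    }
    return $hits;
}

// Per-IP summary: total hits, likely successful hits, first and last seen.
function gsmtp_summarize( array $hits ): array {
    $by_ip = array();
    foreach ( $hits as $h ) {
        $s = $by_ip[ $h['ip'] ] ?? array(
            'hits' => 0, 'leaks' => 0, 'first' => $h['time'], 'last' => $h['time'], 'known_bad' => $h['known_bad_ip'],
        );
        $s['hits']++;
        $s['leaks'] += $h['likely_leaked'] ? 1 : 0;
        $s['last']   = $h['time'];
        $by_ip[ $h['ip'] ] = $s;
    }
    return $by_ip;
}

// Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
$sample_lines = array(
    '203.0.113.5 - - [07/Jun/2026:10:15:32 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jun/2026:10:16:01 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '192.0.2.44 - - [07/Jun/2026:10:17:45 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "python-requests/2.31.0"',
    '192.0.2.44 - - [07/Jun/2026:10:18:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

$lines   = isset( $argv[1] ) ? file( $argv[1], FILE_IGNORE_NEW_LINES ) : $sample_lines;
$bad_ips = isset( $argv[2] ) ? file( $argv[2], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : array();

foreach ( gsmtp_summarize( gsmtp_find_hits( $lines, $bad_ips ) ) as $ip => $s ) {
    printf( "%-16s hits=%d likely_leaked=%d known_bad=%s first=%s last=%s\n",
        $ip, $s['hits'], $s['leaks'], $s['known_bad'] ? 'yes' : 'no', $s['first'], $s['last'] );
}
```

On the sample data the first two addresses show a likely successful leak (one through the pretty URL, one through the rest_route fallback) and the third only a blocked probe. A non-200 status means the request was refused by a firewall or by the patched plugin, but it still records a host that knew about the endpoint. Two caveats: some log formats omit the query string, in which case page=gravitysmtp-settings cannot be confirmed and every hit on the route should be treated as a potential leak; and an empty result proves little if the log does not cover the whole period since early May 2026.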