Gravity SMTP Vulnerability Actively Exploited: 100,000+ WordPress Sites at Risk

A recently patched security flaw in the popular Gravity SMTP WordPress plugin is being actively exploited by threat actors, putting a large number of websites at risk of configuration data exposure and abuse of their connected email service accounts.

The vulnerability, identified as CVE-2026-4020, affects Gravity SMTP installations and could allow attackers to access sensitive configuration information without authentication. The plugin is currently installed on more than 100,000 WordPress websites, making it an attractive target for cybercriminals.

What Is CVE-2026-4020?

CVE-2026-4020 is an information disclosure vulnerability with a CVSS score of 5.3 (Medium Severity). The flaw exists because a REST API endpoint lacks an authentication check, so anyone can call it without logging in.

The vulnerable endpoint allows attackers to retrieve detailed system information when a specific query parameter is added to the request. This can expose sensitive data that should never be publicly accessible.

Information Potentially Exposed

Successful exploitation of the vulnerability may reveal critical system and configuration details, including:

  • PHP version and loaded extensions
  • Web server version
  • Document root path
  • Database server type and version
  • WordPress version
  • List of active plugins and their versions
  • Active WordPress theme
  • WordPress configuration details
  • Database table names
  • Email service API keys and authentication tokens

Affected third-party email integrations may include:

  • Amazon SES
  • Google Email Services
  • Mailjet
  • Resend
  • Zoho Mail

Why This Vulnerability Is Dangerous

While the flaw does not by itself provide remote code execution, the exposure of live credentials and a full system report significantly increases the risk of follow-on compromise.

Attackers who obtain API keys or OAuth tokens could:

  • Send emails using the victim website’s email services
  • Abuse third-party email accounts
  • Gather intelligence about the website’s infrastructure
  • Identify outdated software components
  • Launch targeted follow-up attacks based on exposed system details

Security researchers warn that the detailed system report generated by the plugin provides attackers with valuable reconnaissance information that can simplify future exploitation attempts.

Active Exploitation Detected

Cybersecurity researchers have confirmed that attackers are actively scanning the internet for vulnerable Gravity SMTP installations.

The attacks involve sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the ?page=gravitysmtp-settings query parameter appended. On an unpatched site the server responds with a large JSON document containing the system report described above.

According to security monitoring data, more than 17 million exploitation attempts have already been blocked. Attack activity reportedly began in early May 2026 and surged dramatically in June, reaching over 4 million requests in a single day.

Known Malicious IP Addresses

Researchers have observed exploitation attempts originating from the following IP addresses:

  • 45.148.10.95
  • 193.32.162.60
  • 176.65.148.139
  • 173.199.90.188
  • 45.148.10.120
  • 185.8.107.155
  • 185.8.106.37
  • 185.8.106.92
  • 185.8.106.145
  • 176.65.148.30

Website administrators should review server logs for requests from these IP addresses and investigate any suspicious activity related to the Gravity SMTP API endpoint. Because this list only reflects sources observed so far, do not rely on IP matching alone: also search for REST API requests carrying the ?page=gravitysmtp-settings parameter, since that request pattern identifies the probe regardless of where it came from.

How to Protect Your WordPress Site

If your website uses Gravity SMTP, immediate action is recommended:

1. Update Gravity SMTP Immediately

Upgrade to Gravity SMTP version 2.1.5 or later, which contains the security fix for CVE-2026-4020.

2. Rotate Exposed Credentials

If you have configured email service integrations, assume that the stored API credentials have been exposed and rotate them immediately at the provider, revoking the old key rather than only generating a new one. If an integration uses OAuth, revoke the granted token as well so that a copied token stops working.

3. Review Server Logs

Check access logs for suspicious requests targeting the vulnerable endpoint, especially from the IP addresses listed above.

4. Monitor Email Activity

Review email service dashboards for unusual sending patterns, unauthorized access, or unexpected API usage.

5. Conduct a Security Audit

Perform a full security review of your WordPress installation to identify any indicators of compromise or unauthorized changes.
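Step 3 above, together with the IP list in the previous section, can be automated over an access log. The following is an added example written for this article, not code from the plugin vendor or from the researchers; it parses Apache/nginx combined-format log lines, flags REST API requests that carry the ?page=gravitysmtp-settings parameter, and separately flags hits from the listed IP addresses. Two assumptions are not in the article and are labelled in the code: that REST routes live under /wp-json/ (the WordPress default), and that a logged-in administrator legitimately opens /wp-admin/admin.php?page=gravitysmtp-settings, which must not be flagged. The REST route name in the constructed sample lines is a placeholder, since the article does not name the endpoint.

```python
"""Triage web server access logs for CVE-2026-4020 probes against Gravity SMTP."""
import re
import sys
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Source IPs the article lists as observed origins of exploitation attempts.
KNOWN_SCANNER_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

# The query parameter the attacks append (from the article).
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"

# Assumptions (not stated in the article): WordPress serves REST routes under
# /wp-json/, and an admin legitimately loads the plugin's settings screen at
# /wp-admin/admin.php?page=gravitysmtp-settings. Only the REST path is a probe.
REST_PREFIX = "/wp-json/"

# Apache/nginx "combined" log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def classify(entry):
    """Return the list of reasons this request is suspicious (empty means benign)."""
    reasons = []
    has_trigger = TRIGGER_VALUE in entry["query"].get(TRIGGER_PARAM, [])
    if has_trigger and entry["path"].startswith(REST_PREFIX):
        reasons.append("trigger-param-on-rest-route")
        if entry["status"] == 200:
            # The article says a successful request returns a large JSON report,
            # so a 200 here means the endpoint answered the probe.
            reasons.append("endpoint-returned-200")
    if entry["ip"] in KNOWN_SCANNER_IPS:
        reasons.append("known-scanner-ip")
    return reasons


def triage(lines):
    """Scan log lines; return findings plus per-IP hit counts and first-seen times."""
    findings, per_ip, first_seen = [], Counter(), {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip it
        reasons = classify(entry)
        if not reasons:
            continue
        findings.append({"ip": entry["ip"], "time": entry["time"],
                         "target": entry["target"], "status": entry["status"],
                         "reasons": reasons})
        per_ip[entry["ip"]] += 1
        first_seen.setdefault(entry["ip"], entry["time"])
    return {"findings": findings, "per_ip": per_ip, "first_seen": first_seen}


# Constructed sample lines (not real traffic). "placeholder-route" stands in for
# the REST route, which the article does not name.
SAMPLE_LOG = [
    # Probe from a listed IP answered with 200: likely a successful disclosure.
    '45.148.10.95 - - [02/Jun/2026:03:14:07 +0000] "GET /wp-json/placeholder-route?page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    # Same probe from an unlisted IP, rejected with 401 (patched site).
    '203.0.113.7 - - [02/Jun/2026:03:15:42 +0000] "GET /wp-json/placeholder-route?page=gravitysmtp-settings HTTP/1.1" 401 52 "-" "python-requests/2.31"',
    # Admin opening the plugin settings screen: legitimate, must not be flagged.
    '198.51.100.12 - - [02/Jun/2026:08:02:11 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 200 30112 "-" "Mozilla/5.0"',
    # Listed scanner IP touching an unrelated page: worth a look, not a probe.
    '185.8.106.37 - - [02/Jun/2026:09:40:55 +0000] "GET /wp-login.php HTTP/1.1" 200 3401 "-" "curl/8.0"',
    # Ordinary visitor.
    '198.51.100.12 - - [02/Jun/2026:09:41:03 +0000] "GET /index.php HTTP/1.1" 200 11902 "-" "Mozilla/5.0"',
    "this line is not in combined format and is skipped",
]

if __name__ == "__main__":
    # Pipe a real log on stdin (python3 triage.py < access.log); otherwise use samples.
    report = triage(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin)
    for f in report["findings"]:
        print(f["time"], f["ip"], f["status"], f["target"], ",".join(f["reasons"]))
    for ip, n in report["per_ip"].most_common():
        print(f"{ip}: {n} hit(s), first seen {report['first_seen'][ip]}")
```

Any line tagged trigger-param-on-rest-route with a 200 status on a site that was still running a version below 2.1.5 at that time should be treated as a disclosure, and the credential rotation in step 2 becomes mandatory rather than precautionary. A 401 or 403 on the same request indicates the patched endpoint refused the probe.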

Final Thoughts

The active exploitation of CVE-2026-4020 highlights the importance of keeping WordPress plugins updated and monitoring security advisories closely. Even medium-severity vulnerabilities can have serious consequences when they expose sensitive credentials and infrastructure information.

Website owners using Gravity SMTP should update immediately, rotate any configured API keys, and investigate their logs for signs of unauthorized access.
