A recently patched security flaw in the popular Gravity SMTP WordPress plugin is actively being exploited by threat actors, putting thousands of websites at risk of data exposure and potential account compromise.
The vulnerability, identified as CVE-2026-4020, affects Gravity SMTP installations and could allow attackers to access sensitive configuration information without authentication. The plugin is currently installed on more than 100,000 WordPress websites, making it an attractive target for cybercriminals.
What Is CVE-2026-4020?
CVE-2026-4020 is an information disclosure vulnerability with a CVSS score of 5.3 (medium severity). The flaw stems from an improperly secured REST API endpoint that can be reached by anyone without logging in.
The vulnerable endpoint allows attackers to retrieve detailed system information when a specific query parameter is added to the request. This can expose sensitive data that should never be publicly accessible.
Information Potentially Exposed
Successful exploitation of the vulnerability may reveal critical system and configuration details, including:
- PHP version and loaded extensions
- Web server version
- Document root path
- Database server type and version
- WordPress version
- List of active plugins and their versions
- Active WordPress theme
- WordPress configuration details
- Database table names
- Email service API keys and authentication tokens
Affected third-party email integrations may include:
- Amazon SES
- Google Email Services
- Mailjet
- Resend
- Zoho Mail
Why This Vulnerability Is Dangerous
While the flaw does not directly provide remote code execution, the exposure of sensitive credentials significantly increases security risks.
Attackers who obtain API keys or OAuth tokens could:
- Send emails using the victim website’s email services
- Abuse third-party email accounts
- Gather intelligence about the website’s infrastructure
- Identify outdated software components
- Launch targeted follow-up attacks based on exposed system details
Security researchers warn that the detailed system report generated by the plugin provides attackers with valuable reconnaissance information that can simplify future exploitation attempts.
Active Exploitation Detected
Cybersecurity researchers have confirmed that attackers are actively scanning the internet for vulnerable Gravity SMTP installations.
The attacks involve sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint while appending the ?page=gravitysmtp-settings parameter. If successful, the server returns a large JSON response containing sensitive system information.
According to security monitoring data, more than 17 million exploitation attempts have already been blocked. Attack activity reportedly began in early May 2026 and surged dramatically in June, reaching over 4 million requests in a single day.
Known Malicious IP Addresses
Researchers have observed exploitation attempts originating from the following IP addresses:
Website administrators should review server logs for requests from the reported IP addresses and investigate any suspicious activity involving the Gravity SMTP REST API endpoint.
How to Protect Your WordPress Site
If your website uses Gravity SMTP, immediate action is recommended:
1. Update Gravity SMTP Immediately
Upgrade to Gravity SMTP version 2.1.5 or later, which contains the security fix for CVE-2026-4020.
2. Rotate Exposed Credentials
If you have configured email service integrations, assume that API credentials may have been exposed and rotate them immediately.
3. Review Server Logs
Check access logs for suspicious requests targeting the vulnerable endpoint, especially from the IP addresses researchers have associated with this campaign.
4. Monitor Email Activity
Review email service dashboards for unusual sending patterns, unauthorized access, or unexpected API usage.
5. Conduct a Security Audit
Perform a full security review of your WordPress installation to identify any indicators of compromise or unauthorized changes.
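As an added example (not code from the article, the plugin vendor, or the researchers cited), the log review in step 3, applied to the probe pattern described under Active Exploitation: a small Python scanner over constructed access-log lines that keys on the page=gravitysmtp-settings parameter the article names. The REST route paths in the sample lines and the 1 KiB response-size threshold are assumptions, not the plugin's real endpoint or a published detection rule.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The REST route paths are assumed
# placeholders; line 2 is ordinary wp-admin navigation and line 3 an unrelated REST call.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2026:10:14:03 +0000] "GET /wp-json/gravitysmtp/v1/EXAMPLE?page=gravitysmtp-settings HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Jun/2026:10:15:11 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:10:16:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 1200 "-" "curl/8.0"
192.0.2.5 - - [02/Jun/2026:10:17:02 +0000] "GET /?rest_route=/gravitysmtp/v1/EXAMPLE&page=gravitysmtp-settings HTTP/1.1" 401 120 "-" "python-requests/2.31"
"""

# Combined log format: client IP, timestamp, request line, status code, bytes sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify(line):
    """Return a finding for a Gravity SMTP settings probe against the REST API, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    query = parse_qs(parts.query)
    if query.get("page") != ["gravitysmtp-settings"]:
        return None
    # WordPress REST requests use /wp-json/ paths or the ?rest_route= fallback;
    # admin.php?page=... is normal logged-in admin navigation, not the probe.
    if not (parts.path.startswith("/wp-json/") or "rest_route" in query):
        return None
    status = int(m["status"])
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    return {
        "ip": m["ip"], "timestamp": m["ts"], "target": m["target"], "status": status,
        # A 200 with a sizeable body is consistent with the large JSON report a successful
        # probe receives; the 1 KiB threshold is an assumed heuristic, tune it to your logs.
        "likely_disclosed": status == 200 and size > 1024,
    }

def scan(log_text):
    """Scan a log and summarise probe attempts and likely disclosures per source IP."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    per_ip = defaultdict(lambda: {"attempts": 0, "likely_disclosed": 0})
    for f in findings:
        per_ip[f["ip"]]["attempts"] += 1
        per_ip[f["ip"]]["likely_disclosed"] += int(f["likely_disclosed"])
    return findings, dict(per_ip)
```

Any source with a likely_disclosed count above zero should be treated as having obtained the settings report, which is the trigger for rotating the credentials in step 2.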
Final Thoughts
The active exploitation of CVE-2026-4020 highlights the importance of keeping WordPress plugins updated and monitoring security advisories closely. Even medium-severity vulnerabilities can have serious consequences when they expose sensitive credentials and infrastructure information.
Website owners using Gravity SMTP should update immediately, rotate any configured API keys, and investigate their logs for signs of unauthorized access.
