More than 17 million exploit attempts have targeted the Gravity SMTP vulnerability, an unauthenticated information disclosure flaw in a WordPress plugin active on 100,000 sites.
The bug, tracked as CVE-2026-4020, affects Gravity SMTP 2.1.4 and older and was fixed in version 2.1.5, released on March 17, according to BleepingComputer. WordPress security firm Defiant says attackers are actively exploiting it, while its Wordfence firewall has blocked the bulk exploitation wave against protected customers.
Hackers target Gravity SMTP vulnerability exposing WordPress site data
The Gravity SMTP vulnerability is rated medium severity, but the rating understates the operational risk for site owners. Attackers don’t need a WordPress account. They can send an unauthenticated GET request to an exposed REST API endpoint and receive a detailed plugin-generated System Report.
The vulnerable endpoint is:
/wp-json/gravitysmtp/v1/tests/mock-data
Researchers say requests are especially suspicious when they include:
?page=gravitysmtp-settings
That query parameter can trigger the plugin to return a large JSON report. Additional technical analysis cited in the source material says the response can be roughly 365 KB, depending on the site and plugin configuration.
The issue stems from a faulty permission_callback that always returns true. In practical terms, the endpoint treats unauthenticated visitors as if they’re allowed to see data that should be restricted.
The exposed information may include:
- API keys, secrets, and OAuth tokens for configured email integrations
- Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho
- WordPress configuration details, including installed plugins, themes, and software versions
- Server and PHP environment information
- Database configuration details, including server version and table names
Wordfence researchers warned that exposure of live third-party API credentials could let attackers abuse connected email services, while the detailed system report can lower the effort needed to plan further attacks against the site.
That’s the core danger. This isn’t just a leak of boring diagnostics. If live mail credentials are present, the attacker may be able to abuse legitimate email services tied to the victim’s site.
A public REST endpoint turns diagnostics into reconnaissance
Gravity SMTP helps WordPress sites send mail through external email providers. That means it often sits near sensitive configuration data for transactional messages, contact forms, account emails, and other site communications.
The vulnerable code path exposed a system report. For defenders, that report is a troubleshooting artifact. For attackers, it’s a map.
| Exposed data | Why it matters |
|---|---|
| Email API keys and OAuth tokens | May let attackers abuse connected sending services |
| SMTP or third-party mail credentials | Can expose the site’s sender infrastructure |
| Active plugins and versions | Helps attackers identify follow-on targets |
| PHP, server, and database details | Narrows reconnaissance for later attacks |
| Database table names | Gives attackers more context for site structure |
CVE-2026-4020 is classified as CWE-200, exposure of sensitive information to an unauthorized actor, according to the supplied technical context. The attack vector is network-based and requires no privileges or user interaction.
That matters because the vulnerable path is predictable. Attackers can scan for WordPress sites running Gravity SMTP and probe the endpoint directly. If the site is still on 2.1.4 or older, and the conditions are present, the endpoint can leak configuration data before the site owner sees any visible sign of compromise.
XOOMAR has tracked other security stories where exposed credentials or trusted software channels created outsized risk, including 74,000 Fortinet Logins Spill in FortiBleed Data Leak and Paid ShapedPlugin Updates Smuggle Malware Into WordPress. The common lesson for administrators is narrow but practical: secrets inside infrastructure tools should be treated as production assets, not settings-page clutter.
17 million blocked attempts put WordPress admins under pressure
Wordfence says exploitation activity spiked on June 7, when it blocked 4 million requests in a single day. Similar activity continued for several days afterward.
That scale points to automated exploitation, not one-off probing. The Gravity SMTP vulnerability is easy to test for, and the endpoint path gives defenders a clear log artifact to hunt.
Administrators should check web server access logs for requests to:
/wp-json/gravitysmtp/v1/tests/mock-data
Requests that also include ?page=gravitysmtp-settings deserve special attention. The source material identifies that pattern as a key indicator of compromise.
If suspicious requests appear, site owners should assume any data exposed through the Gravity SMTP system report may have been accessed. That means reviewing and rotating potentially exposed SMTP credentials, API keys, OAuth tokens, and related email-service secrets.
The immediate fix is clear: update Gravity SMTP to version 2.1.5 or later. Wordfence also listed prolific source IP addresses for exploit requests, which administrators can add to blocklists. But static IP blocking is not enough by itself, since the reliable detection signal is the endpoint path and request pattern.
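As an added illustration of the log check described above (example code written for this page, not code from the article or from Wordfence), the following Python script scans access log lines for hits on the endpoint, flags the ?page=gravitysmtp-settings indicator, treats a 200 response with a large body as a likely served report, and tallies hits per source IP so that the noisiest sources can be reviewed for blocklisting. It goes slightly beyond the article by also matching the plain-permalink form of the same WordPress route (/?rest_route=...). The combined log format regex, the 100 KB size threshold and the sample log lines are assumptions constructed for the example.

```python
"""Hunt web server access logs for requests to the Gravity SMTP mock-data
endpoint (CVE-2026-4020) and summarise what was likely exposed.
Added example, not the article's or Wordfence's code."""
import re
import sys
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format. Assumed layout; adjust for your server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

REST_ROUTE = "/gravitysmtp/v1/tests/mock-data"
ENDPOINT = "/wp-json" + REST_ROUTE
# Key indicator named in the article.
INDICATOR_PARAM, INDICATOR_VALUE = "page", "gravitysmtp-settings"
# Assumed threshold: a served report was reported at roughly 365 KB, while a
# firewall block or error page is a few hundred bytes.
LARGE_RESPONSE = 100_000


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def targets_endpoint(rec):
    """True for the pretty-permalink path or the WordPress ?rest_route= fallback."""
    if rec["path"].rstrip("/") == ENDPOINT:
        return True
    return any(v.rstrip("/") == REST_ROUTE for v in rec["query"].get("rest_route", []))


def classify(rec):
    """None if unrelated; otherwise 'likely_exposure', 'key_indicator' or 'probe'."""
    if not targets_endpoint(rec):
        return None
    if rec["status"] == 200 and rec["bytes"] >= LARGE_RESPONSE:
        return "likely_exposure"      # a full report was served to the caller
    if INDICATOR_VALUE in rec["query"].get(INDICATOR_PARAM, []):
        return "key_indicator"        # the request pattern the article calls out
    return "probe"                    # hit the endpoint but was blocked or errored


def hunt(lines):
    """Scan an iterable of log lines; return hits, per-IP counts and an exposure verdict."""
    hits, by_ip = [], Counter()
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue
        category = classify(rec)
        if category is None:
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                     "bytes": rec["bytes"], "category": category})
        by_ip[rec["ip"]] += 1
    return {
        "hits": hits,
        "by_ip": by_ip,
        # If any report was served, treat every secret in it as compromised.
        "exposure_suspected": any(h["category"] == "likely_exposure" for h in hits),
    }


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jun/2026:03:20:41 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 94 "-" "curl/8.0"',
    '192.0.2.55 - - [07/Jun/2026:04:01:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Usage: python hunt_gravitysmtp.py /var/log/nginx/access.log (or no argument for the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    result = hunt(source)
    for h in result["hits"]:
        print(f'{h["ts"]} {h["ip"]:>15} {h["status"]} {h["bytes"]:>7}B {h["category"]}')
    print("hits per source IP:", dict(result["by_ip"].most_common()))
    if result["exposure_suspected"]:
        print("ACTION: assume the system report was read; rotate SMTP/API credentials.")
```

The size check is what separates a blocked probe from a successful read: a firewall or authentication rejection returns a few hundred bytes, while a served report is hundreds of kilobytes. A site that only sees "probe" hits with 403 or 404 responses was scanned but not necessarily exposed; a single "likely_exposure" hit should trigger the credential rotation the article recommends.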
Avada Builder warning shows WordPress plugin risk is stacking up
The Gravity SMTP campaign landed as Wordfence issued a separate advisory about CVE-2026-8713, a critical unauthenticated arbitrary file-deletion flaw in the Avada Builder WordPress plugin, used on one million sites.
That flaw is different. It involves a path traversal issue and can allow attackers to delete arbitrary files if a published Avada form is configured to save submissions to the database. Deleting critical files such as wp-config.php can revert a site to its initial setup state, potentially leading to full site takeover and remote code execution.
Wordfence says it has not observed active exploitation of CVE-2026-8713 yet. The recommended Avada Builder upgrade target is version 3.15.4.
For Gravity SMTP, the watch item is narrower and more urgent: whether the exploitation wave continues to find unpatched 2.1.4 and older installations. Admins should patch, inspect logs for the endpoint, and rotate exposed mail credentials where access is suspected. If attackers already pulled the system report, updating the plugin closes the hole, but it doesn’t make leaked secrets private again.
Impact Analysis
- Attackers can access sensitive WordPress and email integration data without logging in.
- More than 17 million exploit attempts show the bug is being targeted at scale.
- Site owners running Gravity SMTP 2.1.4 or older should update to 2.1.5 immediately.
Originally published on XOOMAR. For more news and analysis, visit XOOMAR.