Attackers are actively and indiscriminately exploiting CVE-2026-4020, an unauthenticated information-disclosure flaw in the Gravity SMTP WordPress plugin, to siphon site configuration and — more damagingly — the API keys and tokens for whatever third-party email provider the site has wired up. Wordfence says it has already blocked more than 17 million exploit attempts against the bug. The vendor patch shipped in version 2.1.5; if you run this plugin, treat the credentials it stored as already burned.

What happened

Gravity SMTP routes WordPress’s outbound mail through external delivery services — Amazon SES, Google, Mailjet, Resend, Zoho, and similar — and stores the provider’s API keys or tokens in the site so it can authenticate to them. CVE-2026-4020 turns that convenience into a credential dump.

The plugin registers a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data with a broken permission check. When the ?page=gravitysmtp-settings query parameter is appended, the endpoint returns the plugin’s connector configuration to any unauthenticated visitor. No login, no nonce, no admin role required — a single crafted GET/POST is enough.

Technical details

CVE-2026-4020 carries a CVSS score of 5.3 (medium), but that number badly undersells the operational impact: leaked SES/SMTP credentials are ready-to-use sending infrastructure, not just an info leak. According to the advisory, an unauthenticated attacker can pull a wide range of data from a vulnerable site, including:

  • PHP version and all loaded extensions
  • Web server version and document root path
  • Database server type, version, and table names
  • WordPress version and wp-config configuration details
  • Every active plugin (with versions) and the active theme
  • API keys and tokens for configured email providers — Amazon SES, Google, Mailjet, Resend, Zoho, and others

The plugin/version inventory alone is a tidy reconnaissance map for follow-on attacks. The email credentials are the real prize.

Impact assessment

Harvested provider keys let an attacker send mail as the victim from a reputable, well-warmed cloud sender. That means spam, phishing, and BEC campaigns launched on the victim’s dime and the victim’s sender reputation — torching deliverability, blowing through sending quotas, and potentially running up a cloud bill before anyone notices. Because the leak also exposes the full plugin and version list, expect opportunistic chaining against any other outdated component on the box.

Wordfence reports the campaign is broad and automated, with attempts climbing since disclosure. Observed attacker IPs include:

45.148.10.95     193.32.162.60    176.65.148.139   173.199.90.188
45.148.10.120    185.8.107.155    185.8.106.37     185.8.106.92
185.8.106.145    176.65.148.30

What to do right now

  1. Update Gravity SMTP to 2.1.5 immediately. This is the fix; everything else is containment.
  2. Assume your provider keys leaked. If you ran a vulnerable version with any third-party email provider configured, rotate and revoke every API key/token — SES, Google, Mailjet, Resend, Zoho, the lot — from the provider side.
  3. Hunt for abuse. Review your email provider’s send logs, SES sending statistics, bounce/complaint rates, and any new IAM credentials or sending identities you didn’t create.
  4. Block the IOCs above at your WAF or edge, and confirm virtual-patching rules are enabled (Wordfence shipped signatures), but don’t treat the WAF as a substitute for updating.
  5. Audit the WordPress install for unexpected admin users, plugins, or scheduled tasks dropped during the exposure window.
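For the hunting step above, here is an added example (not code from the article, Wordfence, or the Gravity SMTP project) that triages web-server access logs: it parses combined-format lines, matches requests to the mock-data endpoint in both WordPress permalink forms, flags which ones came from the published attacker IPs, and separates requests that were served a 200 (configuration likely disclosed) from ones that were refused. The log lines are constructed sample data, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs
# REST route named in the advisory for CVE-2026-4020.
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
# Attacker IPs published by Wordfence for this campaign.
KNOWN_IOC_IPS = {"45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
                 "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
                 "185.8.106.145", "176.65.148.30"}
# Apache/nginx combined log format: client IP ... "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return (hits_endpoint, has_settings_param) for one request target."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    # WordPress serves REST routes as /wp-json/<route> or as /index.php?rest_route=<route>.
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    else:
        route = qs.get("rest_route", [""])[0]
    if route.rstrip("/") != VULN_ROUTE:
        return False, False
    return True, "gravitysmtp-settings" in qs.get("page", [])

def scan_access_log(lines):
    """Collect every request to the vulnerable endpoint with triage fields."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        hit_endpoint, has_param = classify_request(m["target"])
        if not hit_endpoint:
            continue
        status = int(m["status"])
        # 200 from an unpatched site means the connector config was served; 401/403 means it was refused.
        hits.append({"ip": m["ip"], "method": m["method"], "status": status,
                     "settings_param": has_param, "likely_disclosed": status == 200,
                     "known_ioc": m["ip"] in KNOWN_IOC_IPS})
    return hits

def summarize(hits):
    """Per-source counts, overlap with published IOCs, whether any request likely succeeded."""
    return {"requests_by_ip": Counter(h["ip"] for h in hits),
            "known_ioc_sources": sorted({h["ip"] for h in hits if h["known_ioc"]}),
            "any_disclosure": any(h["likely_disclosed"] for h in hits)}
# Constructed sample log lines, not real traffic (203.0.113.x and 198.51.100.x are documentation ranges).
SAMPLE_LOG = """\
45.148.10.95 - - [01/Jan/2026:04:12:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 5312 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2026:04:13:44 +0000] "POST /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 92 "-" "python-requests/2.31"
198.51.100.20 - - [01/Jan/2026:04:15:02 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 5290 "-" "curl/8.5.0"
""".splitlines()
```

Any hit with `likely_disclosed` set on a site that was still on a pre-2.1.5 version should be treated as confirmed exposure of the provider keys, regardless of whether the source IP is in the published list.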

Medium severity or not, this is a live, large-scale credential-harvesting campaign against a plugin whose entire job is to hold cloud email secrets. Patch, rotate, and check your sending logs today.
