
Gravity SMTP Flaw Lets Attackers Steal API Keys From 100,000 WordPress Sites

By Mag-Info Tech editorial · 2026-06-21


Gravity SMTP flaw explained: what attackers can steal and how

A recently patched vulnerability in Gravity SMTP, a WordPress plugin with roughly 100,000 active installations, lets unauthenticated attackers retrieve the configuration data the plugin uses to send email, including API keys, secrets and OAuth tokens. The issue is tracked as CVE-2026-4020 and carries a CVSS score of 5.3, placing it in the medium-severity range. The exposure stems from a REST API route at /wp-json/gravitysmtp/v1/tests/mock-data whose permission callback always returns true, so WordPress serves the route to any visitor. When a request to that route carries the query string ?page=gravitysmtp-settings, the plugin populates its internal connector data and the route responds with roughly 365 KB of JSON containing the full system report.

An attacker can use this information in several ways. First, if the exposed data includes live third-party credentials, the attacker can use them to send mail as the site or to call the email service provider's APIs directly. Second, the system report reveals the site's software stack in detail: WordPress version, active plugins and themes, PHP settings and server environment. This reconnaissance lowers the effort required to plan follow-on attacks such as privilege escalation, exploitation of another vulnerable plugin, or server compromise. In short, the flaw turns a single unauthenticated HTTP GET request into a potential beachhead for further compromise.

Why the flaw matters beyond Gravity SMTP

Although this vulnerability is specific to Gravity SMTP, it illustrates a broader class of risk that arises when WordPress plugins expose REST API endpoints without proper access controls. The root cause, a permission callback that always returns true, is a common anti-pattern that grants public access to processing logic or diagnostic data that was never meant to be public. WordPress core and many plugin authors now enforce capability checks in permission callbacks (with nonce verification for cookie-authenticated sessions), but legacy or less scrutinized plugins can still harbor the same issue.

The scale of exposure is significant: 100,000 active installations represent a large, decentralized attack surface. Even if only a fraction of those sites have configured third-party email integrations, each exposed API key or OAuth token becomes a potential entry point for phishing, spam, or account takeover campaigns against the email service provider. Site owners therefore need to treat this flaw not just as a plugin issue, but as a potential credential-reuse risk that could affect other systems if the same keys or tokens are used elsewhere.


Attackers already weaponizing the flaw at scale

Threat actors began probing for CVE-2026-4020 shortly after public disclosure, with Wordfence reporting over 17 million exploit attempts to date. Initial scanning activity started in early May 2026, followed by a sharp spike around June 6, 2026 that peaked at more than four million requests in a single day. The rapid escalation reflects both the ease of exploitation and the widespread availability of automated exploit scripts that append the vulnerable query parameter to the REST endpoint.

The geographic distribution of attack sources is consistent with opportunistic botnets scanning for WordPress vulnerabilities. While the specific IP addresses are not disclosed here, such campaigns typically originate from hosting providers and compromised devices across multiple continents. Because the exploit requires only a single unauthenticated GET request, attackers can quickly enumerate vulnerable sites and then pivot to credential harvesting or further reconnaissance. The volume of requests also suggests that some actors are using this flaw as a discovery mechanism to identify sites that use Gravity SMTP before launching more targeted attacks.

What site owners should do immediately

Site owners running Gravity SMTP must first determine whether their installation is vulnerable. The flaw was patched in version 2.1.5, so any site still running 2.1.4 or earlier is at risk. The fastest way to check is to inspect the plugin’s version in the WordPress admin dashboard under Plugins. If the site is vulnerable, the next step is to upgrade to 2.1.5 or later immediately. Upgrading should be treated as urgent because exploit traffic has already reached millions of requests per day.

After upgrading, site owners should rotate every credential that Gravity SMTP uses to reach third-party email services: SMTP usernames and passwords, API keys for transactional email providers such as SendGrid, Mailgun or Amazon SES, and any OAuth tokens the plugin holds for mailbox providers. Because the exposed data can include OAuth tokens, revoking and reissuing those tokens is critical; rotating the plugin's stored copy alone does not invalidate a token an attacker has already captured. Owners should also review logs for unusual email activity or outbound connections that could indicate prior compromise.



How to harden WordPress REST APIs against similar flaws

This incident highlights the need for stricter access controls on WordPress REST endpoints. Site owners can reduce exposure by auditing plugins that register custom REST routes and verifying that every endpoint enforces a capability check, nonce validation for cookie sessions, or another form of authentication as appropriate. Plugins that expose diagnostic or mock-data endpoints should restrict them to administrators or other trusted roles. A simple test is to request the endpoint without any session cookie (for example from a private browser window or with curl); if the request returns data, the endpoint is almost certainly misconfigured.

Developers maintaining plugins should adopt a default-deny posture for REST endpoints and explicitly declare the capability each route requires. Since WordPress 5.5, register_rest_route() emits a "doing it wrong" notice when a route omits permission_callback, and the intended pattern is a callback that calls current_user_can() with a specific capability; __return_true is appropriate only for data that is genuinely public. Plugin directories can also introduce automated security scanning to flag endpoints that expose sensitive data without proper authorization. For site owners, keeping plugins updated and minimizing the number of active plugins reduces the attack surface and limits the blast radius of future flaws.
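The following is an added example, not code from Gravity SMTP or from this article: it puts the always-true permission callback described in the root-cause paragraph next to the default-deny registration this section recommends. The acme/v1 namespace, the /diagnostics route and the acme_* helper names are hypothetical; the WordPress functions used (register_rest_route, current_user_can, rest_authorization_required_code, rest_ensure_response) are core APIs.

```php
<?php
/**
 * Added example, not from Gravity SMTP or the article.
 * Route name, namespace and acme_* helpers are hypothetical.
 */

// BEFORE: anyone can call GET /wp-json/acme/v1/diagnostics.
// __return_true is the core helper that always returns true; it is
// only appropriate when the data is genuinely public.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/diagnostics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_build_system_report',
        'permission_callback' => '__return_true',
    ) );
} );

// AFTER: default-deny. The permission callback receives the request and
// returns true, false or a WP_Error; WordPress refuses the call otherwise.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/diagnostics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'acme_build_system_report',
        'permission_callback' => 'acme_diagnostics_permission',
        'args'                => array(
            // Validate the trigger parameter instead of trusting raw input.
            'page' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );

function acme_diagnostics_permission( WP_REST_Request $request ) {
    // Cookie sessions only become the current user when core has verified
    // the X-WP-Nonce header, so a visitor without a valid nonce reaches
    // this callback as user 0 and fails the check below.
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for authenticated callers lacking the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view diagnostics.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Even for administrators, a report should not carry raw credentials.
function acme_build_system_report( WP_REST_Request $request ) {
    $report = array(
        'wp_version'  => get_bloginfo( 'version' ),
        'php_version' => PHP_VERSION,
        'connectors'  => array(),
    );
    // 'acme_connectors' is a hypothetical option holding provider settings.
    foreach ( (array) get_option( 'acme_connectors', array() ) as $name => $cfg ) {
        $key = isset( $cfg['api_key'] ) ? (string) $cfg['api_key'] : '';
        $report['connectors'][ $name ] = array(
            'configured'   => $key !== '',
            // Redact: expose only the last four characters for support use.
            'api_key_hint' => $key === '' ? null : '...' . substr( $key, -4 ),
        );
    }
    return rest_ensure_response( $report );
}
```

The capability check is the control that matters; the redaction in the report builder is defence in depth, so that a future authorization mistake discloses fingerprints rather than usable secrets.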

The broader risk to email integrations and credentials

The Gravity SMTP flaw underscores a recurring pattern in WordPress compromises: exposed credentials from one system are reused elsewhere. Transactional email providers, marketing automation tools, and customer relationship platforms often accept API keys or OAuth tokens that grant broad permissions. When those tokens are leaked, attackers can send phishing emails that appear to originate from the victim site, abuse the email service’s sending quotas, or pivot to account takeover if the same credentials protect other services.

Site owners should therefore treat API keys and OAuth tokens as highly sensitive secrets and apply the same lifecycle management used for database passwords or admin credentials. This means rotating keys when a plugin is updated, scoping permissions to the minimum required, and monitoring for anomalous email volume or delivery failures. Email service providers can also help by offering token-revocation APIs and rate-limiting controls that detect sudden spikes in send volume from a single key.


What to watch next: patching, exploit kits, and follow-on attacks

With exploit traffic already in the millions, the next phase is likely to see the emergence of exploit kits that bundle this vulnerability with other WordPress flaws for fully automated compromise. Security vendors typically release detections within hours of public disclosure, but attackers can repurpose open-source proof-of-concept code to build new bots that chain this flaw with privilege-escalation or file-upload vulnerabilities in other plugins.

Site owners should monitor their email service provider dashboards for unusual activity such as unexpected bounces, spam complaints, or sudden increases in sent messages. Any sign of unauthorized email activity should trigger an immediate credential rotation and a review of the site’s user accounts for signs of compromise. Hosting providers and security plugins may also release additional hardening guidance or firewall rules that can mitigate exploitation attempts while patches are being applied.

Practical checklist for site owners and developers

  • Verify Gravity SMTP version; upgrade to 2.1.5 or later if running an older version.
  • Rotate all API keys, OAuth tokens, and SMTP credentials used by Gravity SMTP.
  • Review email service provider logs for unauthorized send activity.
  • Audit other plugins for similar REST endpoint misconfigurations.
  • Enforce capability-based checks on custom REST endpoints.
  • Monitor incoming exploit attempts by inspecting server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data.
  • Consider enabling a web application firewall with WordPress-specific rules to block exploit patterns.
  • Document credential rotation procedures for future plugin updates.
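As an added example that is not part of the article, the following stand-alone PHP CLI script implements the log check from the list above: it reads an access log, keeps only requests to /wp-json/gravitysmtp/v1/tests/mock-data, separates probes that carry page=gravitysmtp-settings from plain hits, and flags a 200 response with a large body as a likely successful retrieval of the report (the article puts the report at about 365 KB). It assumes the Apache/nginx combined log format. The embedded log lines are constructed for illustration and use documentation address ranges, not real attack sources.

```php
<?php
/**
 * Added example, not from the article or the plugin.
 * Usage: php scan_gravitysmtp_log.php /var/log/nginx/access.log
 * With no argument it runs against the constructed sample below.
 */

const TARGET_PATH   = '/wp-json/gravitysmtp/v1/tests/mock-data';
const TRIGGER_PARAM = 'page=gravitysmtp-settings';
// Threshold in bytes: a 200 with a body this large on the trigger request
// suggests the full system report was returned to the caller.
const LARGE_BODY    = 100000;

// Constructed sample (combined log format); addresses are RFC 5737 ranges.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [06/Jun/2026:02:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:02:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Jun/2026:02:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.44 - - [06/Jun/2026:03:00:12 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// Captures: 1 client IP, 2 timestamp, 3 method, 4 request target,
// 5 status code, 6 response bytes ("-" when unknown).
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';

function scan_log(string $log): array {
    $byIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LINE_RE, $line, $m)) {
            continue; // not a combined-format line; skip it
        }
        [, $ip, $ts, $method, $target, $status, $bytes] = $m;
        if (parse_url($target, PHP_URL_PATH) !== TARGET_PATH) {
            continue;
        }
        $query = (string) parse_url($target, PHP_URL_QUERY);
        $probe = str_contains($query, TRIGGER_PARAM);
        $size  = $bytes === '-' ? 0 : (int) $bytes;
        $leak  = $probe && $status === '200' && $size >= LARGE_BODY;

        $byIp[$ip] ??= ['hits' => 0, 'probes' => 0, 'likely_leaks' => 0, 'first_seen' => $ts];
        $byIp[$ip]['hits']++;
        if ($probe) {
            $byIp[$ip]['probes']++;
        }
        if ($leak) {
            $byIp[$ip]['likely_leaks']++;
        }
    }
    return $byIp;
}

$input   = isset($argv[1]) ? file_get_contents($argv[1]) : SAMPLE_LOG;
$results = scan_log($input);
foreach ($results as $ip => $r) {
    printf(
        "%-15s hits=%d probes=%d likely_leaks=%d first_seen=%s\n",
        $ip, $r['hits'], $r['probes'], $r['likely_leaks'], $r['first_seen']
    );
}
```

A likely_leaks count above zero is the signal that should trigger credential rotation regardless of whether the plugin has since been updated: the third sample line shows what the same probe looks like once the route refuses anonymous callers, but the first line shows the report had already been handed out a minute earlier.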

In summary, CVE-2026-4020 demonstrates how a medium-severity information disclosure flaw in a widely used WordPress plugin can expose credentials and system details at scale. Attackers have already automated exploitation, underscoring the need for rapid patching and credential rotation. Site owners who act quickly can close the immediate risk and reduce the likelihood of follow-on attacks that leverage exposed secrets or reconnaissance data.
