Gravity SMTP Flaw Lets Attackers Steal Email Credentials from 100,000 WordPress Sites

By Mag-Info Tech editorial · 2026-06-20

WordPress site owners who rely on Gravity SMTP for email delivery are being urged to update immediately after researchers found an unauthenticated information disclosure bug that hands attackers live email credentials and system details. The flaw, tracked as CVE-2026-4020, affects all plugin versions up to and including 2.1.4 and is fixed in 2.1.5, released on March 17. Although rated medium severity, the bug is trivial to exploit and is already being used in active attacks that have generated tens of millions of exploit attempts.

How the Gravity SMTP flaw works and why it matters

The vulnerability resides in an exposed REST API endpoint in Gravity SMTP whose permission callback always returns true, so WordPress never checks whether the caller is logged in or holds any capability before running the handler. An unauthenticated GET request is therefore enough to retrieve the plugin's full JSON "System Report", which contains third-party email service credentials, software stack versions, plugin lists, and server configuration details. With the credentials, an attacker can impersonate the site and send phishing or spam email; with the rest of the report, the reconnaissance phase for follow-on attacks such as code execution or database theft shrinks to a single request. In practice, this turns a medium-severity rating into a high-impact incident: the bug removes the need for initial authentication and hands over most of what is required for account takeover and further movement into the site's infrastructure.
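To make the mechanism concrete, the following is an added, illustrative example of the pattern described above and one way to harden it. It is not Gravity SMTP's code: the namespace and route come from the advisory, while the function names, the report contents, and the masking helper are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Shows why an "always true"
// permission callback exposes a route and what a correct callback does.
if ( ! defined( 'ABSPATH' ) ) { exit; }

/** Assumed shape of the report; the real one is much larger. */
function example_build_system_report( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'wordpress' => get_bloginfo( 'version' ),
        'php'       => PHP_VERSION,
        'plugins'   => (array) get_option( 'active_plugins', array() ),
        'mail'      => array(
            'host'     => 'smtp.example.com',
            'port'     => 587,
            'username' => 'postmaster@example.com',
            'password' => 'hunter2-real-password',   // constructed value
            'api_key'  => 'SG.assumed-provider-key', // constructed value
        ),
    ) );
}

// --- Vulnerable pattern --------------------------------------------------
// '__return_true' is a core WordPress helper that returns true for any
// caller, so the permission check is a no-op and anonymous GETs succeed.
function example_register_report_route_vulnerable() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => '__return_true', // the bug
    ) );
}

// --- Hardened pattern ----------------------------------------------------
/** Only administrators may read the report. Cookie-authenticated callers
 *  must also send a valid X-WP-Nonce, otherwise WordPress treats them as
 *  anonymous and current_user_can() is false. */
function example_report_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view the system report.' ),
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

/** Keep only the last four characters so the report stays useful for
 *  support without carrying a usable credential. */
function example_mask_secret( $value ) {
    $value = (string) $value;
    if ( strlen( $value ) <= 4 ) {
        return str_repeat( '*', strlen( $value ) );
    }
    return str_repeat( '*', strlen( $value ) - 4 ) . substr( $value, -4 );
}

/** Same report, but secrets never leave the server even for admins. */
function example_build_system_report_redacted( WP_REST_Request $request ) {
    $report = example_build_system_report( $request )->get_data();
    foreach ( $report['mail'] as $key => $value ) {
        if ( preg_match( '/pass|secret|key|token/i', $key ) ) {
            $report['mail'][ $key ] = example_mask_secret( $value );
        }
    }
    return rest_ensure_response( $report );
}

function example_register_report_route_fixed() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report_redacted',
        'permission_callback' => 'example_report_permission',
    ) );
}

// A plugin registers one or the other; the fixed form is what 2.1.5 should
// resemble in spirit, whatever its exact implementation.
add_action( 'rest_api_init', 'example_register_report_route_fixed' );
```

Two things are worth noticing. First, `permission_callback` is the only gate the REST dispatcher applies, so a constant-true callback is equivalent to no authentication at all. Second, authorization alone is not the whole fix: a diagnostic report that embeds live passwords is a liability even behind a capability check, which is why the hardened handler masks them.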

Security company Defiant reports its Wordfence firewall has blocked more than 17 million exploit attempts against protected customers, with a single-day spike of 4 million requests on June 7. The company also published a list of top source IP addresses that site administrators can add to blocklists. A reliable indicator of compromise is any request to the path /wp-json/gravitysmtp/v1/tests/mock-data in web server logs, especially when accompanied by the query parameter ?page=gravitysmtp-settings.
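The indicator above is easy to grep for, but a practitioner reviewing logs usually wants per-source counts and, more importantly, whether any request was actually served. The following is an added example written for this article, not Wordfence's tooling: a small PHP command-line scanner for Apache/nginx "combined" format logs. The log lines embedded in it are constructed for the demo. It also catches the `?rest_route=` request shape, which WordPress accepts for every REST route and which a path-only grep misses.

```php
<?php
// Added example: scan an access log for requests to the Gravity SMTP
// system-report route and summarise them per source IP.
// Usage: php gsmtp-ioc-scan.php /var/log/nginx/access.log
// With no argument it runs over the constructed sample lines below.

const GSMTP_ROUTE = '/gravitysmtp/v1/tests/mock-data';

/** Constructed sample traffic, not real logs. */
function gsmtp_sample_lines(): array {
    return array(
        '203.0.113.10 - - [07/Jun/2026:10:15:32 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8421 "-" "python-requests/2.31.0"',
        '203.0.113.10 - - [07/Jun/2026:10:15:33 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 8421 "-" "python-requests/2.31.0"',
        '198.51.100.7 - - [07/Jun/2026:10:16:01 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 403 162 "-" "curl/8.4.0"',
        '192.0.2.25 - - [07/Jun/2026:10:17:44 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
        '192.0.2.25 - - [07/Jun/2026:10:18:02 +0000] "GET /wp-json/GravitySMTP/v1/tests/mock-data/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
    );
}

/** Parse one combined-format line; returns null for lines that do not match. */
function gsmtp_parse_line( string $line ): ?array {
    // ip ident user [time] "METHOD target PROTO" status bytes ...
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /', $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                  'target' => $m[4], 'status' => (int) $m[5] );
}

/** Reduce a request target to the REST route WordPress would dispatch.
 *  Handles /wp-json/<route> and /?rest_route=<route>; WordPress matches
 *  routes case-insensitively and ignores a trailing slash, so normalise both. */
function gsmtp_requested_route( string $target ): string {
    $parts = parse_url( $target );
    $path  = rawurldecode( $parts['path'] ?? '' );
    if ( preg_match( '#/wp-json(/.*)$#', $path, $m ) ) {
        $route = $m[1];
    } else {
        parse_str( $parts['query'] ?? '', $q ); // parse_str URL-decodes for us
        $route = isset( $q['rest_route'] ) ? (string) $q['rest_route'] : '';
    }
    return strtolower( rtrim( $route, '/' ) );
}

/** Aggregate matching requests per source IP. */
function gsmtp_scan( iterable $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $r = gsmtp_parse_line( (string) $line );
        if ( $r === null || gsmtp_requested_route( $r['target'] ) !== GSMTP_ROUTE ) {
            continue;
        }
        $ip = $r['ip'];
        if ( ! isset( $hits[ $ip ] ) ) {
            $hits[ $ip ] = array( 'requests' => 0, 'served_200' => 0,
                                  'first' => $r['time'], 'last' => $r['time'] );
        }
        $hits[ $ip ]['requests']++;
        if ( $r['status'] === 200 ) {
            $hits[ $ip ]['served_200']++; // the report was most likely returned
        }
        $hits[ $ip ]['last'] = $r['time'];
    }
    return $hits;
}

function gsmtp_main( array $argv ): void {
    $lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : gsmtp_sample_lines();
    $hits  = gsmtp_scan( $lines );
    if ( ! $hits ) {
        echo 'No requests to ' . GSMTP_ROUTE . " found.\n";
        return;
    }
    printf( "%-16s %8s %10s  %s\n", 'source_ip', 'requests', 'served_200', 'first .. last' );
    foreach ( $hits as $ip => $h ) {
        printf( "%-16s %8d %10d  %s .. %s\n", $ip, $h['requests'], $h['served_200'], $h['first'], $h['last'] );
    }
    $served = array_sum( array_column( $hits, 'served_200' ) );
    echo $served > 0
        ? "WARNING: $served request(s) returned 200: treat the SMTP credentials as exposed and rotate them.\n"
        : "All matching requests were refused; still patch and keep monitoring.\n";
}

gsmtp_main( $argv );
```

On the sample lines the scanner reports two served requests from 203.0.113.10, one refused `rest_route` probe from 198.51.100.7, and one served mixed-case request from 192.0.2.25, and it ends with the rotation warning. The decision it supports is the one that matters during response: a 200 on this route before the patch means the credentials left the server, regardless of whether the source IP appears on any published list.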

The real-world impact: email abuse, impersonation, and supply-chain risk

Once attackers obtain live SMTP credentials from the exposed report, they can send emails that appear to originate from the compromised domain, bypassing spam filters that trust the domain’s reputation. This is particularly damaging for businesses that rely on email for invoicing, support, or marketing, as recipients are more likely to open messages that appear legitimate. In addition, the system report reveals the exact versions of WordPress core, themes, and plugins, allowing attackers to target known vulnerabilities with precision. In one observed campaign, attackers used the leaked credentials to register new domains under the victim’s email, then sent phishing links to the site’s user base.

The supply-chain risk extends beyond the affected site: if an attacker uses the stolen credentials to send bulk spam or malware, the victim’s IP addresses and domains can be blacklisted by email providers and security services, harming the sender’s partners and customers. Small and medium businesses with limited monitoring resources are especially vulnerable because they may not notice unusual email volumes or login attempts until after damage has occurred.

Why a “medium” severity rating can still mean “critical” in practice

The CVE-2026-4020 vulnerability received a medium severity score primarily because it does not directly execute code on the server. In real-world risk assessment, however, severity is not just a number: it is a function of exploitability, impact, and asset value. Here exploitability is trivial (no authentication required), impact is high (credential theft and detailed system knowledge), and asset value is often significant (email is a primary communication channel for most organizations). The CVSS vector shows where the number comes from: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N means network-reachable, low complexity, no privileges, no user interaction, with the loss confined to confidentiality. Note that with C:H that vector scores 7.5 (High) under CVSS 3.1; a Medium score such as 5.3 corresponds to C:L. Whichever impact value the vendor assigned, the first four metrics are what matter operationally: the attack surface is every unauthenticated host on the internet, even though confidentiality loss is the only direct consequence.

Compare this to a “critical” remote code execution flaw: both can be game-ending for a business, but the Gravity SMTP issue is easier to weaponize at scale. Attackers can automate exploitation with simple scripts that query the exposed endpoint and parse the JSON response for credentials, making it attractive for botnets and initial access brokers. Site owners who dismiss the medium rating because it lacks remote code execution may find themselves cleaning up email abuse or recovering from a compromised domain reputation weeks later.

Immediate actions for WordPress administrators

The fastest mitigation is to update Gravity SMTP to version 2.1.5 or later via the WordPress admin dashboard. If updating is not immediately possible, administrators should block all requests to /wp-json/gravitysmtp/v1/tests/mock-data at the web server or firewall level. Keep in mind that WordPress also serves every REST route through the ?rest_route= query parameter, so a rule that matches only the /wp-json/ path does not cover every request shape. Adding the published IP addresses to blocklists can reduce noise while updates are applied, but it is not a substitute for either step, since the exploit is trivial to run from any host. After patching, review email service provider logs for unusual sending patterns, such as sudden spikes in outbound messages or new sender registrations tied to the site's email addresses.

Next, rotate all SMTP credentials stored in the plugin, including API keys and SMTP passwords, and audit other integrations that share the same credentials. Given the volume of automated exploitation, treat the credentials as exposed unless web server logs covering the entire vulnerable period prove otherwise. Because the system report may also contain WordPress admin usernames and database details, consider forcing a password reset for all users and rotating database credentials if they were exposed. Finally, enable multi-factor authentication for WordPress admin accounts and the email service itself to reduce the value of any future credential leaks.
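The interim-blocking step above is normally done at the web server or WAF. For sites where that is not practical, the following added example (not the plugin's or Wordfence's code) does the same thing inside WordPress as a must-use plugin, using the core `rest_pre_dispatch` filter to refuse the route before the plugin's handler runs. Because it keys on the route WordPress resolved rather than on the raw URL, it covers both the /wp-json/ and ?rest_route= request shapes. The file name and log prefix are assumptions; remove the file once 2.1.5 is installed.

```php
<?php
/**
 * Plugin Name: Gravity SMTP system-report virtual patch (added example)
 * Description: Interim block for the unauthenticated system-report route
 *              until Gravity SMTP 2.1.5 or later is installed. Place in
 *              wp-content/mu-plugins/ (loaded automatically) and delete
 *              after updating.
 */
if ( ! defined( 'ABSPATH' ) ) { exit; }

const GSMTP_VP_ROUTE = '/gravitysmtp/v1/tests/mock-data';

/**
 * rest_pre_dispatch runs before any route callback or permission callback.
 * Returning a WP_Error short-circuits dispatch; returning $result unchanged
 * (null) lets normal processing continue.
 */
function gsmtp_vpatch_pre_dispatch( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    // get_route() is the route WordPress resolved for either request shape;
    // WordPress matches routes case-insensitively, so normalise the same way.
    $route = strtolower( untrailingslashit( $request->get_route() ) );
    if ( $route !== GSMTP_VP_ROUTE ) {
        return $result; // not the vulnerable route: leave it alone
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $result; // an authenticated administrator may still use it
    }

    // Audit trail for the incident timeline. REMOTE_ADDR is the proxy's
    // address if the site sits behind one; adjust to your setup.
    error_log( sprintf(
        'gsmtp-vpatch: refused %s %s from %s',
        $request->get_method(),
        $route,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'This endpoint is disabled pending a plugin update.',
        array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged-in
    );
}
add_filter( 'rest_pre_dispatch', 'gsmtp_vpatch_pre_dispatch', 10, 3 );
```

A must-use plugin cannot be disabled from the dashboard and loads before regular plugins, which is exactly the behaviour wanted for a stopgap. It is still a stopgap: it does not fix the plugin, it does not help if an attacker already has the credentials, and it must be removed once the real update is in place so it does not mask a future regression.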

Wider lessons: WordPress plugins as the new perimeter

Gravity SMTP is one of thousands of plugins that extend WordPress functionality, and each represents a potential attack surface. The pattern—an exposed API endpoint with weak permission checks—has recurred across popular plugins, from page builders to form processors. The recent advisory about a critical arbitrary file-deletion flaw in the Avada Builder plugin, used on one million sites, underscores the scale of exposure when plugins handle privileged operations without proper access controls.

For organizations running multiple WordPress sites, a plugin inventory and automated vulnerability scanning should be part of routine operations. Centralized logging and anomaly detection can surface unusual REST API calls or spikes in email activity before attackers weaponize the data. In addition, segmenting email service credentials—using dedicated API keys per site rather than shared accounts—limits blast radius when a single site is compromised.

What to watch next: exploit toolkits and follow-on attacks

Security researchers expect exploit toolkits to emerge that automate credential extraction and email abuse from the Gravity SMTP flaw. These kits may include scripts that parse the JSON report, extract SMTP hosts and ports, and generate phishing templates pre-loaded with the victim’s branding. Once attackers have a foothold via email, they often pivot to uploading web shells, stealing database contents, or redirecting visitors to malicious domains.

Defiant’s telemetry shows elevated exploit activity for several days after the initial spike, suggesting attackers are refining their approaches and sharing payloads. Site owners should monitor for secondary indicators such as new admin users, unfamiliar cron jobs, or unexpected file modifications in the uploads directory. Any of these could indicate that attackers have moved beyond credential theft to deeper compromise.

Long-term strategies for WordPress security

Beyond patching, organizations should adopt a layered defense. Use a web application firewall tuned for WordPress to block known malicious REST API paths and query parameters. Implement file integrity monitoring to detect unauthorized changes to plugin or theme files. Regularly audit user roles and remove unused accounts, especially those with administrator privileges. Finally, consider migrating critical email workflows to dedicated transactional email services that offer better credential isolation and abuse monitoring, reducing dependency on WordPress plugins for delivery.

The Gravity SMTP incident is a reminder that medium-severity does not mean low-risk. For WordPress sites handling business-critical communications, timely patching and proactive monitoring are the best defenses against credential theft and the cascading consequences that follow.