Hackers are mass-exploiting the Gravity SMTP flaw to steal API keys from 100,000 WordPress sites.



TL;DR

Wordfence has blocked more than 17 million attempts to exploit the Gravity SMTP bug, which leaks API keys and system data from WordPress sites without authentication.

Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that hands API keys, OAuth tokens, and detailed system configuration information to anyone who sends a single unauthenticated HTTP request. Defiant-owned WordPress security firm Wordfence says it has blocked more than 17 million exploit attempts targeting the flaw since exploitation began in early May 2026. The plugin is installed on nearly 100,000 WordPress sites.

Tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, the vulnerability affects all versions of Gravity SMTP up to and including 2.1.4. A patched release, version 2.1.5, shipped on March 17, 2026, but exploitation began approximately two months later, suggesting that attackers either reverse-engineered the fix or discovered the flaw independently after the patch gained attention.

The root cause is the REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data, which is registered with a permission_callback that returns true unconditionally. No authentication or capability check is therefore performed before the server processes the request. When an attacker adds the ?page=gravitysmtp-settings query parameter, the plugin's register_connector_data() method populates its internal connector data and the endpoint returns about 365 KB of JSON containing the site's full system report.

The information revealed includes the API keys, secrets, and OAuth tokens for every email integration configured in the plugin. Gravity SMTP supports Amazon SES, Google, Mailjet, Resend, and Zoho, and if credentials for any of these services are configured, they appear in the response. An attacker who obtains those credentials can send email on behalf of the compromised site, which is useful for phishing campaigns and business email compromise.

The system report also contains the WordPress version, the PHP version and installed extensions, the web server version, the document root path, the database server type and version, all active plugins with version numbers, the active theme, and the database table names. This gives attackers a detailed map of a site's software stack, significantly reducing the reconnaissance effort required to plan follow-on attacks against known vulnerabilities in specific plugin or server versions.

“Exposing live third-party API credentials means an attacker can abuse a site’s associated email services, while detailed system reporting significantly reduces the effort required to plan subsequent attacks against the site,” Wordfence researchers wrote in their advisory.

Exploitation volume increased dramatically on June 6, 2026, and on June 7 Wordfence blocked more than 4 million requests in a single day. The attack traffic originated primarily from a pool of IP addresses that Wordfence has published so administrators can add them to their blocklists. The key indicator of compromise is a request for /wp-json/gravitysmtp/v1/tests/mock-data in web server access logs, especially one carrying the ?page=gravitysmtp-settings query parameter.
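Checking access logs for that indicator is straightforward to script. The following is an added example, not code from the article or from Wordfence: it parses a few constructed combined-format access-log lines (the IP addresses come from the RFC 5737 documentation ranges and are not real attacker IPs), flags every hit on the mock-data route, distinguishes a bare probe from a request that carried ?page=gravitysmtp-settings, and reports which of those the server answered with HTTP 200, meaning the system report was most likely served. It goes slightly beyond the article by also recognizing the ?rest_route= form that WordPress accepts when pretty permalinks are disabled.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format. The IPs are RFC 5737
# documentation addresses and none of this is real captured traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 374112 "-" "python-requests/2.31"
198.51.100.23 - - [07/Jun/2026:10:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "python-requests/2.31"
192.0.2.44 - - [07/Jun/2026:10:15:31 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 213 "-" "curl/8.4.0"
198.51.100.23 - - [07/Jun/2026:10:16:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
"""

# Apache/nginx combined log format: client IP, timestamp, request line,
# status code and response size are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# REST route of the vulnerable endpoint (the part after /wp-json) and the
# query parameter that makes the plugin emit the full system report.
ROUTE = "/gravitysmtp/v1/tests/mock-data"
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"


def classify_request(target):
    """Return 'full-report', 'probe' or None for one request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.startswith("/wp-json/"):
        route = parts.path[len("/wp-json"):]
    elif "rest_route" in query:
        # WordPress also serves REST routes as /?rest_route=/... when
        # pretty permalinks are off (beyond what the article describes).
        route = query["rest_route"][0]
    else:
        return None
    if route.rstrip("/") != ROUTE:
        return None
    if query.get(TRIGGER_PARAM, [""])[0] == TRIGGER_VALUE:
        return "full-report"
    return "probe"


def scan_log(text):
    """Return one record per request that touched the vulnerable route."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m["target"])
        if kind is None:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "kind": kind,
            "status": int(m["status"]),
            "bytes": int(m["size"]) if m["size"].isdigit() else 0,
        })
    return hits


def summarize(hits):
    """Per-IP counts plus the hits that most likely leaked credentials:
    a full-report request the server answered with HTTP 200."""
    by_ip = Counter(h["ip"] for h in hits)
    leaked = [h for h in hits if h["kind"] == "full-report" and h["status"] == 200]
    return {"by_ip": by_ip, "likely_leaked": leaked}


if __name__ == "__main__":
    summary = summarize(scan_log(SAMPLE_LOG))
    for ip, count in summary["by_ip"].most_common():
        print(f"{ip}: {count} request(s) to the mock-data route")
    for h in summary["likely_leaked"]:
        print(f"LIKELY LEAK {h['ts']} from {h['ip']} ({h['bytes']} bytes served)")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. Any entry in likely_leaked means the site should be treated as compromised: update the plugin, then rotate every key, secret and OAuth token configured in its email connectors, regardless of whether the source IP appears on a published blocklist.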

CrowdSec, an open-source threat intelligence platform, independently confirmed the timeline. It deployed a detection for CVE-2026-4020 on May 22 and observed the first real-world exploit attempt on May 27. By June 1 the activity had become background noise, indicating that it had been folded into the automated scanning routines that sweep WordPress sites at scale.

The speed with which exploitation was industrialized reflects a broader pattern in WordPress plugin security. The flaw requires no authentication, targets a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. WordPress’s plugin ecosystem has also faced repeated supply chain compromises, including a 2026 attack in which 30 plugins purchased on Flippa were backdoored and left dormant for eight months before being activated.

The Gravity SMTP vulnerability differs from those supply chain attacks in that it involves no malicious code injected by a compromised developer. It is a simple coding error: an authorization callback that should check the requesting user’s capabilities instead returns true for every request. The simplicity of the flaw makes it remarkable that it survived development, review, and release.

Exposing API credentials is especially dangerous because the credentials remain valid even after the plugin is updated. Version 2.1.5 closes the vulnerable endpoint, but it does not invalidate or rotate any API keys that may already have been collected. Credential theft through software flaws is an accelerating problem across the industry, with recent studies showing that exposed API credentials are used within minutes of discovery.

Wordfence’s advisory urges site owners who ran a vulnerable version of Gravity SMTP with third-party email integrations configured to assume compromise. The recommended fix is to update the plugin to version 2.1.5 or later, then immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin’s email connectors. Administrators should also review server log files for requests from the published attacker IP addresses.

The CVE was published on March 31, 2026, two weeks after the patch shipped. Despite the three-month window between patch availability and peak exploitation, many sites remain vulnerable. The gap between when patches become available and when organizations deploy them is one of the most persistent problems in software security, and WordPress plugins are particularly prone to it, since many site operators neither monitor plugin updates nor enable automatic updates.

Wordfence also issued a separate advisory this week for CVE-2026-8713, a critical unauthenticated arbitrary file deletion vulnerability in the Avada Builder plugin, which is installed on nearly one million WordPress sites. The flaw allows attackers to delete files on the server via a routing error, and deleting wp-config.php could reset the site to its initial installation state, potentially allowing a full takeover.

A patch for the Avada Builder flaw is available in version 3.15.4, and no active exploitation of CVE-2026-8713 has yet been observed.

Wordfence has not attributed the Gravity SMTP exploitation to a specific threat actor or group. A mass-scanning pattern from a small cluster of IP addresses is more consistent with opportunistic credential harvesting than with targeted intrusion, although stolen credentials can be traded or shared with more sophisticated operators for further attacks.