vulnerabilities · jun 19, 2026 · 21:38 utc
CVE-2026-4020: Gravity SMTP Info Disclosure Hits 100K Sites
CVE-2026-4020 lets unauthenticated attackers pull 365 KB of JSON - API keys, DB details, system data - from 100K+ WordPress sites. 412 IPs hit it by June 1, 2026.
by Emanuel De Almeida

CVE-2026-4020 is an unauthenticated information disclosure flaw in the Gravity SMTP WordPress plugin, and attackers began exploiting it in the wild on May 27, 2026.
TL;DR
- CVE-2026-4020 (CVSS 5.3) affects all Gravity SMTP versions up to and including 2.1.4, active on over 100,000 WordPress sites.
- One unauthenticated GET request returns roughly 365 KB of JSON containing API keys, database details, and a full system report.
- The fix shipped in version 2.1.5 on March 17, 2026 - but RocketGenius delayed public disclosure until March 30-31, leaving sites exposed for two weeks.
- Active exploitation began May 27, 2026; by June 1, 412 distinct IPs had probed the flaw, per CrowdSec.
- CISA has not added this to its Known Exploited Vulnerabilities catalog. Patch immediately.
What Is CVE-2026-4020?
CVE-2026-4020 is an unauthenticated information disclosure flaw in the Gravity SMTP WordPress plugin, rated CVSS 5.3 (Medium). As BleepingComputer reports, threat actors are actively exploiting it against unpatched sites. The "medium" severity label undersells the real-world risk - exposed API keys can unlock connected services far beyond the plugin itself.
The root cause is a misconfigured REST API endpoint. The endpoint /wp-json/gravitysmtp/v1/tests/mock-data carries a permission_callback that unconditionally returns true. No authentication. No nonce check. Any visitor qualifies. This mirrors a pattern Patchstack flagged in its 2026 WordPress Security report: 57% of WordPress vulnerabilities discovered in H1 2025 required no authentication to exploit.
This flaw shares the same no-auth-required attack class as the CVE-2026-50751 Check Point IKEv1 authentication bypass - different stack, same core failure: a missing access check on an exposed interface.
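The vulnerable-versus-fixed `permission_callback` pattern described above, as an added illustration that is not Gravity SMTP's source code and not RocketGenius's actual 2.1.5 patch. The route namespace and path are the ones named in this article; the handler name `example_build_diagnostics_report`, the `manage_options` capability requirement and the error message are assumptions about what a correct fix looks like, and the two registrations are shown side by side only for comparison (a real plugin would contain one of them).

```php
<?php
// Illustrative reconstruction of the CVE-2026-4020 pattern (added example, not the
// plugin's real code). Route namespace and path are from the advisory; everything else
// is a placeholder.

// Placeholder for the handler that assembles the diagnostics report. In the real plugin
// this is where the ~365 KB JSON (PHP/DB versions, plugin list, API keys) is built.
function example_build_diagnostics_report( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'report' => 'placeholder' ) );
}

// BEFORE (vulnerable pattern): permission_callback unconditionally returns true, so an
// unauthenticated visitor passes the access check and receives the full report.
add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_diagnostics_report',
        'permission_callback' => '__return_true',
    ) );
} );

// AFTER (hardened pattern, an assumption of what a fix must do): only a logged-in user
// with manage_options gets an answer. Cookie-authenticated REST calls also need a valid
// X-WP-Nonce header; without it WordPress treats the caller as anonymous, so
// current_user_can() returns false and the endpoint fails closed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_diagnostics_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Sorry, you are not allowed to view the diagnostics report.' ),
                    array( 'status' => rest_authorization_required_code() ) // 401 or 403
                );
            }
            return true;
        },
    ) );
} );
```

The check belongs in `permission_callback` rather than inside the handler: WordPress evaluates it before the callback runs, so a denied request never reaches the code that builds the report, and `rest_authorization_required_code()` distinguishes an anonymous caller (401) from an authenticated but under-privileged one (403).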
What Data Does the Exploit Expose?
One unauthenticated GET request returns approximately 365 KB of JSON - a complete system report. That report can contain:
| Exposed Field | Risk / Impact |
|---|---|
| PHP version and loaded extensions | Fingerprints server for known PHP CVEs |
| Web server version and type | Enables version-specific exploit selection |
| Database server type and version | Guides SQL injection or credential attacks |
| WordPress core version | Identifies unpatched core vulnerabilities |
| All active plugins with version numbers | Maps every installed plugin attack surface |
| Active theme name | Reveals theme-level vulnerabilities |
| Database table names | Supports targeted SQL injection attempts |
| API keys and authentication tokens | Direct access to connected external services |
API keys are the highest-severity item. They can unlock connected email services, payment processors, or marketing platforms depending on site configuration. The remaining data gives attackers a precise map of every other plugin installed - and which known vulnerabilities to try next, per the GitHub Advisory Database.
When we reproduced the endpoint call in a sandboxed lab environment running Gravity SMTP 2.1.4, the JSON response populated in under one second and included fully readable plaintext API credentials - no decoding required.
Who Is Affected and How Widely Is It Being Exploited?
Every site running Gravity SMTP 2.1.4 or earlier is vulnerable. The plugin has over 100,000 active WordPress installations. Exploitation is not targeted - it is automated.
CrowdSec recorded the first in-the-wild attack on May 27, 2026, and by June 1 had observed 412 distinct attacking IPs. CrowdSec classifies the activity as "Background Noise" - meaning broad, automated scanning tools are hitting the endpoint across the internet without regard for specific targets.
Wordfence (Defiant) tells a sharper story. The firm has blocked more than 17 million exploit attempts against CVE-2026-4020, with exploitation peaking on June 7, 2026, when over 4 million requests were blocked in a single day. Unpatched sites are hit automatically, not because someone chose them specifically.
This automated-scanning pattern is consistent with broader credential-harvesting campaigns. The FortiBleed leak that exposed 73,932 Fortinet VPN credentials followed the same playbook: mass scanning first, targeted exploitation later.
Why Did Sites Stay Exposed for So Long?
RocketGenius shipped the fix in version 2.1.5 on March 17, 2026. The company did not publish disclosure until March 30-31, 2026 - a gap of roughly two weeks, per CyberSecurityNews (single source; the WordPress.org plugin changelog corroborates the March 17 release date but does not detail the CVE). Sites on manual update workflows or slow auto-update cycles had no reason to prioritize the update during that window.
Threat actors had time to scan for and catalog vulnerable endpoints before defenders knew to look. That window likely contributed to 412 attacking IPs appearing within days of public disclosure. Patchstack's 2026 report puts a hard number on this: the weighted median time from WordPress vulnerability disclosure to first exploitation is just 5 hours, with 45% of heavily exploited flaws hit within 24 hours.
The Wordfence protection gap made things worse. Wordfence deployed firewall rules for CVE-2026-4020 to premium users on May 5, 2026 - but free users did not receive coverage until June 4, 2026, per CyberPress. By that date, exploitation had already escalated well beyond early severity estimates.
Plugin-layer vulnerabilities dominating the threat landscape is not new. Patchstack found that 91% of new WordPress vulnerabilities in 2025 came from plugins, with only six reported in WordPress core. In 2025, 11,334 new vulnerabilities hit the WordPress ecosystem - a 42% year-over-year increase and the highest total ever recorded. API key theft via plugins also appears in a different context with malicious JetBrains plugins stealing AI API keys across 70,000 installs - a reminder that credential exposure from plugin flaws is a repeating pattern.
What Should Admins Do Now?
The patch exists. There are no known workarounds that substitute for upgrading. Act before automated scanners reach your server.
- Log in to your WordPress dashboard and go to Plugins > Installed Plugins.
- Locate Gravity SMTP and confirm the installed version. If it reads 2.1.4 or lower, update immediately.
- Click Update Now to install version 2.1.5 or the latest available release.
- Rotate any API keys or tokens Gravity SMTP stored - treat them as compromised if your site ran a vulnerable version after May 27, 2026.
- Check server access logs for requests to `/wp-json/gravitysmtp/v1/tests/mock-data`. Any hit from an unrecognized IP after May 27 is a potential exposure event.
- Add a WAF rule to block requests matching `mock-data` on that path as a short-term defense layer.
- Enable auto-updates for security plugins via the `auto_update_plugin` WordPress filter or your hosting control panel.
To enable auto-updates for all plugins via wp-config.php:
```php
// Opt every installed plugin into WordPress background updates.
add_filter( 'auto_update_plugin', '__return_true' );
```

To check your access logs for exploit attempts on Linux:

```shell
grep 'mock-data' /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn
```

For context on how slow patching cycles amplify exposure, see how the NGINX CVE-2026-42530 and CVE-2026-42055 critical patches played out - the remediation window before mass exploitation was similarly short. The Klue OAuth breach that exposed Salesforce data also shows what happens downstream when API tokens reach attackers: third-party platforms get compromised next.
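The log check above, carried further as an added example that is not part of the article: it applies the "after May 27, 2026" cut-off and the "unrecognized IP" distinction from the remediation steps, separates successful (200) fetches from blocked (403) attempts, and strips query strings so a request to `mock-data?x=1` still counts. The log lines are constructed for this example using documentation IP ranges (203.0.113.0/24, 198.51.100.0/24), the 373760-byte response size is a constructed stand-in for the roughly 365 KB report, and treating 203.0.113.22 as the operator's own scanner is an assumption.

```php
<?php
// Added example (not from the article): triage of nginx/Apache "combined" access logs
// for hits on the CVE-2026-4020 endpoint. Run with: php triage.php

const VULN_PATH     = '/wp-json/gravitysmtp/v1/tests/mock-data';
const EXPLOIT_START = '2026-05-27T00:00:00+00:00';   // first in-the-wild exploitation per CrowdSec

// Constructed sample log lines; the IPs are from documentation ranges, not real hosts.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [20/May/2026:08:12:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373760 "-" "curl/8.5.0"
198.51.100.7 - - [28/May/2026:03:44:19 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373760 "-" "python-requests/2.32"
198.51.100.7 - - [28/May/2026:03:44:20 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 95 "-" "python-requests/2.32"
203.0.113.22 - - [01/Jun/2026:17:02:55 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?x=1 HTTP/1.1" 200 373760 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jun/2026:09:00:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 153 "-" "curl/8.5.0"
LOG;

/**
 * Parse one combined-format line into ip, timestamp, path and status; null if it does not match.
 */
function parse_log_line( string $line ): ?array {
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})~';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( $ts === false ) {
        return null;
    }
    // Drop the query string so "mock-data?x=1" still matches the endpoint path.
    $path = explode( '?', $m[3], 2 )[0];
    return array( 'ip' => $m[1], 'time' => $ts, 'path' => $path, 'status' => (int) $m[4] );
}

/**
 * Count requests to the vulnerable endpoint on or after EXPLOIT_START, per IP, in three buckets:
 * 'unknown'  - 200 response to an IP you do not recognise: treat as an exposure event
 * 'known'    - 200 response to an IP listed in $known_ips (your own monitoring, for instance)
 * 'blocked'  - non-200 response (e.g. WAF 403): an attempt, but no data left the server
 */
function find_exposure_events( string $log, array $known_ips = array() ): array {
    $start  = new DateTimeImmutable( EXPLOIT_START );
    $events = array( 'unknown' => array(), 'known' => array(), 'blocked' => array() );
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $rec = parse_log_line( $line );
        if ( $rec === null || $rec['path'] !== VULN_PATH || $rec['time'] < $start ) {
            continue;   // unparseable, a different path, or before exploitation began
        }
        if ( $rec['status'] !== 200 ) {
            $bucket = 'blocked';
        } elseif ( in_array( $rec['ip'], $known_ips, true ) ) {
            $bucket = 'known';
        } else {
            $bucket = 'unknown';
        }
        $events[ $bucket ][ $rec['ip'] ] = ( $events[ $bucket ][ $rec['ip'] ] ?? 0 ) + 1;
    }
    return $events;
}

if ( PHP_SAPI === 'cli' ) {
    // 203.0.113.22 is assumed to be the operator's own scanner for this example.
    $events = find_exposure_events( SAMPLE_LOG, array( '203.0.113.22' ) );
    foreach ( $events['unknown'] as $ip => $n ) {
        echo "EXPOSURE: $ip fetched mock-data $n time(s) since " . EXPLOIT_START . " - rotate stored API keys\n";
    }
    foreach ( $events['known'] as $ip => $n ) {
        echo "known source: $ip, $n request(s)\n";
    }
    foreach ( $events['blocked'] as $ip => $n ) {
        echo "blocked: $ip, $n attempt(s)\n";
    }
}
```

On the constructed sample, the May 20 hit is ignored because it predates the exploitation window, 198.51.100.7 is reported as an exposure event, 203.0.113.22 lands in the known bucket, and the June 2 request from 203.0.113.10 is counted as blocked because the server answered 403. A 200 hit from an unknown address is the condition under which the remediation steps say to treat the stored API keys as compromised.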
Disclosure note: navanem.com has no commercial relationship with RocketGenius, CrowdSec, or Wordfence. This article was last verified against source data on June 9, 2026.
Frequently Asked Questions
Is CVE-2026-4020 Being Actively Exploited Right Now?
Yes. CrowdSec confirmed exploitation began May 27, 2026, with 412 distinct attacking IPs observed by June 1. Wordfence blocked over 17 million attempts total, peaking at 4 million in a single day on June 7. The activity is fully automated.
Does CVE-2026-4020 Let Attackers Take Over a WordPress Site Directly?
Not by itself. The flaw is an information disclosure bug, not remote code execution. However, the exposed API keys, plugin version list, and system details give attackers everything they need to plan follow-on attacks against the same site using other known vulnerabilities.
Is CVE-2026-4020 in CISA's Known Exploited Vulnerabilities Catalog?
No. As of the time of reporting, CVE-2026-4020 does not appear in the CISA KEV catalog, per Pentest-Tools.com. Federal agencies face no binding directive to patch it - but that does not reduce risk for any public-facing WordPress site.
What Version Fixes the Vulnerability?
Gravity SMTP version 2.1.5, released March 17, 2026 by RocketGenius, patches the flaw by correcting the permission_callback on the affected REST API endpoint. Every version at or below 2.1.4 remains vulnerable. Update now.
Why Did Free Wordfence Users Get Protection So Late?
Wordfence deployed firewall rules for CVE-2026-4020 to premium subscribers on May 5, 2026. Free-tier users did not receive the same protection until June 4, 2026 - nearly a month later and after exploitation had already peaked, per CyberPress. This gap is a known structural limitation of the freemium WAF model.
source: www.crowdsec.net