Active exploitation of Gravity SMTP flaw exposes hidden WordPress risk
Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that can expose sensitive system information, including API keys, OAuth tokens, plugin inventories, and server configuration details without authentication. While the flaw does not directly enable remote code execution, it highlights a persistent security challenge in the WordPress ecosystem: information disclosure vulnerabilities are often underestimated until attackers use the exposed data for reconnaissance, credential theft, and follow-on attacks.
You can get an overview here: CVE-2026-4020: Gravity SMTP WordPress Plugin Exploited
Gidi Cohen, CEO & Co-founder, Bonfy.AI had this comment:
“The active exploitation of the Gravity SMTP vulnerability (CVE‑2026‑4020) to steal API keys, secrets, and full system details from WordPress sites shows how even minor plugins now sit on the front line of enterprise data exposure. An unauthenticated REST endpoint returning configuration data, plugin inventories, and third‑party email credentials gives attackers both the ability to impersonate a brand and high‑quality reconnaissance for chaining additional exploits.
Updating to version 2.1.5 and rotating exposed keys is critical, but this incident reflects a broader problem: a growing web of plugins, SaaS connectors, and AI‑enabled services moving sensitive content with limited content‑level governance. Modern data security strategies increasingly need to treat every outbound channel as a high‑risk path requiring consistent, contextual, content‑aware controls and to provide unified visibility into how unstructured data moves across websites, SaaS apps, collaboration tools, and AI systems.”
Vusal Shahbazzade, Lead Edge Deployment Engineer, Polygraf AI follows with this:
“What’s interesting about CVE-2026-4020 is not a severity score (5.3 is medium), but what it gives to an attacker. It includes a REST endpoint that authenticates nobody and returns the site’s full system report (PHP version, server paths, active plugins, database details, configured API keys). It’s not a medium-level problem in practice, because that data opens many other doors – everything shown in clean JSON, no skill required to read it. On top of that, 17 million blocked attempts are people building a map.
This bug lives in a shared configuration library bundled into the plugin, an endpoint that registered itself as public without anyone explicitly deciding it should be. It’s a convenience feature in a dependency exposed by default, and it inherited the trust of the plugin it shipped inside. Teams would need to audit every endpoint a dependency registers, rather than assuming they’re safe; otherwise low-CVSS bugs will keep doing high-CVSS damage.”
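One way to do the audit described above, as an added example that is not part of the original post or of the Gravity SMTP plugin: a small mu-plugin that adds a WP-CLI command listing every REST route whose permission_callback is missing or is the always-true `__return_true` stub, together with the plugin directory that defined its handler. The command name `rest-audit` and the `rra_` helper names are assumptions; the WordPress and WP-CLI calls are standard.

```php
<?php
/**
 * Plugin Name: REST Route Audit (example mu-plugin, assumed name)
 * Lists REST routes that any request can reach, with the plugin that registered them.
 * Usage: wp rest-audit
 */

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return;
}

/** Resolve a route handler callable to the file that defines it, or null if unknown. */
function rra_callback_file( $cb ) {
    try {
        if ( $cb instanceof Closure || ( is_string( $cb ) && function_exists( $cb ) ) ) {
            return ( new ReflectionFunction( $cb ) )->getFileName();
        }
        if ( is_array( $cb ) && count( $cb ) === 2 ) {
            return ( new ReflectionMethod( $cb[0], $cb[1] ) )->getFileName();
        }
    } catch ( ReflectionException $e ) {
        // Unknown origin; reported as such below.
    }
    return null;
}

/** Map an absolute file path to the top-level plugin directory under wp-content/plugins. */
function rra_plugin_slug( $file ) {
    if ( ! $file ) {
        return '(unknown)';
    }
    $base = trailingslashit( wp_normalize_path( WP_PLUGIN_DIR ) );
    $file = wp_normalize_path( $file );
    if ( strpos( $file, $base ) !== 0 ) {
        return '(core/theme/mu-plugin)';
    }
    return strtok( substr( $file, strlen( $base ) ), '/' );
}

WP_CLI::add_command( 'rest-audit', function () {
    // rest_get_server() fires rest_api_init, so routes from every dependency are registered.
    $rows = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        foreach ( $handlers as $h ) {
            $perm = $h['permission_callback'] ?? null;
            // Reachable without authentication: no check at all, or the always-true stub.
            if ( null === $perm || '__return_true' === $perm ) {
                $rows[] = array(
                    'route'   => $route,
                    'methods' => implode( ',', array_keys( (array) ( $h['methods'] ?? array() ) ) ),
                    'plugin'  => rra_plugin_slug( rra_callback_file( $h['callback'] ?? null ) ),
                );
            }
        }
    }
    WP_CLI\Utils\format_items( 'table', $rows, array( 'route', 'methods', 'plugin' ) );
} );
```

Routes that legitimately need to be public (for example content listing endpoints) will appear too; the point is that each row is a deliberate decision someone can point to rather than a default inherited from a bundled library.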
If I were you, either update this plugin to version 2.1.5 or discontinue its use. Either way, you’ll be doing yourself a favour.
This entry was posted on June 23, 2026 at 9:19 am and is filed under Commentary with tags WordPress.