Security · June 21, 2026 · 5 min read

If You Use Gravity SMTP On WordPress Rotate Your Email API Keys Now

CVE-2026-4020 in the Gravity SMTP WordPress plugin (about 100,000 installs) lets an unauthenticated attacker pull your email provider API keys straight off the site, and bots are mass-exploiting it. It is rated CVSS 7.5 (High). Here is what leaks, why it deserves immediate attention, and the patch-and-rotate steps.

An Unauthenticated Leak Of Your Email Keys, Under Active Attack

CVE-2026-4020 in the Gravity SMTP plugin for WordPress is an unauthenticated information-disclosure flaw rated CVSS 7.5 (High). It lets anyone, with no login at all, pull your email provider API keys straight out of the site, and bots are mass-exploiting it right now. If you run WordPress with this plugin, treat it as a credential-theft incident and act today.

What Leaks, And How

The plugin registers a REST endpoint at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback simply returns true, so anyone can call it without logging in. Add the query parameter ?page=gravitysmtp-settings and it returns roughly 365 KB of JSON, the plugin's full System Report. That report includes the PHP version, the list of active plugins, database configuration, and, the dangerous part, the stored API credentials for whichever email service the site uses: Amazon SES, Google, Mailjet, Zoho, Resend, and others.

In plain terms, an attacker with no account on your site can read the keys that let them send mail as your domain.
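To make the root cause concrete, here is an added illustration in the WordPress plugin idiom; it is not Gravity SMTP's own code. The route and the page=gravitysmtp-settings parameter are the ones named in the advisory, while the demo_ function names, the report contents and the redaction rule are constructed. It shows the permission check the vulnerable build lacked, plus a second layer that strips credential fields before the report is serialized.

```php
<?php
// Added example, not code from the Gravity SMTP plugin. The route and the
// page=gravitysmtp-settings parameter come from the advisory; every demo_
// function name and the report contents below are constructed.

// Hypothetical report builder standing in for the plugin's System Report.
function demo_build_system_report( WP_REST_Request $request ) {
    if ( 'gravitysmtp-settings' !== $request->get_param( 'page' ) ) {
        return array();
    }
    return array(
        'php_version'    => PHP_VERSION,
        'active_plugins' => (array) get_option( 'active_plugins', array() ),
        // Constructed placeholders, not real credentials.
        'ses'     => array( 'access_key' => 'AKIA-EXAMPLE', 'secret_key' => 'example-secret' ),
        'mailjet' => array( 'api_key' => 'example-key', 'secret' => 'example-secret' ),
    );
}

// Replace any value whose key ends in key/secret/token/password, at any depth,
// so the report can no longer serialize provider secrets back out.
function demo_redact_secrets( array $data ) {
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            $data[ $key ] = demo_redact_secrets( $value );
        } elseif ( preg_match( '/(key|secret|token|password)$/i', (string) $key ) ) {
            $data[ $key ] = '[redacted]';
        }
    }
    return $data;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => function ( WP_REST_Request $request ) {
            return rest_ensure_response(
                demo_redact_secrets( demo_build_system_report( $request ) )
            );
        },
        // The vulnerable build used '__return_true' here, so anonymous
        // callers passed this check. Require an administrator instead.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

Either layer alone would have contained this incident: the capability check keeps anonymous callers out, and the redaction keeps keys out of any report an authenticated user exports.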

Why It Deserves Immediate Attention

A leaked email provider key is not abstract. With it an attacker can send phishing and spam from your sending reputation, run up real costs on metered services like SES, and in some cases read or manage your mail configuration. The leaked system report also hands them a map of your stack for follow-on attacks.

And this is not theoretical. Wordfence reports blocking more than 17 million exploit attempts against CVE-2026-4020, with activity spiking around June 6, 2026. If your site ran a vulnerable version and was reachable, assume the keys are already gone.

What To Do, In Order

  1. Update Gravity SMTP to 2.1.5 or later now. The patch shipped on March 17, 2026. Anything up to and including 2.1.4 is vulnerable.
  2. Rotate every email credential the plugin held. This is the step people skip. Updating stops new leaks, but it does not invalidate keys that were already stolen. Regenerate the API keys and secrets for SES, Mailjet, Zoho, Resend, Google, and anything else configured, then update them in the plugin.
  3. Check for abuse. Review your email provider send logs and billing for unfamiliar activity, check your SES sending statistics, and look for OAuth grants or app passwords you did not create.
  4. Block it at the edge if you cannot patch instantly. Deny requests to /wp-json/gravitysmtp/ at your WAF or CDN as a stopgap until the update is in.

The Lesson

An information disclosure that hands live, third-party credentials to bots already mass-exploiting it is a credential-theft incident, full stop. Triage by what actually leaks, not just by the category label. And store provider secrets where a plugin's debug or system report cannot serialize them back out, then rotate at the first hint of disclosure.

If you want a second pair of hands on the patch-and-rotate, or a review of where your secrets live, that is exactly what our security and compliance work and our WordPress work cover. For the same calm-triage approach on another WordPress flaw, see our note on the Spectra Gutenberg RCE.

Sources

Details are from the CVE-2026-4020 advisory and reporting by BleepingComputer, The Hacker News, The Next Web, and GBHackers: an unauthenticated information-disclosure flaw in Gravity SMTP affecting all versions up to and including 2.1.4 (around 100,000 installations), patched in 2.1.5 on March 17, 2026, with Wordfence blocking over 17 million exploitation attempts as activity spiked in early June 2026. The CVSS v3.1 base score is 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, assigned by Wordfence (the CNA) and reflected in NVD. Some secondary coverage cited 5.3; the CNA and NVD record is 7.5.
