An Unauthenticated Leak Of Your Email Keys, Under Active Attack
CVE-2026-4020 in the Gravity SMTP plugin for WordPress is an unauthenticated information-disclosure flaw rated CVSS 7.5 (High). It lets anyone, with no login at all, pull your email provider API keys straight out of the site, and bots are mass-exploiting it right now. If you run WordPress with this plugin, treat it as a credential-theft incident and act today.
What Leaks, And How
The plugin registers a REST endpoint at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback simply returns true, so anyone can call it without logging in. Add the query parameter ?page=gravitysmtp-settings and it returns roughly 365 KB of JSON, the plugin's full System Report. That report includes the PHP version, the list of active plugins, database configuration, and, the dangerous part, the stored API credentials for whichever email service the site uses: Amazon SES, Google, Mailjet, Zoho, Resend, and others.
In plain terms, an attacker with no account on your site can read the keys that let them send mail as your domain.
Why It Deserves Immediate Attention
A leaked email provider key is not abstract. With it an attacker can send phishing and spam from your sending reputation, run up real costs on metered services like SES, and in some cases read or manage your mail configuration. The leaked system report also hands them a map of your stack for follow-on attacks.
And this is not theoretical. Wordfence reports blocking more than 17 million exploit attempts against CVE-2026-4020, with activity spiking around June 6, 2026. If your site ran a vulnerable version and was reachable, assume the keys are already gone.
What To Do, In Order
- Update Gravity SMTP to 2.1.5 or later now. The patch shipped on March 17, 2026. Anything up to and including 2.1.4 is vulnerable.
- Rotate every email credential the plugin held. This is the step people skip. Updating stops new leaks, but it does not invalidate keys that were already stolen. Regenerate the API keys and secrets for SES, Mailjet, Zoho, Resend, Google, and anything else configured, then update them in the plugin.
- Check for abuse. Review your email provider send logs and billing for unfamiliar activity, check your SES sending statistics, and look for OAuth grants or app passwords you did not create.
- Block it at the edge if you cannot patch instantly. Deny requests to
/wp-json/gravitysmtp/at your WAF or CDN as a stopgap until the update is in.
The Lesson
An information disclosure that hands live, third-party credentials to bots already mass-exploiting it is a credential-theft incident, full stop. Triage by what actually leaks, not just by the category label. And store provider secrets where a plugin's debug or system report cannot serialize them back out, then rotate at the first hint of disclosure.
If you want a second pair of hands on the patch-and-rotate, or a review of where your secrets live, that is exactly what our security and compliance and WordPress work covers. For the same calm-triage approach on another WordPress flaw, see our note on the Spectra Gutenberg RCE.
Sources
Details are from the CVE-2026-4020 advisory and reporting by BleepingComputer, The Hacker News, The Next Web, and GBHackers: an unauthenticated information-disclosure flaw in Gravity SMTP affecting all versions up to and including 2.1.4 (around 100,000 installations), patched in 2.1.5 on March 17, 2026, with Wordfence blocking over 17 million exploitation attempts as activity spiked in early June 2026. The CVSS v3.1 base score is 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, assigned by Wordfence (the CNA) and reflected in NVD. Some secondary coverage cited 5.3; the CNA and NVD record is 7.5.
Talk to the engineer who will own your stack.
No account managers, no offshore handoff. Senior DevOps, direct. Tell us what you are dealing with and you get a straight answer.
Related News
A 15-Year-Old Linux Kernel Bug Called GhostLock Gives Any Local User Root and Escapes Containers
GhostLock (CVE-2026-43499) is a 15-year-old use-after-free in the Linux kernel rtmutex code that lets any logged-in user become root, and in the researchers' testing escape containers. It was quietly patched upstream in May, but Nebula Security has now published a working exploit, which changes the risk for anyone running shared or multi-tenant Linux. Here is who is actually exposed and what to do.
SecurityThe New libssh2 SSH Flaw Is Client-Side, Not Your sshd, and apt upgrade Will Not Fix the Copies That Matter
CVE-2026-55200 is an out-of-bounds write in the libssh2 client library that a malicious or compromised SSH server can use to corrupt a connecting client's memory, and a public proof-of-concept is already out. The corrections that matter: it is client-side and not an OpenSSH or sshd bug, the severity rating is disputed across scorers, and the real cleanup is finding the statically linked and vendored copies a distribution update never touches.
SecurityOpenSSL 3.0 Stops Getting Security Fixes in September and You Probably Still Ship It
OpenSSL 3.0 stops receiving all fixes, including security fixes, after September 7, 2026, and the 3.4 line follows on October 22. For most teams the distro backports cover it, but self-compiled, vendored, and container-bundled OpenSSL go quietly unpatched. Here is who is actually exposed and how to check.