Threat actors are actively exploiting CVE-2026-4020, an information-disclosure vulnerability in the WordPress Gravity SMTP plugin, to extract email service credentials and infrastructure blueprints without leaving file-based traces. The patch is available in version 2.1.5, released March 17, 2026, but the exploit wave exploded between June 7 and 11, peaking at 4 million blocked requests in a single day. The danger is twofold: the ease of anonymous data access and the impossibility of detecting the intrusion without proactive log analysis.
- The REST endpoint /wp-json/gravitysmtp/v1/tests/mock-data returns roughly 365 KB of JSON containing API keys, OAuth tokens, and system details without authentication, due to a permission_callback that unconditionally returns true.
- Wordfence blocked over 17 million exploit attempts, with a peak of 4 million on June 7, 2026, while CrowdSec detected 412 distinct active IPs between May 27 and June 1.
- CrowdSec classifies 83% of intent as "infrastructure takeover" versus 17% pure data theft: email credentials serve as a bridge to broader compromise.
- The CVSS score of 5.3 rates the flaw as Medium, but the combination of a zero-touch exploit, the absence of forensic artifacts, and public Nuclei templates raises the actual risk well beyond the formal score.
"A WordPress mail plugin should not publish your infrastructure blueprint" — CrowdSec
The Mechanism: How One Line of Code Opens the Infrastructure
SentinelOne analyzed the architectural root of the flaw. The Gravity SMTP plugin, which exceeds 100,000 active installations, registers a REST API endpoint with a permission_callback designed to verify user permissions. Instead of querying WordPress capabilities, the function returns true in every case. Appending the parameter ?page=gravitysmtp-settings to the full endpoint triggers the response: a JSON object of roughly 365 KB that SentinelOne classifies as CWE-200 (Information Exposure).
The report contents include API keys and secrets for Amazon SES, Google Workspace, Mailjet, Resend, and Zoho; OAuth tokens; PHP version and loaded extensions; web server, database, and WordPress versions; and a list of active plugins and themes. It is a complete host profile, sufficient to plan follow-on attacks with minimal reconnaissance effort.
The Scale of the Attack: Numbers from an Automated Campaign
Converging independent telemetry paints a structured campaign, not an episodic one. Wordfence detected over 17 million blocked attempts, with a temporal distribution showing a sharp acceleration in early June. On June 7, 2026, the count hit 4 million requests in 24 hours. GBHackers published granular IOCs: IP address 45.148.10.95 alone generated over 642,000 blocked requests, followed by 193.32.162.60 with over 586,000. Wordfence deployed premium firewall rules on May 5, 2026, and free rules on June 4, leaving a differentiated exposure window for non-paying installations.
CrowdSec, with data collected between May 27 and June 1, cataloged 412 distinct IPs and classified the activity as "Background Noise," a technical term indicating routine automation rather than targeted operations. Attack geography points to France, the Netherlands, and the United States. Victim segmentation shows 55% in e-commerce environments and 39% in small businesses and home offices (SOHO), categories with fewer resources for proactive monitoring.
Why Medium Does Not Mean Manageable
The CVSS 5.3 score reflects the read-only nature of the vulnerability: no remote code execution, no file modification, no direct privilege escalation. But this same characteristic nullifies traditional detection mechanisms. A successful attack leaves no malicious files, alters no timestamps, and spawns no anomalous disk processes. The only trace resides in web server logs and API calls, often retained for short periods or never analyzed on WordPress systems managed by non-specialist users.
Wordfence highlighted the operational consequence: "The exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site." The stolen credentials are immediately usable: sending phishing with the compromised reputation of the legitimate host, abusing paid cloud service quotas, or pivoting to other systems where the same credentials are reused.
What to Do Now
- Immediately update Gravity SMTP to version 2.1.5 or later; the patch released March 17, 2026 fixes the REST endpoint's permission_callback.
- Check web server logs for GET requests to the endpoint /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings; the presence of calls with a 200 response from unauthorized IPs indicates exposure occurred.
- Rotate all API credentials and OAuth tokens for email providers configured in the plugin (Amazon SES, Google, Mailjet, Resend, Zoho); the source does not document confirmed abuse, but the exposure is verified.
- Disable the test endpoint if not needed, or apply web-server-level access controls to intercept unauthenticated requests before they reach WordPress.
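One way to carry out the log check in the steps above, as an added example that is not from the article, the plugin vendor, or any of the cited vendors: a Python script that parses Apache/nginx combined-format access log lines, flags GET requests to the mock-data endpoint that received a 200 (the article's indicator that the report was actually served), tallies every IP that probed the endpoint regardless of status, and cross-checks those IPs against the two source addresses GBHackers reported. The log lines are constructed for illustration; the regex assumes the standard combined log format, and the hypothetical 373760-byte response size is chosen to approximate the article's "roughly 365 KB" report.

```python
"""Scan web-server access logs for hits on the Gravity SMTP mock-data endpoint
(CVE-2026-4020). Added example, not code from the article or the plugin;
the sample log lines below are constructed for illustration."""
import re
from collections import Counter

# Endpoint and query parameter named in the article.
TARGET_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
TARGET_QUERY = "page=gravitysmtp-settings"

# Source IPs the article attributes to GBHackers' blocked-request counts.
KNOWN_SOURCE_IPS = {"45.148.10.95", "193.32.162.60"}

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines: one served report, two blocked probes, one
# unrelated request, and one unparseable line.
SAMPLE_LOG = [
    '45.148.10.95 - - [07/Jun/2026:10:15:32 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"',
    '203.0.113.7 - - [07/Jun/2026:10:16:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 0 "-" "curl/8.4.0"',
    '193.32.162.60 - - [07/Jun/2026:10:17:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 0 "-" "Go-http-client/1.1"',
    '198.51.100.22 - - [07/Jun/2026:10:18:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not in combined log format',
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_exploit_hit(rec):
    """True when the unauthenticated report was served: a GET to the endpoint
    carrying the settings-page parameter that got a 200 response."""
    path, _, query = rec["path"].partition("?")
    return (rec["method"] == "GET" and path == TARGET_PATH
            and TARGET_QUERY in query.split("&") and rec["status"] == 200)


def scan(lines):
    """Summarize exposure: served hits, per-IP probe counts, and known IPs seen."""
    hits = []
    probes = Counter()  # every request to the endpoint, whatever the status
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] == TARGET_PATH:
            probes[rec["ip"]] += 1
            if is_exploit_hit(rec):
                hits.append(rec)
    return {
        "exposed": bool(hits),
        "hits": hits,
        "probes": probes,
        "known_ips_seen": sorted(set(probes) & KNOWN_SOURCE_IPS),
        "largest_response": max((h["bytes"] for h in hits), default=0),
    }


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print("exposed:", result["exposed"])
    for h in result["hits"]:
        print(f"  served report to {h['ip']} at {h['time']} ({h['bytes']} bytes)")
    print("probing IPs:", dict(result["probes"]))
    print("known source IPs seen:", result["known_ips_seen"])
```

Read the output as the article's checklist intends: a 200 on the endpoint, especially with a response size in the hundreds of kilobytes, means the report left the server and credential rotation is mandatory; 403s show the endpoint was probed but blocked, which is still worth recording because a later request from the same automation may have reached an unprotected host.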
The Systemic Lag of the WordPress Ecosystem
The three-month gap between the patch release and the exploit explosion illustrates a recurring dynamic in the WordPress plugin ecosystem. Version 2.1.5 was available on March 17, 2026; public disclosure occurred March 30. Mass exploitation began in May–June. The dossier reveals no direct vendor communication (RocketGenius/Gravity Forms) to users beyond the changelog, nor any forced-update mechanism. The combination of free-tier installations with delayed firewall rules and commercial environments with little attention to application security laid the groundwork for a low-cost, high-yield campaign.
The Gravity SMTP case is not a CVSS severity exception, but a confirmation: in real-world risk assessment, the formal metric matters less than the combination of exploit ease, detection impossibility, and exposed data value. A Medium score can hide a critical breach when no one is watching the logs.
Information verified against cited sources and current as of publication.
Sources
- https://www.bleepingcomputer.com/news/security/hackers-exploit-info-disclosure-bug-in-gravity-smtp-wordpress-plugin/
- https://www.sentinelone.com/vulnerability-database/cve-2026-4020/
- https://cybersecuritynews.com/hackers-exploiting-wordpress-smtp-plugin/
- https://www.crowdsec.net/vulntracking-report/cve-2026-4020-gravity-smtp-information-disclosure
- https://gbhackers.com/hackers-exploit-wordpress-smtp-plugin/