Threat actors are actively exploiting a critical information disclosure vulnerability in the Gravity SMTP WordPress plugin, exposing sensitive system credentials across more than 100,000 websites. Tracked as CVE-2026-4020, the flaw allows unauthenticated attackers to access API keys, OAuth tokens, and system configurations. According to security firm Wordfence, over 17 million exploitation attempts have been blocked to date, highlighting the rapid pace at which automated scanners weaponize plugin vulnerabilities.
How does an information disclosure flaw lead to total site compromise?
While CVE-2026-4020 does not grant attackers direct remote code execution, it functions as a “reconnaissance goldmine.” By exploiting an improperly protected REST API endpoint, attackers gain access to the environmental intelligence needed for follow-on attacks. According to Wordfence, this includes WordPress configuration details and third-party email service credentials. Once an attacker possesses these secrets, they can move laterally, potentially compromising outbound email infrastructure or impersonating legitimate services to conduct phishing campaigns or bypass security filters.
Why are WordPress plugins increasingly targeted by automated scanners?
The scale of the Gravity SMTP campaign, with 17 million blocked attempts, demonstrates the efficiency of modern botnets. Unlike targeted “human” attacks, these automated tools scan the entire internet for specific version strings. When a vulnerability like CVE-2026-4020 is disclosed, the time gap between patch release and widespread exploitation has shrunk to mere hours. This phenomenon forces site administrators to treat every plugin as a potential entry point for their entire digital infrastructure.
What are the immediate steps for remediation?
Security teams must treat this vulnerability as a high-priority incident. According to the plugin developer, RocketGenius, the fix is available in version 2.1.5. Organizations should follow these three steps:
- Apply the update: Upgrade to Gravity SMTP version 2.1.5 or later immediately to close the vulnerable REST API endpoint.
- Rotate credentials: If a site remained on a vulnerable version, assume all stored API keys, OAuth tokens, and SMTP credentials have been harvested. Rotate these secrets immediately.
- Audit logs: Examine web server and WordPress application logs for unusual patterns of REST API requests, which indicate that an attacker has already performed reconnaissance on your system.
Frequently Asked Questions
Is my site vulnerable if I don’t use Gravity SMTP?
No, this specific vulnerability is exclusive to the Gravity SMTP plugin. However, similar REST API vulnerabilities have been found in other WordPress plugins recently, making it essential to keep all software updated.
Does patching fix the security of my leaked API keys?
No. Patching stops the bleeding, but it does not invalidate credentials that were already stolen. You must manually rotate your email service API keys and OAuth tokens after updating the plugin.
How can I see if my site was already compromised?
Review your WordPress security logs for suspicious GET requests to the plugin’s REST API endpoints. If you find requests from unknown IP addresses, treat the credentials stored in that plugin as compromised.
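The log audit described in the remediation steps above and in this answer can be scripted. The following Python example is added here for illustration; it is not code from the article, from Wordfence, or from RocketGenius. It parses Apache/nginx combined-format access-log lines, summarises requests to the plugin's REST routes from IP addresses outside an allowlist of known administrator hosts, and includes a small version gate for the "2.1.5 or later" check. The REST route prefix is a placeholder because the article does not name the endpoint, the allowlist and log lines are constructed for the example, and nothing here contacts a live site.

```python
import re
from datetime import datetime

# Combined log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION: the article does not name the plugin's REST route, so this prefix is a
# placeholder; replace it with the route registered by the plugin you are auditing.
PLUGIN_REST_PREFIX = "/wp-json/PLUGIN-NAMESPACE-PLACEHOLDER/"

# Version the developer states contains the fix (taken from the article).
FIXED_VERSION = "2.1.5"

# Constructed sample access-log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:09:15:01 +0000] "GET /wp-json/PLUGIN-NAMESPACE-PLACEHOLDER/v1/settings HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:09:15:02 +0000] "GET /wp-json/PLUGIN-NAMESPACE-PLACEHOLDER/v1/settings HTTP/1.1" 200 1843 "-" "python-requests/2.31"
198.51.100.22 - - [12/Mar/2026:09:20:13 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9120 "https://example.test/" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2026:09:21:40 +0000] "GET /wp-json/PLUGIN-NAMESPACE-PLACEHOLDER/v1/settings HTTP/1.1" 200 1843 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:09:22:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
        records.append(rec)
    return records


def triage_rest_access(records, prefix, allowlist):
    """Summarise requests to the plugin's REST routes from IPs outside the allowlist.

    Returns one entry per source IP, most active first. A 2xx status means the
    endpoint returned content; on a vulnerable version that response is the leak.
    """
    by_ip = {}
    for rec in records:
        if rec["ip"] in allowlist or not rec["path"].startswith(prefix):
            continue
        entry = by_ip.setdefault(rec["ip"], {
            "ip": rec["ip"], "requests": 0, "successful": 0,
            "first_seen": rec["time"], "last_seen": rec["time"], "user_agents": set(),
        })
        entry["requests"] += 1
        if 200 <= rec["status"] < 300:
            entry["successful"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["time"])
        entry["last_seen"] = max(entry["last_seen"], rec["time"])
        entry["user_agents"].add(rec["ua"])
    return sorted(by_ip.values(), key=lambda e: e["requests"], reverse=True)


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version (numeric dotted compare)."""
    def key(v):
        return tuple(int(p) for p in re.findall(r"\d+", v))
    return key(installed) >= key(fixed)


if __name__ == "__main__":
    # Hypothetical allowlist: the site's own administrator host.
    admin_hosts = {"192.0.2.10"}
    findings = triage_rest_access(parse_log(SAMPLE_LOG), PLUGIN_REST_PREFIX, admin_hosts)
    for f in findings:
        print(f"{f['ip']}: {f['requests']} requests ({f['successful']} returned 2xx) "
              f"between {f['first_seen']:%Y-%m-%d %H:%M:%S} and {f['last_seen']:%H:%M:%S}; "
              f"user agents: {sorted(f['user_agents'])}")
    print("installed 2.1.4 patched?", is_patched("2.1.4"))
```

Any source IP that appears in the findings with one or more 2xx responses while the site was still on a version below 2.1.5 should be treated as having read the stored secrets, which is the trigger for the credential rotation step. Requests from the administrator allowlist are deliberately excluded so that routine settings-page loads do not drown out the signal; keep that list short and tied to hosts you actually control.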
