

Ethical Hacking News

Unveiling the Gravity SMTP Vulnerability: A Threat to Web Security



A critical security flaw in the Gravity SMTP WordPress plugin has exposed API keys and sensitive data, posing a significant threat to web security. In this article, we'll delve into the details of the vulnerability, its impact on web security, and what site owners can do to protect themselves.

  • The Gravity SMTP plugin has a vulnerability (CVE-2026-4020) that allows unauthenticated visitors to access sensitive data.
  • The vulnerability can extract sensitive information such as PHP version, plugins, themes, and database details.
  • Attackers have already exploited this vulnerability to harvest credentials and send email on behalf of sites.
  • Patch versions (2.1.4 and 2.1.5) are available to fix the issue, but attackers continue to exploit it.
  • Site owners must update to the latest version and rotate their credentials to mitigate the risk.



    The world of web security has been dealt a severe blow by a recently disclosed vulnerability in the popular Gravity SMTP WordPress plugin. The flaw, tracked as CVE-2026-4020 (CVSS score: 5.3), poses a significant threat to every site that has the plugin installed.

    The Gravity SMTP plugin, which handles email delivery integrations for WordPress websites, registers a REST API endpoint whose permission_callback unconditionally returns true. Because that callback is the only gate in front of the route, any unauthenticated visitor can call the endpoint, which populates the plugin's internal connector data. When the "?page=gravitysmtp-settings" query parameter is appended to the request, the plugin's register_connector_data() method returns approximately 365 KB of JSON containing the full System Report.
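The root cause described above is a familiar WordPress pattern: register_rest_route() requires a permission_callback, and the value '__return_true' is the standard way to declare a route public, so it is easy to leave it on a route that should have been restricted. The following is an added example, not Gravity SMTP's own code: it shows the exposed pattern next to a hardened registration that checks a capability before the callback runs. The namespace example-smtp/v1, the route names and the example_smtp_* functions are placeholders; the code assumes it is loaded inside WordPress, where register_rest_route, current_user_can, rest_authorization_required_code and rest_ensure_response are core functions.

```php
<?php
// Added example (not from the article or the plugin): two ways a WordPress REST route
// can be registered. Namespace, route names and the example_smtp_* functions are
// placeholders. Assumes a WordPress runtime (register_rest_route, current_user_can,
// rest_authorization_required_code and rest_ensure_response are core functions).

// Exposed pattern: permission_callback always returns true, so any anonymous visitor
// reaches the callback and receives whatever it builds.
add_action('rest_api_init', function () {
    register_rest_route('example-smtp/v1', '/connector-data', [
        'methods'             => 'GET',
        'callback'            => 'example_smtp_connector_data',
        'permission_callback' => '__return_true',
    ]);
});

// Hardened pattern: only users who may manage site options reach the callback;
// everyone else is rejected before any plugin data is assembled.
add_action('rest_api_init', function () {
    register_rest_route('example-smtp/v1', '/connector-data-secure', [
        'methods'             => 'GET',
        'callback'            => 'example_smtp_connector_data',
        'permission_callback' => 'example_smtp_can_read_settings',
    ]);
});

function example_smtp_can_read_settings(WP_REST_Request $request) {
    if (current_user_can('manage_options')) {
        return true;
    }
    // rest_authorization_required_code() yields 401 for anonymous callers and 403 for
    // logged-in users who lack the capability.
    return new WP_Error(
        'rest_forbidden',
        __('You are not allowed to view SMTP connector settings.'),
        ['status' => rest_authorization_required_code()]
    );
}

function example_smtp_connector_data(WP_REST_Request $request) {
    // Placeholder payload. The article notes that appending page=gravitysmtp-settings made
    // the real endpoint emit the full System Report, credentials included; data of that
    // sensitivity must only be built behind the capability check above.
    $data = ['connectors' => []];
    if ($request->get_param('page') === 'gravitysmtp-settings') {
        $data['system_report'] = 'placeholder: built only for authorised users';
    }
    return rest_ensure_response($data);
}
```

Two design points follow from this. First, the capability check belongs in permission_callback rather than inside the handler, because WordPress evaluates it before the callback and before any expensive or sensitive data is assembled. Second, logged-in administrators calling the route from the browser must send the X-WP-Nonce header for cookie authentication to apply; a missing nonce makes the request anonymous, which is exactly the case the hardened callback refuses.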

    This information disclosure flaw lets attackers extract sensitive data from affected sites, including the PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, active plugins with their versions, the active theme, WordPress configuration details, database table names, and the API keys and tokens configured in the plugin for providers such as Amazon SES, Google, Mailjet, Resend, and Zoho. With that information in hand, attackers can harvest the credentials to send email on behalf of the site or use the environment details as a foothold for follow-on attacks.

    The vulnerability has been present in the Gravity SMTP plugin since version 2.1.4, and a patch was released in version 2.1.5. Despite this, attackers have already begun exploiting the defect by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the "?page=gravitysmtp-settings" query parameter, causing the server to return detailed information about the site without any authentication.

    According to Wordfence, over 17 million exploit attempts targeting CVE-2026-4020 have been blocked to date. The initial activity began at the start of May 2026 and spiked dramatically around June 6, 2026, peaking at over 4,000,000 requests per day. Given that volume, site owners running vulnerable versions of the Gravity SMTP plugin with third-party email integrations configured should assume compromise.

    To mitigate this risk, site owners are advised to update the plugin to the latest version (2.1.5) and then rotate every credential configured in it as soon as possible. Additionally, reviewing server log files for requests to the plugin's REST API endpoint that carry the "?page=gravitysmtp-settings" query parameter can help identify whether the site was probed or the System Report was actually served.
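The log review recommended above can be scripted. The following is an added example, not part of the article or of Wordfence's tooling: it scans access log lines in the common combined format for REST API requests that carry page=gravitysmtp-settings and summarises them per source address, distinguishing requests that were blocked from those that returned 200 and therefore most likely delivered the System Report. The sample log lines are constructed, the route path /gravitysmtp/v1/connector-data is a placeholder (the article does not name the real route), and the script assumes PHP 8 or later for str_contains().

```php
<?php
// Added example (not from the article or the plugin): summarise access log lines that hit
// a REST route with the page=gravitysmtp-settings parameter from the article.
// The route path /gravitysmtp/v1/connector-data is a placeholder. Requires PHP 8+.
declare(strict_types=1);

// Constructed sample lines in combined log format; pass a real log file as argv[1] instead.
$sampleLog = <<<'LOG'
203.0.113.10 - - [06/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/connector-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"
198.51.100.7 - - [06/Jun/2026:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [06/Jun/2026:10:02:40 +0000] "GET /wp-json/gravitysmtp/v1/connector-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"
192.0.2.55 - - [07/Jun/2026:03:15:00 +0000] "GET /?rest_route=/gravitysmtp/v1/connector-data&page=gravitysmtp-settings HTTP/1.1" 403 128 "-" "curl/8.5.0"
LOG;

function parseLogLine(string $line): ?array
{
    // Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6],
        'ua'     => $m[7],
    ];
}

function isSettingsProbe(array $req): bool
{
    // WordPress exposes the REST API both as /wp-json/... and as /?rest_route=...
    $hitsRest = str_contains($req['path'], '/wp-json/') || str_contains($req['path'], 'rest_route=');
    $query = parse_url($req['path'], PHP_URL_QUERY) ?? '';
    parse_str($query, $params);
    return $hitsRest && ($params['page'] ?? '') === 'gravitysmtp-settings';
}

function summarise(string $log): array
{
    $report = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null || !isSettingsProbe($req)) {
            continue;
        }
        $ip = $req['ip'];
        $report[$ip] ??= ['attempts' => 0, 'served' => 0, 'first' => $req['time'], 'last' => $req['time'], 'agents' => []];
        $report[$ip]['attempts']++;
        // A 200 means the endpoint answered; a 403/404 means a WAF or the patched plugin refused it.
        if ($req['status'] === 200) {
            $report[$ip]['served']++;
        }
        $report[$ip]['last'] = $req['time'];
        $report[$ip]['agents'][$req['ua']] = true;
    }
    return $report;
}

$input = $argc > 1 ? file_get_contents($argv[1]) : $sampleLog;
foreach (summarise($input) as $ip => $r) {
    printf("%-15s attempts=%d served=%d first=%s last=%s agents=%s\n",
        $ip, $r['attempts'], $r['served'], $r['first'], $r['last'], implode(',', array_keys($r['agents'])));
}
```

Run it with `php scan.php /var/log/apache2/access.log` (or with no argument to see the constructed sample). Any source with served greater than zero on a site that was running a vulnerable version and had provider credentials configured is the case in which the article's advice applies in full: treat those credentials as exposed and rotate them after updating.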

    In conclusion, the Gravity SMTP vulnerability serves as a stark reminder of the importance of web security and the need for prompt action when vulnerabilities are discovered. By staying informed and taking proactive measures to protect their sites, users can safeguard against potential exploits and minimize the risk of data breaches.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Unveiling-the-Gravity-SMTP-Vulnerability-A-Threat-to-Web-Security-ehn.shtml

  • https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-4020

  • https://www.cvedetails.com/cve/CVE-2026-4020/


  • Published: Sat Jun 20 06:20:57 2026 by llama3.2 3B Q4_K_M












