What Actually Happened
A vulnerability in the Gravity SMTP plugin for WordPress has been exploited by hackers to expose sensitive information such as API keys and configuration data. This flaw, tracked as CVE-2026-4020, is classified as a medium-severity information disclosure vulnerability with a CVSS score of 5.3. The issue lies in a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data that improperly allows unauthenticated access, enabling attackers to retrieve a comprehensive system report including PHP versions, active plugins, and API keys for email services.
The Implementation Reality
For teams operating WordPress sites with the Gravity SMTP plugin, this vulnerability presents a significant risk. The exposed API keys can allow attackers to send emails on behalf of the site, leading to potential phishing or spam issues. Additionally, the detailed system report exposes critical server configurations, which can be leveraged for further attacks. Given that the plugin is installed on approximately 100,000 sites, the blast radius of this vulnerability is considerable.
To mitigate this risk, site administrators must ensure that they are running the patched version 2.1.5 of the Gravity SMTP plugin. Those who have not updated should be on high alert: attackers have already begun exploiting the flaw, and Wordfence reports blocking over 17 million exploit attempts. Reviewing server logs for suspicious requests to the affected endpoint, especially from the IP addresses identified in the attack, is crucial for detecting any disclosure that may have occurred before patching, because upgrading alone does not undo an exposure that already happened.
What to Do About It
- Upgrade the Gravity SMTP plugin to version 2.1.5 or later to close the vulnerability.
- Rotate all API keys and secrets associated with the plugin, particularly for third-party email integrations.
- Conduct a review of server logs for any unauthorized access attempts, especially from the IP addresses reported in the exploit.
- Implement access controls and rate limiting on REST API endpoints to prevent similar exploitation in the future.
- Monitor for unusual email activity that may indicate that compromised API keys are being used.
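The log review recommended above can be scripted. The following is an added example, not code from the article or from the Gravity SMTP project: it parses Apache/nginx combined-format access log lines, picks out requests to the mock-data endpoint named in the advisory, and separates probes that were merely attempted from those the server actually answered with a 2xx (meaning the system report was handed out). The log lines and IP addresses are constructed sample data, not indicators from the campaign.

```python
import re
from collections import Counter

# Endpoint named in the advisory; before 2.1.5 it answered unauthenticated requests.
GRAVITY_SMTP_MOCK_DATA = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (RFC 5737 documentation addresses, not real traffic):
# two probes served with 200 before patching, one refused after, one unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:08:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.10 - - [12/Mar/2026:08:14:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?x=1 HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2026:09:02:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 83 "-" "curl/8.5.0"
192.0.2.55 - - [12/Mar/2026:09:03:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 12077 "-" "Mozilla/5.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_mock_data_hits(log_text):
    """Return parsed entries whose path (query string ignored) is the mock-data endpoint."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].split("?", 1)[0] == GRAVITY_SMTP_MOCK_DATA:
            hits.append(entry)
    return hits

def triage(log_text):
    """Count probes per source IP and how many of them the server answered with a 2xx."""
    hits = find_mock_data_hits(log_text)
    served = [h for h in hits if h["status"].startswith("2")]
    return {
        "probes_by_ip": Counter(h["ip"] for h in hits),
        "served_by_ip": Counter(h["ip"] for h in served),
        "likely_disclosed": bool(served),  # any 2xx here means the report left the server
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["probes_by_ip"].items():
        print(f"{ip}: {n} probe(s), {result['served_by_ip'][ip]} served with 2xx")
    if result["likely_disclosed"]:
        print("Endpoint returned data to unauthenticated callers: rotate the exposed API keys.")
```

A 4xx on the endpoint after the upgrade confirms the fix is in place; any 2xx in the window before it is the trigger for the key rotation in the list above.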
Source: The Hacker News
At q52, we specialize in AI-augmented security operations and SIEM implementation. Let us help you operationalize threat detection with LLM enrichment — faster triage, fewer false positives, and security intelligence your team can actually act on. Learn about Noogenesis, our AI-powered SIEM platform and connect with us on LinkedIn.