A security flaw in the Gravity SMTP plugin is being actively exploited at scale, with attackers targeting the roughly 100,000 WordPress sites that run the plugin for email delivery, according to its WordPress.org active-install count. The vulnerability allows anyone — without logging in — to request a full system report from a site, including third-party API credentials used to send email through services like Amazon SES, Google, Mailjet, Resend, and Zoho.
Tracked as CVE-2026-4020 and rated Medium severity (CVSS 5.3), the flaw exists in all versions of Gravity SMTP up to and including 2.1.4. The plugin registers a REST API endpoint (the interface WordPress exposes for programmatic data requests) at /wp-json/gravitysmtp/v1/tests/mock-data whose permission callback unconditionally returns true, so WordPress never checks who is asking and no authentication is ever required. When the query parameter ?page=gravitysmtp-settings is appended to the request, the endpoint returns approximately 365 KB of JSON containing the plugin's complete System Report.

That report includes the PHP version and loaded extensions, web server details, database type and version, WordPress version, every active plugin and its version, the active theme, database table names, and, most damaging of all, any API keys, OAuth tokens, and secrets configured for the plugin's email integrations. An attacker harvesting those credentials can abuse the site's connected email account to send spam or phishing messages from a reputable sender. The remaining system data is an inventory for follow-on attacks: the exact plugin and software versions can be matched against other known vulnerabilities. The exploit itself requires only a single unauthenticated GET request, making automated scanning straightforward.
The five IP addresses responsible for the highest volume of blocked attempts, according to Wordfence:
- 45.148.10.95: over 642,000 blocked requests
- 193.32.162.60: over 586,000 blocked requests
- 176.65.148.139: over 539,000 blocked requests
- 173.199.90.188: over 460,000 blocked requests
- 45.148.10.120: over 410,000 blocked requests
Wordfence reports its firewall has blocked over 17 million exploit attempts targeting this vulnerability, with the attack volume surging sharply in early June 2026. The single busiest day was June 7th, when more than 4 million attempts were blocked. Sustained high-volume attacks continued through June 11th, with several million attempts blocked each day during that period.
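Because the exploit is a single GET request with a recognisable path and query parameter, site owners without a WAF can still hunt for it in ordinary web-server access logs. The script below is an added example for this article, not code from Wordfence or the Gravity SMTP project. It parses Combined Log Format lines, flags requests for the mock-data route (via the pretty /wp-json/ URL or the ?rest_route= fallback WordPress uses when pretty permalinks are off) and separates blocked or short-answered attempts from ones that received a report-sized 200. The attacker IP list is the one reported above; the log lines are constructed for the example, and the 300 KB size threshold is an assumption derived from the ~365 KB report size, not a vendor figure.

```python
"""Hunt for CVE-2026-4020 exploit attempts in web-server access logs.

Added example; not Wordfence or Gravity SMTP code. Sample log lines are
constructed; the size threshold is an assumption based on the ~365 KB report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Top attacking IPs reported by Wordfence (from the article above).
REPORTED_ATTACKER_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139",
    "173.199.90.188", "45.148.10.120",
}

VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
# A successful response is ~365 KB; anything >= 300 KB is treated as a full
# System Report (assumed threshold).
FULL_REPORT_BYTES = 300_000

# Apache/nginx Combined Log Format (request line, status, bytes sent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


@dataclass
class Hit:
    ip: str
    ts: str
    status: int
    bytes_sent: int
    verdict: str          # "probe", "attempt" or "disclosure"
    known_attacker: bool  # IP appears in the reported top-five list


def classify(target: str, status: int, bytes_sent: int) -> str:
    """Classify one request against the vulnerable endpoint.

    'none'       - does not touch the mock-data route
    'probe'      - route reached without page=gravitysmtp-settings
    'attempt'    - full exploit request, but blocked or answered short
    'disclosure' - exploit request answered with a report-sized 200
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    on_route = parts.path.rstrip("/").endswith("/wp-json" + VULN_ROUTE) or any(
        r.rstrip("/") == VULN_ROUTE for r in qs.get("rest_route", [])
    )
    if not on_route:
        return "none"
    if "gravitysmtp-settings" not in qs.get("page", []):
        return "probe"
    if status == 200 and bytes_sent >= FULL_REPORT_BYTES:
        return "disclosure"
    return "attempt"


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for GET requests that touch the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    status = int(m["status"])
    sent = 0 if m["bytes"] == "-" else int(m["bytes"])
    verdict = classify(m["target"], status, sent)
    if verdict == "none":
        return None
    return Hit(m["ip"], m["ts"], status, sent, verdict,
               m["ip"] in REPORTED_ATTACKER_IPS)


def scan(lines: Iterable[str]) -> List[Hit]:
    return [h for h in (parse_line(l) for l in lines) if h is not None]


def summarize(hits: List[Hit]) -> dict:
    """Counts per verdict plus the IPs that actually received a full report."""
    return {
        "counts": dict(Counter(h.verdict for h in hits)),
        "disclosed_to": sorted({h.ip for h in hits if h.verdict == "disclosure"}),
    }


# Constructed sample log: one blocked attempt from a reported attacker IP, two
# successful disclosures (pretty URL and rest_route form), one unrelated REST
# call and one probe of the route without the settings parameter.
SAMPLE_LOG = """\
45.148.10.95 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:03:15:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
198.51.100.4 - - [07/Jun/2026:03:16:01 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 371044 "-" "curl/8.5.0"
192.0.2.9 - - [07/Jun/2026:03:17:45 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Jun/2026:03:18:10 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        flag = " [reported attacker IP]" if h.known_attacker else ""
        print(f"{h.ts} {h.ip} {h.verdict} status={h.status} bytes={h.bytes_sent}{flag}")
    print(summarize(found))
```

A "disclosure" hit means the request was answered, not blocked, so the credentials in that site's System Report should be treated as compromised. The byte threshold depends on the log recording response size (the `%b`/`$body_bytes_sent` field); if the server sits behind a proxy that compresses responses, lower it or rely on the 200 status alone.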
The patched version, 2.1.5, was released by the vendor on March 17th, 2026, before Wordfence publicly detailed the active exploitation in June. Wordfence Premium, Care, and Response customers received a firewall rule on May 5th, 2026; free Wordfence users received the same protection on June 4th. The delayed rule deployment occurred because the vulnerability’s initial severity rating fell below the threshold that automatically triggers a firewall rule — a threshold Wordfence revised once active exploitation was confirmed.
Site owners using Gravity SMTP should update to version 2.1.5 immediately. Even with a firewall in place, applying the patch closes the underlying vulnerability rather than relying solely on perimeter defenses. Because the flaw discloses stored credentials, patching alone does not undo a leak that has already happened: any site that was running a vulnerable version while exposed should rotate the API keys, OAuth tokens and passwords configured for its email integrations, review the connected email service for unexpected sending, and check access logs for unauthenticated GET requests to /wp-json/gravitysmtp/v1/tests/mock-data.