Summary:
The WordPress plugin Gravity SMTP is currently under active, large-scale attack due to a “Sensitive Information Exposure” vulnerability (CVE-2026-4020). The flaw exists in a REST API endpoint that incorrectly allows unauthenticated access, enabling attackers to retrieve a full system report.
This report includes sensitive configuration data, server details, and, most critically, third-party API keys and secrets used for email integrations (e.g., Amazon SES, Google, Mailjet). Wordfence reports blocking over 17 million exploit attempts, with heavy activity recorded in early June 2026.
Users are urged to update to version 2.1.5 or later immediately to patch the issue. Because any API keys exposed through the report may already have been harvested, it is also highly recommended that users rotate all credentials associated with the plugin’s email services. If you suspect a breach, review server logs for suspicious requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint.
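As an added illustration of the log check described above (this is not code from the Wordfence article or from the Gravity SMTP project), the following Python script scans web server access logs in the common Apache/nginx "combined" format for requests to the endpoint named in the summary. It goes slightly beyond the text in that it also recognises the ?rest_route= URL form that WordPress accepts when pretty permalinks are disabled, so a probe written that way is not missed. The log lines are constructed sample data using documentation IP ranges; the route constant is the one the summary names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# REST route named in the advisory summary (without the /wp-json prefix).
VULNERABLE_ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Apache/nginx "combined" access-log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: two hits from one client (pretty and plain permalink
# forms), an unrelated REST call, a trailing-slash probe that was denied, and a
# login POST that should not match.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:04:12:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jun/2026:04:12:10 +0000] "GET /index.php?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 200 18231 "-" "python-requests/2.31"
198.51.100.22 - - [03/Jun/2026:04:13:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [03/Jun/2026:04:13:05 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data/ HTTP/1.1" 401 73 "-" "curl/8.4.0"
192.0.2.5 - - [03/Jun/2026:04:14:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    target: str
    status: int
    ua: str


def rest_route_of(target: str) -> Optional[str]:
    """Return the WordPress REST route a request targets, or None if it is not a REST call.

    Handles both URL forms WordPress accepts:
      /wp-json/<route>                 (pretty permalinks, possibly under a subdirectory)
      /index.php?rest_route=/<route>   (plain permalinks)
    Percent-encoding and a trailing slash are normalised so variants compare equal.
    """
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    idx = path.find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):]  # keep the leading slash of the route
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return unquote(qs["rest_route"][0]).rstrip("/")
    return None


def scan(lines: Iterable[str]) -> List[Hit]:
    """Return every parsed log line whose REST route is the vulnerable endpoint."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        if rest_route_of(m["target"]) == VULNERABLE_ROUTE:
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["target"],
                            int(m["status"]), m["ua"] or ""))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, Dict[str, int]]:
    """Per source IP: total requests to the endpoint and how many returned 200.

    A 200 means the server answered the request; on an unpatched install that is
    the case in which the system report, and the keys in it, was actually handed out.
    """
    per_ip: Dict[str, Dict[str, int]] = {}
    for h in hits:
        entry = per_ip.setdefault(h.ip, {"requests": 0, "served": 0})
        entry["requests"] += 1
        if h.status == 200:
            entry["served"] += 1
    return per_ip


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.ip} {h.method} {h.target} -> {h.status} ({h.ua})")
    for ip, counts in summarize(found).items():
        print(f"{ip}: {counts['requests']} request(s), {counts['served']} served with 200")
```

Any source that shows "served" greater than zero before the plugin was updated should be treated as having obtained the report, which is the case in which rotating the email-service credentials is not optional. Feed real logs by replacing SAMPLE_LOG.splitlines() with an open file handle; the parser tolerates lines in other formats by skipping them.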
Read the full article by István Márton on the Wordfence blog.