
Gravity SMTP CVE-2026-4020: API keys leaked, 17M exploit attempts

Wordfence blocked 17M attempts at the unauth REST endpoint that dumps Gravity SMTP's full System Report — live API keys and OAuth tokens included. Patch is 2.1.5.


Wordfence reports blocking more than 17 million exploit attempts against CVE-2026-4020 in the Gravity SMTP WordPress plugin since early May 2026, with a single-day spike of more than 4 million requests on June 7. The bug — an unauthenticated REST endpoint that returns the plugin's full System Report — leaks live API keys and OAuth tokens for Amazon SES, Google, Mailjet, Resend and Zoho on any of the roughly 100,000 sites running 2.1.4 or earlier. The fixed release is Gravity SMTP 2.1.5.

The primary record is the GitHub Security Advisory GHSA-jxfc-8wcq-xxcg, published by Wordfence on March 31, 2026. The exploitation telemetry driving this week's news cycle is Wordfence's own threat feed, picked up by Bleeping Computer on June 19.

What's affected

All Gravity SMTP versions up to and including 2.1.4. The plugin is published by RocketGenius, the team behind Gravity Forms, and is installed on roughly 100,000 WordPress sites. The patched release is 2.1.5. The companion product Gravity Forms (the form builder) is unaffected — this is purely the SMTP plugin.

The bug

The plugin registers a REST API endpoint at:

/wp-json/gravitysmtp/v1/tests/mock-data

with a permission_callback that unconditionally returns true. Appending the query string ?page=gravitysmtp-settings causes the endpoint's register_connector_data() method to populate connector data into the response. The result is approximately 365 KB of JSON served to any unauthenticated visitor, containing:

  • PHP version, loaded extensions, web server version
  • WordPress version, document root, configuration details
  • Active plugins (with versions) and active theme
  • Database server type, version, and table names
  • All API keys, secrets and OAuth tokens configured in the plugin's email connectors (Amazon SES, Google, Mailjet, Resend, Zoho)

CVSS for the underlying flaw is 7.5 per the GitHub Advisory record. The EPSS score is 2.98% (estimated probability of exploitation within 30 days, placing it in the 86th percentile of scored CVEs) — already moot, since exploitation is in progress.

Exploitation status

Wordfence is the named source: more than 17 million exploit attempts blocked since early May 2026, with the curve spiking around June 6 and 4+ million requests blocked on June 7 alone. The attack signature is a single unauthenticated GET to the endpoint above with ?page=gravitysmtp-settings appended — trivially scriptable, no authentication, no per-site reconnaissance required. A 200 response carrying a JSON body of roughly 365 KB is the indicator of a successful pull.

CISA has not added CVE-2026-4020 to the KEV catalog as of June 21. RocketGenius has not published an incident-response advisory beyond the 2.1.5 changelog entry.

Action checklist

  1. Upgrade Gravity SMTP to 2.1.5 today on every WordPress site that runs the plugin. Auto-updates are under Plugins → Installed Plugins → Automatic updates — turn it on if it isn't.
  2. Rotate every credential the plugin ever held. API keys for Amazon SES, Google (Gmail / Workspace SMTP), Mailjet, Resend, Zoho, and any other connector configured in Gravity SMTP must be treated as compromised. Patching alone does not invalidate exposed secrets.
  3. Search access logs for GET /wp-json/gravitysmtp/v1/tests/mock-data since early May 2026. Any 200 with a body around 365 KB is a confirmed exfiltration; any 200 at all on a vulnerable version is suspicious.
  4. Block the endpoint at the WAF as defense-in-depth even after patching. Wordfence rules already block it; for other WAFs, write the rule yourself.
  5. Re-issue site secrets if the System Report dump returned wp-config.php paths. Treat any DB_PASSWORD, AUTH_KEY, SECURE_AUTH_KEY etc. that may have been adjacent to the exposed data as part of the same incident.
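A log-hunting script for step 3, covering the indicator described under Exploitation status: it parses combined-format access log lines, keeps only requests to the vulnerable endpoint, and grades each hit by status and response size. This is an added example, not code from Wordfence or RocketGenius; the 300 KB threshold and the sample log lines are constructed for illustration.

```python
import re

# Endpoint named in the advisory text above.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
# Size threshold is an assumption: the article gives roughly 365 KB for a full dump.
FULL_DUMP_MIN_BYTES = 300_000

# Apache/Nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify(line):
    """Return (ip, timestamp, status, bytes, verdict) for hits on the
    vulnerable endpoint, or None for any other log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("target").partition("?")[0].rstrip("/")
    if path != VULN_PATH:
        return None
    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    if status == 200 and size >= FULL_DUMP_MIN_BYTES:
        verdict = "exfiltrated"   # full System Report served
    elif status == 200:
        verdict = "suspicious"    # 200 with a small body: still a hit on a vulnerable version
    else:
        verdict = "blocked"       # WAF / 4xx / 5xx: attempt, no data returned
    return (m.group("ip"), m.group("ts"), status, size, verdict)

def scan(lines):
    """Classify every line; drop lines that do not touch the endpoint."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"',
    '198.51.100.23 - - [07/Jun/2026:03:15:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 215 "-" "curl/8.4.0"',
    '192.0.2.10 - - [07/Jun/2026:03:16:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [07/Jun/2026:03:16:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 55212 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, status, size, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:11} {ip:15} {ts} status={status} bytes={size}")
```

Pipe real logs in with `scan(open(path))` and treat every "exfiltrated" row as a credential-rotation trigger for that site, regardless of whether the plugin has since been patched.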

Context

This is the second mass-exploited WordPress plugin information-disclosure or RCE we've covered this fortnight, after Everest Forms Pro CVE-2026-3300. The shared pattern: a permission_callback returning true (or a weak nonce check), an endpoint that returns more than its name suggests, and a plugin with six-figure installs. WordPress REST endpoints are the new admin-ajax.php — anything reading runtime configuration should never be unauthenticated, and capability checks belong on every callback that touches plugin settings.

The credential-rotation step is the one operators routinely skip. If your outbound mail provider has been silently invoiced for spam runs in the last six weeks, the Gravity SMTP API key is the most likely vector.
