
OSINT
Wordfence blocked 17M+ attempts to exploit a Gravity SMTP bug that leaks API keys and system configuration files from WordPress sites without authentication.
Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration files to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security company owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity began in early May 2026. The plugin is installed on approximately 100,000 WordPress sites.
The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, affects all versions of Gravity SMTP through 2.1.4. A patch was released in version 2.1.5 on 17 March 2026, but exploitation did not begin until roughly two months later, suggesting attackers reverse-engineered the fix or found the flaw independently after the patch drew attention to it.
The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/checks/mock-files with a permission_callback function that unconditionally returns true. That means no authentication check runs before the server processes the request. When an attacker appends the query parameter ?page=gravitysmtp-settings, the plugin’s register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the site’s full system configuration file.
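To make the coding error concrete, the following is an added illustration written for this article, not Gravity SMTP’s own source. It shows the WordPress REST registration pattern the advisory describes (a permission_callback that always returns true; the stock `__return_true` helper is the usual way to get that behaviour in WordPress, though whether the plugin used that helper or its own closure is not stated here) next to a hardened registration that gates the same route on a capability check. The `example_` function and option names, the `example-hardened/v1` namespace, and the connector field names are hypothetical.

```php
<?php
// Added illustration, not Gravity SMTP's own code: the WordPress REST
// registration pattern the article describes, next to a hardened version.
// Function and option names prefixed "example_" are hypothetical.

// VULNERABLE PATTERN. '__return_true' is WordPress's stock "always true"
// callback; used as permission_callback it tells the REST API to run the
// handler for anyone, logged in or not, with no capability or nonce check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/checks/mock-files', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_files_handler',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED PATTERN. The handler is only reached by users allowed to manage
// site options; everyone else receives 401 (anonymous) or 403 (logged in
// but lacking the capability) from WordPress before the handler runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-hardened/v1', '/checks/mock-files', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_files_handler',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to read SMTP connector settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Hypothetical handler. Even for an administrator a settings screen rarely
// needs the secret value itself, so the response carries a masked form;
// a future permission bug then exposes far less.
function example_mock_files_handler( WP_REST_Request $request ) {
    $connectors = (array) get_option( 'example_smtp_connectors', array() );
    foreach ( $connectors as $name => $connector ) {
        $connectors[ $name ] = example_mask_secrets( (array) $connector );
    }
    return rest_ensure_response( array(
        'page'       => sanitize_key( (string) $request->get_param( 'page' ) ),
        'connectors' => $connectors,
    ) );
}

// Keep only the last four characters of each credential field.
function example_mask_secrets( array $connector ): array {
    foreach ( array( 'api_key', 'secret', 'access_token', 'refresh_token' ) as $field ) {
        if ( ! empty( $connector[ $field ] ) ) {
            $value = (string) $connector[ $field ];
            $connector[ $field ] = str_repeat( '*', max( 0, strlen( $value ) - 4 ) )
                . substr( $value, -4 );
        }
    }
    return $connector;
}
```

The two registrations differ only in the permission_callback, which is the whole fix: WordPress evaluates that callback before the handler, so returning a WP_Error with the status from rest_authorization_required_code() stops anonymous callers at the door. Masking secrets in the handler is a second, independent layer that limits what any future authorisation slip can leak.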
The exposed data includes API keys, secrets, and OAuth tokens for every email integration configured in the plugin. Gravity SMTP supports Amazon SES, Google, Mailjet, Resend, and Zoho, and credentials for any of these services appear in the response if they were configured. An attacker who obtains these credentials can send email on behalf of the compromised site, a capability that is valuable for phishing campaigns and business email compromise.
The system configuration file also includes the WordPress version, the PHP version and loaded extensions, the web server version, the document root path, the database server type and version, all active plugins with their version numbers, the active theme, and database table names. That information gives attackers a detailed map of the site’s software stack, greatly reducing the reconnaissance effort required to stage follow-on attacks against known vulnerabilities in specific plugin or server versions.
“The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system file significantly lowers the effort required to stage further attacks against the site,” Wordfence researchers wrote in their advisory.
Exploitation volume spiked sharply around 6 June 2026, with Wordfence blocking more than 4 million requests in a single day on 7 June. The attack traffic has originated primarily from a cluster of IP addresses that Wordfence published for administrators to add to blocklists. The primary indicator of compromise is requests to /wp-json/gravitysmtp/v1/checks/mock-files in web server access logs, particularly those containing the ?page=gravitysmtp-settings query parameter.
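For administrators who want to check their own logs for that indicator, the following is an added example script, not Wordfence’s tooling or anything from the plugin. It assumes the common combined access-log format, reads the file named on the command line (or the constructed sample lines embedded below, which use documentation IP ranges rather than any published attacker address), and ranks source IPs by what they requested. It also covers two cases the one-line indicator above does not spell out: sites installed in a subdirectory (the route then sits under /blog/wp-json/… rather than /wp-json/…) and sites without pretty permalinks, where WordPress serves the same route through the `rest_route` query parameter. Requires PHP 8.0 or later.

```php
<?php
// Added example (not Wordfence's or Gravity SMTP's code): find the indicator
// of compromise described above in web server access logs and rank the
// source addresses. Requires PHP 8.0+.
//
// Usage: php scan_gravitysmtp.php /var/log/apache2/access.log
// With no argument the constructed sample lines below are scanned.

const IOC_ROUTE = '/gravitysmtp/v1/checks/mock-files';
const IOC_PARAM = 'gravitysmtp-settings';

// Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

function classify_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    [ , $ip, $time, $method, $target, $status ] = $m;
    $parts = parse_url( $target );
    $path  = rtrim( $parts['path'] ?? '', '/' );
    parse_str( $parts['query'] ?? '', $query );

    // Pretty permalinks expose the route under .../wp-json/...; sites without
    // them reach the same handler through /index.php?rest_route=/...
    $route_hit = str_ends_with( $path, '/wp-json' . IOC_ROUTE )
        || rtrim( (string) ( $query['rest_route'] ?? '' ), '/' ) === IOC_ROUTE;
    if ( ! $route_hit ) {
        return null;
    }

    // The settings parameter is what makes the endpoint serialise the
    // connector data; a 200 on such a request means the data was served.
    $with_param = ( $query['page'] ?? '' ) === IOC_PARAM;
    $severity   = ( $with_param && (int) $status === 200 ) ? 'LIKELY-LEAK'
                : ( $with_param ? 'ATTEMPT' : 'PROBE' );

    return compact( 'ip', 'time', 'method', 'status', 'severity' );
}

// Aggregate hits per source IP: counts by severity plus first timestamp seen.
function summarise( iterable $lines ): array {
    $by_ip = [];
    foreach ( $lines as $line ) {
        $hit = classify_line( rtrim( (string) $line, "\r\n" ) );
        if ( $hit === null ) {
            continue;
        }
        $by_ip[ $hit['ip'] ][ $hit['severity'] ] =
            ( $by_ip[ $hit['ip'] ][ $hit['severity'] ] ?? 0 ) + 1;
        $by_ip[ $hit['ip'] ]['first_seen'] ??= $hit['time'];
    }
    return $by_ip;
}

// Constructed sample (documentation IP ranges, not real attacker addresses).
$sample = [
    '203.0.113.9 - - [07/Jun/2026:03:12:44 +0000] "GET /wp-json/gravitysmtp/v1/checks/mock-files?page=gravitysmtp-settings HTTP/1.1" 200 374112 "-" "python-requests/2.31"',
    '203.0.113.9 - - [07/Jun/2026:03:12:45 +0000] "GET /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"',
    '198.51.100.7 - - [07/Jun/2026:03:15:02 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/checks/mock-files&page=gravitysmtp-settings HTTP/1.1" 404 212 "-" "curl/8.4.0"',
    '192.0.2.44 - - [07/Jun/2026:04:01:10 +0000] "GET /blog/wp-json/gravitysmtp/v1/checks/mock-files HTTP/1.1" 200 1544 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [07/Jun/2026:04:01:11 +0000] "GET /?p=12 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
];

$lines = isset( $argv[1] ) ? new SplFileObject( $argv[1] ) : $sample;
foreach ( summarise( $lines ) as $ip => $counts ) {
    $first = $counts['first_seen'];
    unset( $counts['first_seen'] );
    ksort( $counts );
    printf( "%-16s first seen %s  %s\n", $ip, $first, json_encode( $counts ) );
}
```

A LIKELY-LEAK entry (the settings parameter present and a 200 response) is the case Wordfence’s remediation advice is written for: treat the connector credentials as harvested and rotate them. An ATTEMPT with a non-200 status shows the scanner reached the site but the data was not served, for example after the patch closed the route; a bare PROBE without the parameter is still worth correlating against the published IP list.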
CrowdSec, the open-source threat intelligence platform, independently corroborated the timeline. It deployed detection for CVE-2026-4020 on 22 May and observed the first real-world exploitation on 27 May. By 1 June, the activity had been classified as background noise, indicating it had been integrated into automated scanning routines that sweep WordPress sites at scale.
The speed at which exploitation was industrialised reflects a broader pattern in WordPress plugin security. The flaw requires no authentication, targets a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. WordPress’s plugin ecosystem has faced repeated supply chain compromises in 2026, including an attack in which 30 plugins bought on Flippa were backdoored and lay dormant for eight months before activation.
The Gravity SMTP vulnerability is distinct from these supply chain attacks in that it does not involve malicious code injected by a compromised developer. It is a simple coding error, a permission callback that should have verified the requesting user’s credentials but instead returned true for every request. The simplicity of the flaw makes its survival through development, review, and release notable.
The exposure of API credentials is particularly dangerous because these credentials often persist even after the plugin is updated. Updating to version 2.1.5 closes the vulnerable endpoint, but it does not revoke or rotate the API keys that may already have been harvested. Credential theft through software flaws is an accelerating concern across the industry, with recent research showing that exposed API credentials are exploited within minutes of discovery.
Wordfence’s advisory urges site owners running a vulnerable version of Gravity SMTP who have configured third-party email integrations to assume compromise. The recommended remediation is to update the plugin to version 2.1.5 or later, then immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin’s email connectors. Administrators should also review server log files for requests from the published attacker IP addresses.
The CVE was published on 31 March 2026, two weeks after the patch shipped. Despite the three-month window between patch availability and peak exploitation, many sites remain vulnerable. The gap between when patches become available and when organisations deploy them is one of the most persistent problems in software security, and WordPress plugins are especially prone to it because many site operators do not monitor plugin changelogs or enable automatic updates.
Wordfence also issued a separate advisory this week for CVE-2026-8713, a critical unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin, which is installed on approximately 1,000,000 WordPress sites. That flaw allows attackers to delete files on the server through a path traversal bug, and deleting wp-config.php can revert a site to its initial setup state, potentially enabling a full takeover.
A patch for the Avada Builder flaw is available in version 3.15.4, and no active exploitation of CVE-2026-8713 has been observed yet.
Wordfence did not attribute the Gravity SMTP exploitation to a specific threat actor or group. The pattern of mass scanning from a small cluster of IP addresses is consistent with opportunistic credential harvesting rather than targeted intrusion, though the stolen credentials could be sold or shared with more sophisticated operators for follow-on attacks.
