Hackers are widely using a Gravity SMTP vulnerability to extract API keys from 100,000 WordPress websites.
**Summary:** Wordfence has blocked more than 17 million attempts to exploit a defect in the Gravity SMTP plugin that discloses API keys and a full system report from WordPress sites without authentication. Attackers are actively abusing the flaw, which hands over the sensitive data in response to a single unauthenticated HTTP request. Exploitation has grown sharply since May 2026; the plugin is installed on roughly 100,000 WordPress sites.
The vulnerability, tracked as CVE-2026-4020 and rated 5.3 (medium) on the CVSS scale by Wordfence, affects all versions of Gravity SMTP up to and including 2.1.4. The medium score understates the practical impact when live mail-service credentials are among the leaked data. A fix shipped in version 2.1.5 on March 17, 2026, yet exploitation did not begin until about two months later, suggesting that attackers either diffed the update to locate the fix or rediscovered the flaw independently after its disclosure.
The defect is in the REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data. Its permission_callback always returns true (the pattern WordPress uses for intentionally public routes), so the REST server performs no authorization check before invoking the handler. If the request carries the query parameter ?page=gravitysmtp-settings, the method register_connector_data() populates the internal connector configuration, and the endpoint returns roughly 365 KB of JSON containing the site's complete system report.
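The following is an added illustration, not Gravity SMTP's own code, of the bug described above and the check that should have been there: a REST route registered with a permission callback that always returns true, next to a hardened registration that requires the capability needed to edit the site's mail configuration. The route path and the page=gravitysmtp-settings parameter come from the advisory; the WordPress stand-in classes and functions, the demo_ function names, the manage_options choice and the dummy connector data are assumptions so that the file runs with plain `php` outside WordPress.

```php
<?php
declare(strict_types=1);
// Added example, not Gravity SMTP's own code. It reproduces the defect the
// advisory describes (a REST permission_callback that always returns true)
// beside a hardened registration, then pushes an anonymous and an admin
// request through each. The route path and the page=gravitysmtp-settings
// parameter are from the advisory; the WordPress stand-ins, function names
// and sample connector data are assumptions so the file runs with plain
// `php` outside WordPress (inside WordPress the guards skip the stand-ins).

if (!class_exists('WP_Error')) {
    class WP_Error {
        public function __construct(public string $code, public string $message, public array $data = []) {}
        public function get_error_data(): array { return $this->data; }
    }
}
if (!class_exists('WP_REST_Request')) {
    class WP_REST_Request {
        public function __construct(private array $params = []) {}
        public function get_param(string $key): mixed { return $this->params[$key] ?? null; }
    }
}
if (!function_exists('__return_true')) {
    function __return_true(): bool { return true; }
}
$GLOBALS['demo_user_caps'] = [];   // capabilities of the simulated current user
$GLOBALS['demo_routes']    = [];   // routes registered below, keyed by path
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        return in_array($cap, $GLOBALS['demo_user_caps'], true);
    }
}
if (!function_exists('register_rest_route')) {
    function register_rest_route(string $ns, string $route, array $args): void {
        $GLOBALS['demo_routes']["/$ns$route"] = $args;
    }
}

// Stand-in for the handler behind register_connector_data(): the connector
// block (with a dummy key) is only filled in when the page parameter is set.
function demo_mock_data_handler(WP_REST_Request $request): array {
    $report = ['php_version' => PHP_VERSION, 'connectors' => []];
    if ($request->get_param('page') === 'gravitysmtp-settings') {
        $report['connectors'][] = ['type' => 'ses', 'api_key' => 'CONSTRUCTED-DUMMY-KEY'];
    }
    return $report;
}

// Vulnerable registration: __return_true is WordPress's idiom for a route
// that is meant to be public. On a diagnostic route that dumps configuration
// it authorizes anonymous visitors exactly like administrators.
register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
    'methods'             => 'GET',
    'callback'            => 'demo_mock_data_handler',
    'permission_callback' => '__return_true',   // the defect
]);

// Hardened registration: connector secrets are site configuration, so the
// check mirrors who may edit them. Returning WP_Error with status 403 makes
// the REST server answer 403 and never invoke the handler.
register_rest_route('gravitysmtp/v1', '/tests/mock-data-fixed', [
    'methods'             => 'GET',
    'callback'            => 'demo_mock_data_handler',
    'permission_callback' => static fn (): bool|WP_Error => current_user_can('manage_options')
        ? true
        : new WP_Error('rest_forbidden', 'Insufficient permissions.', ['status' => 403]),
]);

// Simplified REST dispatch: run permission_callback first and call the
// handler only when it returned exactly true, as the WordPress REST server does.
function demo_dispatch(string $path, array $params, array $caps): array {
    $GLOBALS['demo_user_caps'] = $caps;
    $route   = $GLOBALS['demo_routes'][$path];
    $request = new WP_REST_Request($params);
    $allowed = call_user_func($route['permission_callback'], $request);
    if ($allowed !== true) {
        $status = $allowed instanceof WP_Error ? ($allowed->get_error_data()['status'] ?? 403) : 403;
        return ['status' => $status, 'body' => null];
    }
    return ['status' => 200, 'body' => call_user_func($route['callback'], $request)];
}

$query = ['page' => 'gravitysmtp-settings'];
foreach (['/gravitysmtp/v1/tests/mock-data', '/gravitysmtp/v1/tests/mock-data-fixed'] as $path) {
    foreach (['anonymous' => [], 'admin' => ['manage_options']] as $who => $caps) {
        $r = demo_dispatch($path, $query, $caps);
        printf("%-40s %-9s HTTP %d  connectors exposed: %d\n",
            $path, $who, $r['status'], count($r['body']['connectors'] ?? []));
    }
}
```

Run with `php example.php`: the vulnerable route hands the connector block to the anonymous caller and the administrator alike, while the hardened route answers 403 to the anonymous caller and serves only the administrator. The point of the capability check is that it is tied to what the data is, site configuration, rather than to who happens to call a "test" endpoint.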
The exposed data includes the API keys, secrets, and OAuth tokens for every email integration configured in the plugin. Gravity SMTP integrates with services including Amazon SES, Google, Mailjet, Resend, and Zoho, and the credentials for any connector that has been set up appear in the response. With those credentials an attacker can send mail on behalf of the compromised site, which lends itself directly to phishing and business email compromise.
The system report also lists the WordPress version, the PHP version and loaded extensions, the web server version, the document root path, the database server type and version, active plugins with their version numbers, the active theme, and the database table names. Together these give an attacker a complete picture of the site's software stack, making it far easier to select follow-on attacks against known vulnerabilities in specific plugin or server versions.
According to Wordfence researchers, "The exposure of active third-party API credentials means an attacker could misuse the site’s linked email services, while the detailed system report significantly reduces the effort needed to organize further attacks against the site."
Exploitation surged around June 6, 2026; on June 7 alone Wordfence blocked more than 4 million requests. Most of the traffic came from a set of IP addresses that Wordfence has published so administrators can add them to their blocklists. The primary indicator of compromise is a request to /wp-json/gravitysmtp/v1/tests/mock-data in the web server access logs, particularly one carrying the ?page=gravitysmtp-settings query parameter. Sites that serve the REST API through the ?rest_route= query form rather than the /wp-json/ path prefix should search for that variant of the same route as well.
CrowdSec, an open-source threat intelligence platform, confirmed this timeline independently. Detection for CVE-2026-4020 was implemented on May 22, with the first real-world exploitation observed on May 27. By June 1, the activity was deemed background noise, indicating it had become part of automated scanning processes targeting WordPress sites at scale.
The rapid escalation of exploitation illustrates a broader trend in security vulnerabilities within WordPress plugins. The flaw requires no authentication, affects a commonly used plugin, and yields valuable data in a single GET request, making it easy to automate. The WordPress plugin ecosystem has encountered multiple supply chain breaches in 2026, including incidents where 30 plugins sold on Flippa were backdoored and lay dormant for eight months before being activated.
This Gravity SMTP vulnerability differs from those supply chain attacks in that no malicious code was planted by a compromised developer. It is a plain coding mistake: the permission callback should have checked the requesting user's capabilities but returned true for every request. An error this small is easy to miss in development, code review, and release testing, which is how it shipped.
The exposure of API credentials is especially serious because the credentials remain valid after the plugin is updated. Upgrading to version 2.1.5 closes the vulnerable endpoint, but it does not revoke or change any keys that were already harvested. Credential theft through software vulnerabilities is an increasingly pressing concern across the industry, and reports on exposed API credentials have found them being exploited within minutes of becoming reachable.
Wordfence's advisory recommends that owners of sites running a vulnerable version of Gravity SMTP, especially those with third-party email integrations configured, assume the credentials have been exposed. The recommended response is to update the plugin to version 2.1.5 or later immediately and then rotate every API key, secret, and OAuth token used by the plugin's email connectors, revoking the old credentials at the mail provider rather than only replacing them in the plugin settings. Administrators should also review web server logs for requests to the endpoint and for traffic from the published attacker IP addresses, and check the mail providers' own sending logs for messages the site did not send.
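The log review described above and in the indicators-of-compromise paragraph can be scripted. The following is an added example, not Wordfence's or Gravity SMTP's tooling: it parses access-log lines in the common/combined format, flags requests to the vulnerable route (including the ?rest_route= form that WordPress accepts on sites without pretty permalinks), records whether the ?page=gravitysmtp-settings parameter was present, separates blocked probes from responses large enough to have been the full report, and tallies hits per source address against a blocklist. The log lines, the addresses in $blocklist (RFC 5737 documentation ranges, not Wordfence's published list) and the 200 KB size threshold derived from the advisory's ~365 KB figure are constructed assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Wordfence's or Gravity SMTP's tooling: scan a web
// server access log (combined log format) for the indicator the advisory
// names, requests to /wp-json/gravitysmtp/v1/tests/mock-data, and tell
// blocked probes apart from responses that plausibly returned the report.
// The log lines and the addresses in $blocklist are constructed (RFC 5737
// documentation ranges), not the IP list Wordfence published; the size
// threshold is a heuristic derived from the ~365 KB figure in the advisory.
// It also matches the /?rest_route= form of the same endpoint, which
// WordPress accepts on sites without pretty permalinks and which a grep for
// /wp-json/ alone would miss.

const VULN_ROUTE = '/gravitysmtp/v1/tests/mock-data';
const BIG_REPLY  = 200_000;   // bytes; an HTTP 200 at least this large is treated as a dump

// IP, ident, user, [timestamp], "METHOD target protocol", status, bytes, ...
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/';

// True for both /wp-json/<route> and /?rest_route=<route> request targets.
function is_vuln_route(string $target): bool {
    $url = parse_url($target) ?: [];
    parse_str($url['query'] ?? '', $q);
    if (str_ends_with(rtrim($url['path'] ?? '', '/'), '/wp-json' . VULN_ROUTE)) {
        return true;
    }
    return isset($q['rest_route']) && rtrim((string) $q['rest_route'], '/') === VULN_ROUTE;
}

// Returns one finding per matching request plus a per-IP tally.
function scan_log(array $lines, array $blocklist): array {
    $findings = [];
    $perIp    = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m) || !is_vuln_route($m['target'])) {
            continue;
        }
        parse_str(parse_url($m['target'], PHP_URL_QUERY) ?: '', $q);
        $bytes  = $m['bytes'] === '-' ? 0 : (int) $m['bytes'];
        $status = (int) $m['status'];
        $f = [
            'ip'           => $m['ip'],
            'time'         => $m['ts'],
            'status'       => $status,
            'bytes'        => $bytes,
            'settings_arg' => ($q['page'] ?? null) === 'gravitysmtp-settings',
            'likely_dump'  => $status === 200 && $bytes >= BIG_REPLY,  // heuristic
            'known_bad_ip' => in_array($m['ip'], $blocklist, true),
        ];
        $findings[] = $f;
        $perIp[$f['ip']] = ($perIp[$f['ip']] ?? 0) + 1;
    }
    return ['findings' => $findings, 'per_ip' => $perIp];
}

// Constructed sample log lines for demonstration; not real traffic.
$sample = [
    '203.0.113.7 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373911 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [07/Jun/2026:03:15:40 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 403 1253 "-" "python-requests/2.31"',
    '192.0.2.88 - - [07/Jun/2026:03:16:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '192.0.2.88 - - [07/Jun/2026:03:16:05 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
];
$blocklist = ['203.0.113.7'];   // placeholder; substitute the published list

// Pass a log file path as the first argument to scan real data instead of the sample.
$lines  = $argc > 1 ? (file($argv[1], FILE_IGNORE_NEW_LINES) ?: []) : $sample;
$result = scan_log($lines, $blocklist);
foreach ($result['findings'] as $f) {
    printf("%-15s %s  HTTP %d  %7d B  settings=%-3s  dump=%-3s  blocklisted=%s\n",
        $f['ip'], $f['time'], $f['status'], $f['bytes'],
        $f['settings_arg'] ? 'yes' : 'no', $f['likely_dump'] ? 'YES' : 'no', $f['known_bad_ip'] ? 'yes' : 'no');
}
foreach ($result['per_ip'] as $ip => $n) {
    printf("%-15s %d request(s) to the endpoint\n", $ip, $n);
}
```

Run as `php scan.php /var/log/nginx/access.log` (or without an argument to see the constructed sample). A line flagged with dump=YES means the request was answered with a full-size 200 rather than blocked, which is the case in which the advisory's credential-rotation step is not optional; the per-IP tally shows which addresses to compare against the published list and which were not on it.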
The CVE was published on March 31, 202