A security vulnerability in the Gravity SMTP plugin for WordPress, installed on approximately 100,000 sites, has been identified as CVE-2026-4020, receiving a medium severity rating of 5.3 on the CVSS scale. Threat actors are exploiting this flaw, which allows unauthorized access to sensitive information, including API keys and configuration data, through a REST API endpoint.
The vulnerability arises from a permission callback that allows any visitor to access the endpoint without authentication. By appending the "?page=gravitysmtp-settings" parameter, attackers can trigger the plugin to reveal around 365 KB of JSON data, providing a comprehensive system report that includes critical details such as PHP version, active plugins, and database information.
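The defect class described above, as an added illustration rather than the plugin's own code: a WordPress REST route whose permission callback admits any visitor, next to a hardened registration that requires a capability and redacts secrets. The route names, handler functions and option key are hypothetical placeholders.

```php
<?php
// Added example (not Gravity SMTP's own code). Route names, handlers and the
// option key are hypothetical placeholders; the pattern is the one described:
// a settings/report endpoint whose permission_callback admits any visitor.

// WEAK: '__return_true' is WordPress's idiom for a public route. Attached to a
// route that dumps configuration, it hands credentials to anonymous callers.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_raw_report',
        'permission_callback' => '__return_true',
    ) );
} );

function example_smtp_raw_report( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_smtp_settings', array() ) );
}

// HARDENED: require a capability in permission_callback (WordPress resolves the
// cookie/nonce or application-password user before it runs, so anonymous
// requests fail here) and redact secrets in what is returned regardless.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/report-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_redacted_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to view SMTP settings.', 'example-smtp' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );

function example_smtp_redacted_report( WP_REST_Request $request ) {
    $settings = get_option( 'example_smtp_settings', array() );
    // Even administrators should not receive stored credentials back verbatim.
    foreach ( array( 'api_key', 'smtp_password' ) as $secret ) {
        if ( isset( $settings[ $secret ] ) ) {
            $settings[ $secret ] = '[redacted]';
        }
    }
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'settings'    => $settings,
    ) );
}
```

When auditing a plugin, grep its `register_rest_route` calls for `'__return_true'` or callbacks that unconditionally return `true` and confirm that each such route really is meant to be public.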
Wordfence reported blocking more than 17 million exploit attempts related to this vulnerability, which began drawing attention in early May 2026. A patch has been issued in version 2.1.5 of the plugin to address the issue. However, the potential for misuse remains, as attackers could use exposed credentials to send unauthorized emails and gather further intelligence for subsequent attacks.