Threat actors are exploiting a medium-severity vulnerability in the Gravity SMTP WordPress plugin to steal complete system details, Defiant warns.
Gravity SMTP for WordPress is an email deliverability plugin that integrates with multiple SMTP providers and API-based services to allow admins to send and track emails directly from their websites.
All plugin iterations before version 2.1.5 are affected by a sensitive information exposure vulnerability tracked as CVE-2026-4020 (CVSS score of 5.3) that has been exploited in the wild since early May.
The issue impacts a REST API endpoint that unconditionally returns true, thus becoming accessible to any unauthenticated user. If a specific parameter is appended to a query, the endpoint returns internal connector data in JSON format.
The data contains the full system report, including configuration data such as PHP and WordPress version, loaded extensions, web server details, document root path, database details, active plugins and theme, WordPress configuration details, and configured API keys/tokens.
According to Defiant, the bug exists because the impacted REST API endpoint, registered within a shared library providing a configuration collection system, does not perform authentication or capability checks.
“This makes it possible for unauthenticated attackers to harvest credentials that could be used to send email on behalf of the site, as well as to gather detailed reconnaissance about the site’s software stack that can be leveraged to identify and target other vulnerabilities,” Defiant explains.
The WordPress security firm has observed in-the-wild exploitation of the security defect since early May. Attackers have been sending unauthenticated GET requests to the vulnerable endpoint to retrieve the full System Report JSON object.
In June, Defiant has observed a surge in attacks targeting CVE-2026-4020. To date, the company has blocked over 17 million exploit attempts.
Site owners and administrators are advised to update their Gravity SMTP deployments to version 2.1.5 as soon as possible and to check server access logs for requests to the affected endpoint, as the in-the-wild exploitation does not leave other obvious traces.
“If you are running a vulnerable version of Gravity SMTP and have configured any third-party email integrations (such as Amazon SES, Google, Mailjet, Resend, or Zoho), you should assume the associated API keys, secrets, and OAuth tokens may have been exposed. We strongly recommend rotating these credentials after updating the plugin,” Defiant notes.
Related: Majority of Internet-Accessible REDCap Servers Outdated
Related: 15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown
Related: Joomla, LiteSpeed Vulnerabilities Exploited in Attacks
Related: No Exploits Required
