A WordPress REST API misconfiguration in Gravity SMTP exposes email service credentials and server details to unauthenticated attackers, with security firm Wordfence blocking 17 million exploitation attempts across 100,000 affected sites since the vulnerability disclosure in March, according to BleepingComputer.
TL;DR: Gravity SMTP versions 2.1.4 and older leak API keys, OAuth tokens, and server configuration data through an unprotected REST endpoint; version 2.1.5 patches the flaw but agencies managing client portfolios need immediate audit and update sweeps.
The vulnerability, tracked as CVE-2026-4020 with a medium severity rating, allows attackers to retrieve a complete system report containing API keys, OAuth tokens for Amazon SES, Google, Mailjet, Resend, and Zoho email integrations, plus WordPress configuration details including installed plugins, themes, software versions, and database structure. Defiant, the company behind Wordfence, confirmed active exploitation began in early June with a sharp escalation on June 7 when the firewall blocked 4 million requests in a single day.
What the Vulnerability Exposes
The flaw stems from an exposed REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data where the permission callback function returns true for all requests, bypassing WordPress authentication entirely. Any attacker with network access to a vulnerable site can send an unauthenticated GET request and receive a JSON-formatted system report.
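To make the mechanism concrete, the following is an added illustration (not Gravity SMTP's code and not from the advisory) of the two registration patterns side by side: a route whose permission callback is WordPress's `__return_true` helper, and the same route gated on a capability check. It assumes a WordPress runtime (`register_rest_route`, `current_user_can`, `WP_Error`); the namespace, route names and handler are hypothetical.

```php
<?php
// Added illustration, not Gravity SMTP's code. Assumes a WordPress runtime
// (register_rest_route, current_user_can, WP_Error); the namespace, route
// names and handler below are hypothetical.

// Vulnerable pattern: the permission callback approves every request, so an
// unauthenticated GET receives whatever the handler returns.
add_action('rest_api_init', function () {
    register_rest_route('example-plugin/v1', '/diagnostics', [
        'methods'             => 'GET',
        'callback'            => 'example_plugin_diagnostics',
        'permission_callback' => '__return_true', // anyone on the network may call this
    ]);
});

// Hardened pattern: only users who can manage the site may read the report.
// Unauthenticated callers get 401, authenticated but unprivileged callers 403.
add_action('rest_api_init', function () {
    register_rest_route('example-plugin/v1', '/diagnostics-secure', [
        'methods'             => 'GET',
        'callback'            => 'example_plugin_diagnostics',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!is_user_logged_in()) {
                return new WP_Error('rest_not_logged_in', 'Authentication required.', ['status' => 401]);
            }
            if (!current_user_can('manage_options')) {
                return new WP_Error('rest_forbidden', 'Insufficient privileges.', ['status' => 403]);
            }
            return true;
        },
    ]);
});

// The handler is the same in both cases: the data it returns is exactly as
// private as the permission callback makes it, so secrets should never be
// placed in a response body at all, even for administrators.
function example_plugin_diagnostics(WP_REST_Request $request) {
    return rest_ensure_response([
        'php_version'  => PHP_VERSION,
        'wp_version'   => get_bloginfo('version'),
        'smtp_api_key' => '[redacted]', // never echo live credentials
    ]);
}
```

Because WordPress evaluates `permission_callback` before the handler runs, the hardened route answers an anonymous request with an error object and an HTTP status rather than the report, which is the behaviour the 2.1.5 fix restores for the real endpoint.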
The exposed data includes live credentials for third-party email services configured through Gravity SMTP, allowing attackers to impersonate the compromised site in email campaigns or pivot those credentials to related infrastructure. "The exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site," Wordfence researchers warned in a June 19 advisory.
Server environment details—PHP version, installed extensions, database server version, table names—give attackers a complete inventory of the software stack and potential secondary vulnerabilities. For agencies managing multiple client sites with Gravity SMTP, a single successful exploit reveals the configuration fingerprint attackers need to target additional properties in the portfolio.

Exploitation Timeline and Indicators of Compromise
Wordfence recorded the first large-scale exploitation wave on June 7, 2026, with 4 million blocked requests. Similar volumes persisted for several days afterward, suggesting coordinated scanning across the plugin's install base. The security firm published a list of the most prolific source IP addresses for exploit attempts, which site administrators should add to firewall blocklists.
Website administrators can detect compromise by searching web server access logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, particularly those including the ?page=gravitysmtp-settings query parameter. Successful exploit attempts leave no modification traces inside WordPress—the attacker retrieves data but doesn't alter files or database records—making log analysis the primary detection method.
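As an added example of the log search described above (not from Wordfence or the article), the following PHP command-line script parses combined-format access-log lines, keeps only requests for the endpoint path, and records the client IP, whether the `?page=gravitysmtp-settings` parameter was present, and whether the server actually returned 200 (a 403 from a firewall or a 404 after the plugin was removed means the report was not served). The sample lines are constructed; their IPs are RFC 5737 documentation addresses, not indicators from the advisory.

```php
<?php
// Added example, not from Wordfence or the article. Parses Apache/Nginx
// combined-format access-log lines. The sample lines are constructed and use
// RFC 5737 documentation addresses; they are not real indicators.

const GRAVITY_SMTP_MOCK_DATA = '/wp-json/gravitysmtp/v1/tests/mock-data';

// Returns one record per request for the endpoint: client IP, timestamp,
// HTTP status, whether the settings query parameter was present, and
// whether the response status means the report was actually served.
function find_mock_data_requests(array $lines): array {
    $pattern = '/^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a combined-format line
        }
        $url = parse_url($m['path']);
        if (($url['path'] ?? '') !== GRAVITY_SMTP_MOCK_DATA) {
            continue;
        }
        parse_str($url['query'] ?? '', $query);
        $hits[] = [
            'ip'             => $m['ip'],
            'time'           => $m['time'],
            'status'         => (int) $m['status'],
            'settings_param' => ($query['page'] ?? '') === 'gravitysmtp-settings',
            // 200 means the JSON report left the server; 403/404 means the
            // attempt was blocked or the endpoint no longer existed.
            'served'         => $m['status'] === '200',
        ];
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sample = [
    '203.0.113.10 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2026:11:02:51 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.44 - - [08/Jun/2026:12:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "curl/8.0"',
];

if (PHP_SAPI === 'cli') {
    // Pass a log file path as the first argument, or run without one to use the sample.
    $lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
    foreach (find_mock_data_requests($lines) as $hit) {
        printf("%s %s status=%d served=%s settings_param=%s\n",
            $hit['time'], $hit['ip'], $hit['status'],
            $hit['served'] ? 'yes' : 'no', $hit['settings_param'] ? 'yes' : 'no');
    }
}
```

Run as `php detect.php /var/log/apache2/access.log` (filename hypothetical). On the sample input it reports two hits: the first served the report, the second was blocked. The distinction matters for the rotation decision in the remediation section: a served 200 means the credentials configured at that time must be treated as leaked.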
For agencies running white-label WordPress security baselines across client portfolios, this attack pattern highlights the gap between configuration audits and runtime API surface monitoring. Standard hardening checklists focus on user authentication, file permissions, and plugin update cadences but rarely test whether REST endpoints enforce permission callbacks correctly.
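One way to close that gap, as an added example that is not part of the article or any plugin, is to have WordPress itself list every registered REST route whose handler has no `permission_callback` or uses `__return_true`. The script below assumes a WordPress runtime and is meant to be executed with WP-CLI's `wp eval-file` command (a real command; the filename `audit-rest-routes.php` is hypothetical), which is the kind of check that can be folded into a portfolio-wide baseline run.

```php
<?php
// Added example, not from the article or any plugin. Assumes a WordPress
// runtime; run with `wp eval-file audit-rest-routes.php` (filename hypothetical).

// Returns one finding per handler that is open to any caller:
// [route, comma-separated methods, reason].
function audit_open_rest_routes(): array {
    $findings = [];
    // rest_get_server() fires rest_api_init, so plugin routes are registered.
    foreach (rest_get_server()->get_routes() as $route => $handlers) {
        foreach ($handlers as $handler) {
            $cb = $handler['permission_callback'] ?? null;
            if ($cb === null) {
                $reason = 'no permission_callback';
            } elseif ($cb === '__return_true') {
                $reason = "permission_callback is '__return_true'";
            } else {
                continue; // some other callback; review its logic manually
            }
            // register_rest_route normalises methods to ['GET' => true, ...].
            $methods = is_array($handler['methods'] ?? null)
                ? implode(',', array_keys(array_filter($handler['methods'])))
                : (string) ($handler['methods'] ?? '');
            $findings[] = [
                'route'   => $route,
                'methods' => $methods,
                'reason'  => $reason,
            ];
        }
    }
    return $findings;
}

foreach (audit_open_rest_routes() as $f) {
    // Core routes such as /wp/v2/posts are intentionally public; the ones to
    // chase are plugin namespaces that return configuration or diagnostics.
    printf("%-60s %-12s %s\n", $f['route'], $f['methods'], $f['reason']);
}
```

The output will include WordPress core's deliberately public routes, so the useful triage step is to filter by plugin namespace and ask, for each remaining route, whether the data it returns would be acceptable on a public web page. A closure that always returns `true` is not caught by the string comparison above and still needs a human read of the callback body.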
Remediation Steps
Gravity SMTP version 2.1.5, released March 17, 2026, fixes CVE-2026-4020 by enforcing proper authentication on the vulnerable REST endpoint. Sites running version 2.1.4 or older must update immediately. Agencies managing client sites should audit every WordPress installation for Gravity SMTP and force the update through whatever deployment pipeline they use—WP-CLI, MainWP, ManageWP, or manual SSH access.
After patching, administrators should rotate all email service API keys and OAuth tokens configured in Gravity SMTP. Because the vulnerability allows unauthenticated credential harvesting, any keys present in the system before June 7 should be considered exposed. Third-party email service dashboards for Amazon SES, Google Workspace, Mailjet, Resend, and Zoho typically provide audit logs showing API usage patterns; unusual sending volumes or geographic origins indicate compromised credentials.
The same June 19 Wordfence advisory warned of a separate critical vulnerability in the Avada Builder plugin (CVE-2026-8713, affecting one million sites) that allows unauthenticated attackers to delete arbitrary files including wp-config.php, potentially leading to full site takeover. No active exploitation has been observed yet, but agencies should prioritize Avada Builder updates to version 3.15.4 alongside the Gravity SMTP patch sweep.
Context and Outlook
The Gravity SMTP vulnerability fits a recurring pattern in WordPress plugin security where developer convenience features—exposed REST endpoints, permissive permission callbacks, debug modes left active in production—create unauthenticated information disclosure paths. Similar flaws disclosed in 2026 include Gravity Forms file deletion, Kirki admin account hijacking, and Everest Forms Pro privilege escalation. The common thread: REST API endpoints that either skip authentication checks or implement callbacks that always return true.
For agencies scaling white-label WordPress capacity, this incident reinforces the need for automated plugin update pipelines and centralized credential management. A single developer installing Gravity SMTP on a staging site, configuring live SendGrid API keys for email testing, then pushing that configuration to production creates exposure across every property sharing that SendGrid account. Role-scoped credential stores and environment-specific API keys prevent lateral movement when a single site is compromised.
The 17 million blocked exploit attempts Wordfence recorded represent only protected sites. Unprotected installations running vulnerable versions since March have had three months of exposure, with credential harvesting leaving no audit trail inside WordPress itself. Agencies should assume any Gravity SMTP installation that wasn't patched by mid-March has leaked credentials and plan accordingly—full key rotation, email service access log review, and secondary authentication checks on any integrated services.
