Hackers Exploit Critical WordPress Plugin Flaw to Hijack Email Settings
A critical vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020, is being actively exploited by attackers targeting approximately 100,000 websites. The flaw allows unauthenticated users to access sensitive configuration data including API keys, credentials, and secret tokens used for the plugin's email functionality. The vulnerability exists because an endpoint in the plugin's REST API at /wp-json/gravitysmtp/v1/tests/mock-data is publicly accessible without any authentication checks. When attackers append the query parameter "?page=gravitysmtp-settings" to requests, the plugin responds with a comprehensive 365 KB system report containing valuable information about the site's configuration and infrastructure.
The security implications of this vulnerability are significant. Exposed API credentials could allow attackers to abuse the compromised site's email services for spam campaigns or phishing attacks. Additionally, the detailed system reports provide attackers with extensive reconnaissance data about the target's software stack, making it considerably easier to plan and execute follow-up attacks. According to Wordfence, the severity of the risk depends heavily on what specific information gets leaked, but sites with live third-party API integrations face the most immediate danger.
Wordfence has documented an alarming escalation in exploitation attempts, having blocked over 17 million malicious requests targeting CVE-2026-4020. The attacks began in early May 2026 but intensified dramatically around June 6, 2026, with activity peaking at over 4 million requests in a single day. The plugin developers have released version 2.1.5 to patch this vulnerability, and immediate action is critical for site administrators still running older versions.
Website owners using vulnerable versions of Gravity SMTP with third-party email integrations should operate under the assumption that their systems have been compromised. The recommended response includes immediately updating to version 2.1.5 or later, rotating all API keys and credentials associated with email services, and conducting a thorough review of server logs to identify any suspicious requests to the vulnerable endpoint. Organizations should specifically look for requests from the IP addresses associated with the attack campaign to determine if they were successfully targeted.
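To support the server-log review recommended above, here is an added example (not code from Wordfence or the plugin vendor) that scans combined-format web server access logs for requests to the vulnerable endpoint, flags those carrying the page=gravitysmtp-settings parameter, and marks 200 responses large enough to have carried the report. The index.php?rest_route= form (how WordPress serves REST routes without pretty permalinks) and the 300 KB size threshold are assumptions, not details from the article; the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Route and query value named in the write-up; since the report is ~365 KB, a 200 with a
# body over 300 KB to this route most likely served it (heuristic threshold, an assumption).
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
TRIGGER_PAGE = "gravitysmtp-settings"
LEAK_BYTES = 300_000

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def classify_request(target):
    """'leak_attempt' = route + page=gravitysmtp-settings; 'probe' = route only; else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/").lower()
    qs = parse_qs(parts.query.lower())  # parse_qs percent-decodes values too
    # Pretty permalinks expose the route under /wp-json/...; plain permalinks reach REST
    # routes via index.php?rest_route=... (general WordPress behaviour), so check both forms.
    via_path = path.endswith("/wp-json" + VULN_ROUTE)
    via_param = any(r.rstrip("/") == VULN_ROUTE for r in qs.get("rest_route", []))
    if not (via_path or via_param):
        return None
    return "leak_attempt" if TRIGGER_PAGE in qs.get("page", []) else "probe"

def scan_log(lines):
    """One finding per request that touched the vulnerable route."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify_request(m["target"]) if m else None
        if kind is None:
            continue
        size = int(m["bytes"]) if m["bytes"].isdigit() else 0
        findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "kind": kind,
                         "likely_leaked": kind == "leak_attempt" and m["status"] == "200" and size >= LEAK_BYTES})
    return findings

def attackers(findings):
    """Source IPs ranked by number of leak attempts, for log review and blocking decisions."""
    return Counter(f["ip"] for f in findings if f["kind"] == "leak_attempt").most_common()

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jun/2026:10:15:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [06/Jun/2026:10:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Jun/2026:11:02:44 +0000] "GET /index.php?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 403 162 "-" "curl/8.0"',
    '192.0.2.55 - - [06/Jun/2026:11:05:00 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 8192 "-" "-"',
]
```

Run it against a real access log with `scan_log(open("access.log"))`; any finding with `likely_leaked` set is the strongest signal that credentials were exposed and must be rotated.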
Stay secure — stay Wavasec. 🔐