Hackers Exploit Gravity SMTP Plugin Bug to Expose API Keys

Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date.

CVE-2026-4020 and the Gravity SMTP plugin

A medium-severity information disclosure vulnerability affecting the Gravity SMTP WordPress plugin — installed on about 100,000 sites — was assigned CVE-2026-4020 and carries a CVSS score of 5.3. The vendor published a patch in version 2.1.5; security telemetry shows threat actors raced to exploit the flaw before and after that update became available.

How the bug works: the REST endpoint and the query parameter

Wordfence describes the root cause plainly: "This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it." When an unauthenticated HTTP GET request includes the "?page=gravitysmtp-settings" query parameter, the plugin's register_connector_data() method populates internal connector data and the endpoint returns roughly 365 KB of JSON identified as the full System Report.
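As an added illustration written for this article (not Gravity SMTP's source code), the route-registration pattern the advisory describes sits beside a hardened form; the function names and the dummy secret are hypothetical, and the handler's credential masking is a defence-in-depth measure the advisory does not itself prescribe:

```php
<?php
// Hypothetical illustration of the defect, modelled on the advisory's description;
// not Gravity SMTP's source. Function names are invented for this example.

// VULNERABLE PATTERN: permission_callback unconditionally returns true, so the
// REST server serves the route to any unauthenticated visitor, and a request
// carrying ?page=gravitysmtp-settings receives the full system report.
function gsmtp_demo_register_vulnerable() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_demo_mock_data',
        'permission_callback' => '__return_true',
    ] );
}

// HARDENED FORM: require a capability before the callback runs. Anonymous
// callers receive 401 and authenticated users without the capability 403.
function gsmtp_demo_register_hardened() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_demo_mock_data',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to view the system report.' ),
                [ 'status' => rest_authorization_required_code() ]
            );
        },
    ] );
}

// Hypothetical handler. Defence in depth: even for authorised administrators
// the response masks provider credentials rather than echoing them verbatim.
function gsmtp_demo_mock_data( WP_REST_Request $request ) {
    $secrets = [ 'ses_secret_key' => 'EXAMPLE-DUMMY-SECRET-0000' ]; // constructed value
    $masked  = array_map( fn( $v ) => substr( $v, 0, 4 ) . str_repeat( '*', 8 ), $secrets );
    return rest_ensure_response( [ 'php_version' => PHP_VERSION, 'connectors' => $masked ] );
}

// Only the hardened registration is hooked; the vulnerable one is shown for contrast.
add_action( 'rest_api_init', 'gsmtp_demo_register_hardened' );
```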

Data exposed — API keys, system details, and practical risk

The JSON payload returned by the vulnerable endpoint contains a broad inventory of system and configuration details. According to the reporting, exposed items include:

  • PHP version and loaded extensions
  • Web server version and document root path
  • Database server type and version, and database table names
  • WordPress version, all active plugins with versions, and the active theme
  • WordPress configuration details
  • API keys and tokens configured for the plugin’s email integrations — examples named include Amazon SES, Google, Mailjet, Resend, and Zoho

Wordfence summarized the operational risk: "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site." The exposed credentials could be used to send email on behalf of the site, and the system inventory lowers the barrier for follow‑on intrusions.

Scale and observed attacker behavior

Exploit activity began at the start of May 2026 and escalated in early June. Wordfence telemetry shows a dramatic spike around June 6, 2026, with activity "touching a high of over 4,000,000 requests a day later." To date, more than 17 million exploit attempts have been blocked.

The attempts have come from a small, discrete set of source IP addresses that the Wordfence telemetry names; security teams should compare their own logs against that published list.


The exploit pattern reported is straightforward: unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the "?page=gravitysmtp-settings" parameter, causing the server to return the system report without authentication.

What this means for site owners, security teams, and third‑party email providers

Site owners who run a vulnerable version of the Gravity SMTP plugin and have configured third‑party email integrations should assume compromise, the advisory states. The concrete steps called for in the reporting are simple and immediate: update the plugin to version 2.1.5, then rotate any credentials used by those integrations, since the update closes the endpoint but does not invalidate keys that were already retrieved.

Security teams should review server logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, specifically those that include the ?page=gravitysmtp-settings query parameter, and check for access from the source IP addresses named in the Wordfence telemetry. Blocking or otherwise mitigating traffic from those IPs and searching historical logs for signs of exfiltration are the direct, named actions highlighted in the source material.
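An added example, not taken from the Wordfence report, that scans access logs in combined log format for the request pattern above and tallies it per source IP; the log lines are constructed samples using documentation IP ranges. It treats a 200 response with a body in the hundreds of KB (the report is about 365 KB) as evidence the report was actually served, whereas a 401 or 403 shows the request was denied, as it should be on a patched site.

```php
<?php
// Constructed sample lines in combined log format (documentation IPs), not real telemetry.
$sample_log = <<<'LOG'
203.0.113.7 - - [06/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jun/2026:10:14:03 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.31"
198.51.100.9 - - [06/Jun/2026:11:02:10 +0000] "GET /wp-json/wp/v2/posts?page=2 HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Jun/2026:08:45:51 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 106 "-" "curl/8.5.0"
LOG;

const GSMTP_REPORT_PATH = '/wp-json/gravitysmtp/v1/tests/mock-data';

// Return one record per request matching the exploit pattern described in the article.
function gsmtp_find_report_requests( string $log ): array {
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)/';
    $hits    = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a combined-format line
        }
        [ , $ip, $time, $method, $target, $status, $bytes ] = $m;
        $path = parse_url( $target, PHP_URL_PATH );
        parse_str( (string) parse_url( $target, PHP_URL_QUERY ), $query );
        if ( $path !== GSMTP_REPORT_PATH || ( $query['page'] ?? '' ) !== 'gravitysmtp-settings' ) {
            continue;
        }
        $size   = $bytes === '-' ? 0 : (int) $bytes;
        $hits[] = [
            'ip'     => $ip,
            'time'   => $time,
            'status' => (int) $status,
            // 200 with a body in the hundreds of KB: the report left the server.
            'served' => (int) $status === 200 && $size > 100000,
        ];
    }
    return $hits;
}

// Tally per source IP so results can be compared with published indicators.
function gsmtp_summarise( array $hits ): array {
    $summary = [];
    foreach ( $hits as $h ) {
        $summary[ $h['ip'] ]['requests'] = ( $summary[ $h['ip'] ]['requests'] ?? 0 ) + 1;
        $summary[ $h['ip'] ]['served']   = ( $summary[ $h['ip'] ]['served'] ?? 0 ) + (int) $h['served'];
    }
    return $summary;
}

foreach ( gsmtp_summarise( gsmtp_find_report_requests( $sample_log ) ) as $ip => $s ) {
    printf( "%-15s %d request(s), %d returned the report\n", $ip, $s['requests'], $s['served'] );
}
```

Point the script at a real access log by reading the file instead of the embedded sample; only requests that match both the path and the query parameter are counted.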

Third‑party email providers and services referenced by the exposed credentials (Amazon SES, Google, Mailjet, Resend, Zoho, among others named in the report) are affected because API keys for those services may have been stolen and used to send mail. The advisory's central warning, that live third‑party API credentials could be abused to send email on behalf of the site, is the principal operational concern for those services and their customers.

Gravity SMTP has released a patch in version 2.1.5; however, the record is clear that exploitation was widespread and automated at scale before and after the patch. Site operators who delay updating and rotating credentials will have to contend with both the immediate risk of abused email integrations and the residual threat that the detailed system report provides to attackers planning follow‑on compromises.

https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html