All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Security
Security
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

Mass exploitation of Gravity SMTP WordPress plugin vulnerability steals API keys from 100,000 sites

17d ago· 1 min readenNews

Summary

Hackers are mass-exploiting a vulnerability (CVE-2026-4020) in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites. The flaw, with a CVSS score of 5.3, affects all versions through 2.1.4 and was patched in version 2.1.5 on March 17, 2026. Exploitation began about two months after the patch, suggesting attackers reverse-engineered the fix. The vulnerable REST API endpoint lacks authentication checks, allowing attackers to steal API keys, secrets, and OAuth tokens by triggering a system report. Wordfence has blocked over 17 million exploit attempts since early May 2026.

Source

bskyMass exploitation of Gravity SMTP WordPress plugin vulnerability steals API keys from 100,000 sitesbriefly.co

Key quotes

· 4 pulled
Wordfence reported blocking 17M+ exploit attempts targeting Gravity SMTP since early May 2026
The flaw is tracked as CVE-2026-4020 and has a CVSS score of 5.3
The vulnerable endpoint is /wp-json/gravitysmtp/v1/tests/mock-data, where permission_callback always returns true, so no authentication check occurs
Adding ?page=gravitysmtp-settings triggers register_connector_data() to return about 365 KB of JSON with the full system report, including API keys, secrets, and OAuth tokens
Snippet from the RSS feed
Wordfence reported blocking 17M+ exploit attempts targeting Gravity SMTP since early May 2026, with the plugin installed on about 100,000 WordPress sites. The flaw is tracked as CVE-2026-4020 and has a CVSS score of 5.3. It affects all Gravity SMTP versio

You might also wanna read

Comments

Sign in to join the conversation.

No comments yet. Be the first.