Mass exploitation of Gravity SMTP WordPress plugin vulnerability steals API keys from 100,000 sites
Summary
Hackers are mass-exploiting a vulnerability (CVE-2026-4020) in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites. The flaw, with a CVSS score of 5.3, affects all versions through 2.1.4 and was patched in version 2.1.5 on March 17, 2026. Exploitation began about two months after the patch, suggesting attackers reverse-engineered the fix. The vulnerable REST API endpoint lacks authentication checks, allowing attackers to steal API keys, secrets, and OAuth tokens by triggering a system report. Wordfence has blocked over 17 million exploit attempts since early May 2026.
Source
Key quotes
· 4 pulledWordfence reported blocking 17M+ exploit attempts targeting Gravity SMTP since early May 2026
The flaw is tracked as CVE-2026-4020 and has a CVSS score of 5.3
The vulnerable endpoint is /wp-json/gravitysmtp/v1/tests/mock-data, where permission_callback always returns true, so no authentication check occurs
Adding ?page=gravitysmtp-settings triggers register_connector_data() to return about 365 KB of JSON with the full system report, including API keys, secrets, and OAuth tokens
You might also wanna read
Analysis of CVE-2026-4020: Coordinated Google Cloud Fleet Exploiting Gravity SMTP WordPress Vulnerability
A detailed technical analysis of CVE-2026-4020, a critical vulnerability in the Gravity SMTP WordPress plugin that exposed sensitive credent
Supply Chain Attack Compromises Official GravityForms Plugin Repository
A supply chain attack compromised the official GravityForms plugin repository, injecting backdoors into legitimate plugin downloads. The bre
Large-Scale Supply Chain Attack: 30 WordPress Plugins Purchased and Backdoored
The article details a large-scale supply chain attack on WordPress plugins where an individual purchased 30 plugins and systematically plant

WAF - WAF Release - 2025-08-04

WAF - WAF Release - 2025-09-29


Comments
Sign in to join the conversation.
No comments yet. Be the first.