Sensitive Information Exposure in Gravity SMTP Plugin for WordPress
CVE-2026-4020
Key Information:
- Vendor
WordPress
- Status
- Vendor
- CVE Published:
- 31 March 2026
Badges
What is CVE-2026-4020?
The Gravity SMTP plugin for WordPress contains a vulnerability that allows unauthenticated visitors to access sensitive system configuration data through a REST API endpoint. Specifically, the endpoint at /wp-json/gravitysmtp/v1/tests/mock-data can be exploited due to a permission callback that always returns true. By appending the ?page=gravitysmtp-settings query parameter, attackers can retrieve approximately 365 KB of JSON data, revealing critical information such as the PHP version, loaded extensions, web server version, document root, database server details, active plugins, active theme, WordPress configuration, database table names, and any API keys or tokens configured within the plugin. This exposure can significantly increase the risk of targeted attacks on affected systems.
Affected Version(s)
Gravity SMTP 0 <= 2.1.4
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Attackers are exploiting CVE-2026-4020 in Gravity SMTP to leak API keys, OAuth tokens, and system data from WordPress sites.
3 weeks ago
References
EPSS Score
39% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- π‘
Public PoC available
- πΎ
Exploit known to exist
- π°
First article discovered by The Hacker News
Vulnerability published
Vulnerability Reserved