Sensitive Information Exposure in Gravity SMTP Plugin for WordPress
CVE-2026-4020

7.5HIGH

Key Information:

Vendor

WordPress

Vendor
CVE Published:
31 March 2026

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC🟣 EPSS 39%πŸ“° News Worthy

What is CVE-2026-4020?

The Gravity SMTP plugin for WordPress contains a vulnerability that allows unauthenticated visitors to access sensitive system configuration data through a REST API endpoint. Specifically, the endpoint at /wp-json/gravitysmtp/v1/tests/mock-data can be exploited due to a permission callback that always returns true. By appending the ?page=gravitysmtp-settings query parameter, attackers can retrieve approximately 365 KB of JSON data, revealing critical information such as the PHP version, loaded extensions, web server version, document root, database server details, active plugins, active theme, WordPress configuration, database table names, and any API keys or tokens configured within the plugin. This exposure can significantly increase the risk of targeted attacks on affected systems.

Affected Version(s)

Gravity SMTP 0 <= 2.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Attackers are exploiting CVE-2026-4020 in Gravity SMTP to leak API keys, OAuth tokens, and system data from WordPress sites.

3 weeks ago

References

EPSS Score

39% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ“°

    First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved

Credit

Osvaldo Noe Gonzalez Del Rio
.