Sensitive Information Exposure in Gravity SMTP Plugin for WordPress
CVE-2026-4020

7.5 HIGH

Key Information:

Vendor

WordPress

CVE Published:
31 March 2026

Badges

👾 Exploit Exists 📰 News Worthy

What is CVE-2026-4020?

The Gravity SMTP plugin for WordPress contains a vulnerability that allows unauthenticated visitors to access sensitive system configuration data through a REST API endpoint. Specifically, the endpoint at /wp-json/gravitysmtp/v1/tests/mock-data can be exploited due to a permission callback that always returns true. By appending the ?page=gravitysmtp-settings query parameter, attackers can retrieve approximately 365 KB of JSON data, revealing critical information such as the PHP version, loaded extensions, web server version, document root, database server details, active plugins, active theme, WordPress configuration, database table names, and any API keys or tokens configured within the plugin. This exposure can significantly increase the risk of targeted attacks on affected systems.
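The weak permission callback pattern described above, shown next to a capability-gated registration of the same kind of diagnostic route, as an added PHP example; this is not Gravity SMTP's own code, and the route namespace, callback names and option key are assumptions.

```php
<?php
// Added example, not Gravity SMTP code. Uses only public WordPress REST API
// functions; 'example-plugin/v1', the callbacks and the option key are assumed.

add_action( 'rest_api_init', function () {
    // Weak pattern behind CVE-2026-4020: permission_callback always returns true,
    // so an unauthenticated visitor can reach whatever the callback returns.
    register_rest_route( 'example-plugin/v1', '/diagnostics-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_diagnostics',
        'permission_callback' => '__return_true',
    ) );

    // Hardened form: require an authenticated administrator. WordPress returns
    // 401 for logged-out callers and 403 for logged-in callers lacking the cap.
    register_rest_route( 'example-plugin/v1', '/diagnostics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_diagnostics_safe',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Administrator access required.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_plugin_diagnostics( WP_REST_Request $request ) {
    // Under the weak route every field here, including the secret, is public.
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'api_key'     => get_option( 'example_plugin_api_key' ), // assumed option
    ) );
}

function example_plugin_diagnostics_safe( WP_REST_Request $request ) {
    // Even for administrators, report whether a credential is configured
    // rather than echoing it; a diagnostic payload should never carry secrets.
    $key = (string) get_option( 'example_plugin_api_key' ); // assumed option
    return rest_ensure_response( array(
        'php_version'    => PHP_VERSION,
        'api_key_set'    => '' !== $key,
        'api_key_suffix' => '' === $key ? null : substr( $key, -4 ),
    ) );
}
```

A quick site-level check for this class of issue is to review each `register_rest_route()` call in installed plugins for a `permission_callback` of `__return_true` and confirm that the route really is meant to be public.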

Affected Version(s)

Gravity SMTP, all versions from 0 up to and including 2.1.4

News Articles

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Attackers are exploiting CVE-2026-4020 in Gravity SMTP to leak API keys, OAuth tokens, and system data from WordPress sites.


References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability reserved

Credit

Osvaldo Noe Gonzalez Del Rio