Hackers Actively Exploit WordPress SMTP Plugin for Data Access
A sensitive information exposure flaw within the Gravity SMTP WordPress plugin is currently under active exploitation. Threat actors are aggressively targeting over 100,000 sites to harvest critical configuration data and live email credentials.
The vulnerability, tracked as CVE‑2026‑4020 and rated 5.3 (Medium), affects all Gravity SMTP versions up to and including 2.1.4 and is now under mass exploitation by distributed IP infrastructure across multiple regions.
The vendor quietly shipped a fix on March 17, 2026, with Gravity SMTP version 2.1.5, but public disclosure followed on March 30, 2026, leaving a large population of lagging sites exposed during the intervening weeks.
At the core of the issue is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission callback that unconditionally returns true, meaning the endpoint performs no authentication or capability checks and is reachable by any unauthenticated visitor.
When a request appends the page=gravitysmtp-settings query parameter, the plugin’s configuration collection logic loads its internal connector data. It returns a roughly 365 KB JSON “System Report” containing extensive system and plugin metadata.
This System Report exposes PHP version and extensions, web server version and document root, database type and version, WordPress version and configuration details, the active theme, the list of all active plugins with versions, and internal database table names.
Critically, it also includes any API keys, secrets, and OAuth tokens configured for Gravity SMTP’s email integrations, including providers such as Amazon SES, Google, Mailjet, Resend, and Zoho, giving attackers everything they need to send email through legitimate channels owned by the victim.
This combination of rich reconnaissance and credential exposure significantly lowers the effort required to chain additional vulnerabilities or pivot into broader account compromise.

Hackers Exploit WordPress SMTP Plugin
Exploitation is trivial: an attacker only needs to send a single unauthenticated GET request such as GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1 and parse the resulting JSON.
Because no authentication, CSRF protection, or capability checks are enforced on the endpoint, this pattern lends itself perfectly to automated internet‑wide scanning and harvesting, and exploit templates are already available in public tooling ecosystems like Nuclei.
Wordfence reports the Gravity SMTP flaw is now seeing widespread exploitation, with over 17 million blocked attack attempts and a major surge in activity between June 7–11, 2026, reaching several million requests per day.
CrowdSec likewise reports at least 412 distinct attacking IPs between May 27 and June 1, 2026, with top activity associated with cloud and hosting geographies rather than a single localized cluster.
Among the most aggressive sources observed hammering the vulnerable mock‑data endpoint are IPs such as 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30, each responsible for hundreds of thousands of blocked requests.

These addresses appear tied to high‑volume scanning infrastructure rather than to ordinary residential users, reinforcing the idea that exploitation is largely automated and opportunistic.
However, defenders should treat this list as indicative, not exhaustive, because new IPs are continuously joining the attack surface as scripts propagate and additional botnets incorporate the CVE‑2026‑4020 checks into their routines.
Detecting exploitation is challenging because the vulnerability is read‑only and does not directly modify site content, users, or files.
As a result, traditional compromise indicators like new administrator accounts or dropped webshells may be absent even when credentials have already been stolen.
Administrators should instead review web server access logs for any hits to /wp-json/gravitysmtp/v1/tests/mock-data, especially requests containing page=gravitysmtp-settings, and correlate them with timestamps, user agents, and known malicious IPs, such as those listed above.
Large 365 KB JSON responses from that path are strong evidence that the system report has been retrieved at least once.
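The detection advice above can be applied mechanically to web server access logs. The Python below is an added example, not code from the article or from the plugin: it parses combined-format log lines, flags every request to the mock-data path, records whether the page=gravitysmtp-settings parameter was present, and uses the response status and size to distinguish a blocked probe from a retrieval of the System Report. The scanner IP set is the list quoted above, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Indicators from the article: the exposed endpoint, the query parameter that makes it
# return the System Report, the report's approximate size, and the reported scanner IPs.
MOCK_DATA_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
TRIGGER_PARAM = "page=gravitysmtp-settings"
REPORT_SIZE_HINT = 300_000  # bytes; a ~365 KB body means the report was actually served
KNOWN_SCANNER_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188", "45.148.10.120",
    "185.8.107.155", "185.8.106.37", "185.8.106.92", "185.8.106.145", "176.65.148.30",
}

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def classify(line):
    """Return a finding for a request to the mock-data endpoint, or None for other lines."""
    m = LOG_RE.match(line)
    if not m or not m.group("path").startswith(MOCK_DATA_PATH):
        return None
    size = int(m.group("bytes")) if m.group("bytes") != "-" else 0
    status = int(m.group("status"))
    hit_settings = TRIGGER_PARAM in m.group("path")
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "ua": m.group("ua"),
        "status": status, "bytes": size, "settings_param": hit_settings,
        "known_scanner": m.group("ip") in KNOWN_SCANNER_IPS,
        # Only a 200 with the trigger parameter and a large body shows the report left the site.
        "report_served": status == 200 and hit_settings and size >= REPORT_SIZE_HINT,
    }

def scan_log(lines):
    """Return (findings, per-IP hit counts) for every request that touched the endpoint."""
    findings = [f for f in map(classify, lines) if f]
    return findings, Counter(f["ip"] for f in findings)

# Constructed sample log lines (not real traffic): one successful retrieval from an unlisted
# IP, one blocked attempt from a listed scanner IP, and one unrelated REST request.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2026:10:15:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data'
    '?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"',
    '45.148.10.95 - - [09/Jun/2026:10:15:03 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data'
    '?page=gravitysmtp-settings HTTP/1.1" 403 521 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [09/Jun/2026:10:16:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]
```

Any finding with report_served set should be treated as a confirmed credential exposure and trigger the rotation steps below; hits with a 403 or a small body show the endpoint was probed but the report was not returned.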
Remediation Steps
Mitigation requires a combination of patching, credential rotation, and network‑level hardening. Site owners must upgrade Gravity SMTP to version 2.1.5 or later, which addresses the insecure REST API behavior.
Because there is no reliable way to prove that credentials were not accessed once a site ran a vulnerable version, all API keys, secrets, and OAuth tokens associated with Amazon SES, Google, Mailjet, Resend, Zoho, or other connected providers should be rotated immediately after patching.
Additionally, security teams should consider blocking unauthenticated access to /wp-json/gravitysmtp/v1/tests/mock-data via web server configuration or Web Application Firewall rules, and, where feasible, constraining REST API access to trusted IP ranges.