Hackers mass-exploit Gravity SMTP WordPress flaw to steal email API keys
Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.
- Check: Identify WordPress sites running Gravity SMTP at version 2.1.4 or earlier, and review web server access logs for requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, which indicate attempted or successful data exposure.
- Affected: WordPress sites running Gravity SMTP through 2.1.4 with email integrations configured (CVE-2026-4020); exposed API keys and OAuth tokens let attackers abuse connected email services and map the site for follow-on attacks.
- Fix: Update Gravity SMTP to 2.1.5 or later, then assume compromise: rotate all API keys, secrets, and OAuth tokens set in the plugin's email connectors, and block the published attacker IPs.
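As an added example (not from the article, Wordfence, or the Gravity SMTP project), the log review from the Check step as a Python triage script run over constructed access-log lines in combined format. It also catches the `?rest_route=` form of the same REST call; the 100 KB "likely exposed" threshold is an assumption based on the 365 KB report size.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TARGET = "/wp-json/gravitysmtp/v1/tests/mock-data"
ROUTE = "gravitysmtp/v1/tests/mock-data"
# Assumption: the report is ~365 KB, so a 200 with a body this large means it was served.
LARGE_RESPONSE_BYTES = 100_000

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def is_mock_data_request(raw_path):
    path = unquote(raw_path)
    base = path.split("?", 1)[0].rstrip("/")
    # Pretty-permalink form, or the /?rest_route=/... form WordPress also accepts.
    return base == TARGET or ("rest_route=" in path and ROUTE in path)

def find_mock_data_requests(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_mock_data_request(rec["path"]):
            # Small bodies (401/403 after the fix, or errors) are attempts, not leaks.
            rec["likely_exposed"] = rec["status"] == 200 and rec["bytes"] >= LARGE_RESPONSE_BYTES
            hits.append(rec)
    return hits

def summarize(hits):
    return {"total": len(hits),
            "likely_exposed": sum(h["likely_exposed"] for h in hits),
            "ips": Counter(h["ip"] for h in hits)}

# Constructed sample log lines (RFC 5737 documentation addresses, not real attacker IPs).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Jun/2026:08:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373760 "-" "python-requests/2.31"
203.0.113.10 - - [06/Jun/2026:08:14:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
198.51.100.7 - - [07/Jun/2026:11:02:45 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 401 82 "-" "curl/8.4.0"
192.0.2.55 - - [07/Jun/2026:11:30:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    print(summarize(find_mock_data_requests(SAMPLE_LOG)))
```

Any hit flagged `likely_exposed` should be treated as a confirmed leak of the connector credentials, which is the trigger for the rotation step in Fix.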