Last updated: July 5, 2026 at 9:01 AM UTC
Tag: gravity-smtp (1 article)

Hackers mass-exploit Gravity SMTP WordPress flaw to steal email API keys

Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.

Check
Identify WordPress sites running Gravity SMTP at version 2.1.4 or earlier, and review web server access logs for requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, which indicate attempted or successful data exposure.
Affected
WordPress sites running Gravity SMTP through 2.1.4 with email integrations configured (CVE-2026-4020); exposed API keys and OAuth tokens let attackers abuse connected email services and map the site for follow-on attacks.
Fix
Update Gravity SMTP to 2.1.5 or later, then assume compromise: rotate all API keys, secrets, and OAuth tokens set in the plugin's email connectors, and block the published attacker IPs.
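To support the access-log review suggested under Check, here is an added detection example (not code from the article or from Wordfence). It scans combined-format web server logs for the /wp-json/gravitysmtp/v1/tests/mock-data endpoint and counts, per source IP, the attempts and the responses large enough to be the leaked report; the 100 KB threshold and the sample log lines are assumptions constructed for the demo.

```python
import re
from collections import Counter

# Endpoint named in the advisory; any hit is an attempted data exposure.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Combined log format (nginx/Apache default): ip ident user [ts] "req" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# The full report is ~365 KB; a 200 response this large is treated as a
# successful leak. Threshold is an assumption, tune it to your own baseline.
LEAK_BYTES = 100_000

def find_mock_data_hits(lines):
    """Return one record per request to the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.rstrip("/") != VULN_PATH:
            continue
        status = int(m.group("status"))
        size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        hits.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "status": status,
            "bytes": size, "likely_leaked": status == 200 and size >= LEAK_BYTES,
        })
    return hits

def summarize(hits):
    """Map source IP -> (attempts, likely successful leaks)."""
    attempts, leaks = Counter(), Counter()
    for h in hits:
        attempts[h["ip"]] += 1
        leaks[h["ip"]] += int(h["likely_leaked"])
    return {ip: (attempts[ip], leaks[ip]) for ip in attempts}

# Constructed sample lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Jun/2026:02:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373760 "-" "python-requests/2.31"',
    '203.0.113.5 - - [06/Jun/2026:02:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?x=1 HTTP/1.1" 200 373760 "-" "python-requests/2.31"',
    '198.51.100.9 - - [07/Jun/2026:11:40:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 212 "-" "curl/8.4.0"',
    '192.0.2.77 - - [07/Jun/2026:11:41:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, (n, leaked) in summarize(find_mock_data_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} attempt(s), {leaked} likely successful")
```

A 403 or small response still means the site was probed; only 200 responses around the report size indicate that keys were actually returned and must be rotated.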