More than 17 million exploit attempts have targeted the Gravity SMTP vulnerability, an unauthenticated information disclosure flaw in a WordPress plugin active on 100,000 sites.

17M Attacks Hammer Gravity SMTP Vulnerability on WordPress
Analyst Take
The bug, tracked as CVE-2026-4020, affects Gravity SMTP 2.1.4 and older and was fixed in version 2.1.5, released on March 17, according to BleepingComputer. Defiant, the WordPress security firm behind Wordfence, says attackers are actively exploiting it and that the Wordfence firewall has blocked the bulk of the exploitation wave against protected customers.
Hackers target Gravity SMTP vulnerability exposing WordPress site data
The Gravity SMTP vulnerability is rated medium severity, but that rating understates the operational risk for site owners. Attackers don't need a WordPress account: a single unauthenticated GET request to an exposed REST API endpoint returns the plugin's detailed System Report.
The vulnerable endpoint is:
/wp-json/gravitysmtp/v1/tests/mock-data
Researchers say requests are especially suspicious when they carry the query parameter:
?page=gravitysmtp-settings
With that parameter appended, the plugin returns the full JSON report. Technical analysis cited in the source material puts the response at roughly 365 KB, depending on the site and plugin configuration.
The issue stems from the route's permission_callback, which always returns true. In WordPress, that callback is the function the REST API consults to decide whether a request may reach a route; the convention is a capability check such as current_user_can('manage_options'), not an unconditional true. Returning true means the endpoint treats unauthenticated visitors as if they were allowed to see data that should be restricted.
The exposed information may include:
- API keys, secrets, and OAuth tokens for configured email integrations
- Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho
- WordPress configuration details, including installed plugins, themes, and software versions
- Server and PHP environment information
- Database configuration details, including server version and table names
Wordfence researchers warned that exposure of live third-party API credentials could let attackers abuse connected email services, while the detailed system report can lower the effort needed to plan further attacks against the site.
That’s the core danger. This isn’t just a leak of boring diagnostics. If live mail credentials are present, the attacker may be able to abuse legitimate email services tied to the victim’s site.
A public REST endpoint turns diagnostics into reconnaissance
Gravity SMTP helps WordPress sites send mail through external email providers. That means it often sits near sensitive configuration data for transactional messages, contact forms, account emails, and other site communications.
The vulnerable code path exposed a system report. For defenders, that report is a troubleshooting artifact. For attackers, it’s a map.
| Exposed data | Why it matters |
|---|---|
| Email API keys and OAuth tokens | May let attackers abuse connected sending services |
| SMTP or third-party mail credentials | Can expose the site’s sender infrastructure |
| Active plugins and versions | Helps attackers identify follow-on targets |
| PHP, server, and database details | Narrows reconnaissance for later attacks |
| Database table names | Gives attackers more context for site structure |
CVE-2026-4020 is classified as CWE-200, exposure of sensitive information to an unauthorized actor, according to the technical analysis cited in the source material. The attack vector is network-based and requires no privileges or user interaction.
That matters because the vulnerable path is predictable. Attackers can scan for WordPress sites running Gravity SMTP and probe the endpoint directly. A site still on 2.1.4 or older leaks its configuration data on the first request, and because a read-only disclosure changes nothing on the site, the web server access log is usually the only trace the owner will ever see.
XOOMAR has tracked other security stories where exposed credentials or trusted software channels created outsized risk, including 74,000 Fortinet Logins Spill in FortiBleed Data Leak and Paid ShapedPlugin Updates Smuggle Malware Into WordPress. The common lesson for administrators is narrow but practical: secrets inside infrastructure tools should be treated as production assets, not settings-page clutter.
17 million blocked attempts put WordPress admins under pressure
Wordfence says exploitation activity spiked on June 7, when it blocked 4 million requests in a single day. Similar activity continued for several days afterward.
That scale points to automated exploitation, not one-off probing. The Gravity SMTP vulnerability is easy to test for, and the endpoint path gives defenders a clear log artifact to hunt.
Administrators should check web server access logs for requests to:
/wp-json/gravitysmtp/v1/tests/mock-data
Requests that also carry ?page=gravitysmtp-settings deserve special attention; the source material singles out that pattern as the key indicator of exploitation attempts. A matching request proves an attempt, not a disclosure, so check the response status and size on the same log line: a 200 response with a body in the hundreds of kilobytes means the report was served, while a 401, 403 or 404 means the request was denied, whether by the patched plugin, a firewall or the web server.
If suspicious requests appear, site owners should assume any data exposed through the Gravity SMTP system report may have been accessed. That means reviewing and rotating potentially exposed SMTP credentials, API keys, OAuth tokens, and related email-service secrets.
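As an added example (not code from the article, Wordfence or Gravity SMTP), here is a small Python hunter that runs the check above over access-log lines in the Apache/Nginx combined format. It matches both the /wp-json path and WordPress's alternative ?rest_route= form of the same route, which a path-only grep misses, and classifies each hit by response status and size so that denied probes are separated from requests that were actually answered with a report-sized body. The sample log lines are constructed, and the combined log format and the 50 KB size threshold are assumptions; tune them to your server.

```python
"""Hunt access logs for CVE-2026-4020 probes and actual report disclosures.

Added example, not code from the article or from Gravity SMTP. Assumes the
Apache/Nginx "combined" log format; the sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

ROUTE = "/gravitysmtp/v1/tests/mock-data"     # REST route inside the plugin namespace
ENDPOINT = "/wp-json" + ROUTE                  # the path quoted in the advisory
FLAG_PARAM = ("page", "gravitysmtp-settings")  # pattern researchers single out
# The cited report is roughly 365 KB; a REST error body is a few hundred bytes.
# 50 KB is an assumed cut-off between "denied/empty" and "report was served".
LARGE_BODY = 50_000

# Combined log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample: one real disclosure, two denied probes (one using the
# ?rest_route= form WordPress also accepts), one 200 with a small body.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2026:10:14:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:10:14:23 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jun/2026:10:20:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 162 "-" "python-requests/2.31"
198.51.100.9 - - [07/Jun/2026:10:20:05 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 401 115 "-" "python-requests/2.31"
192.0.2.44 - - [07/Jun/2026:11:02:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "curl/8.5.0"
192.0.2.44 - - [07/Jun/2026:11:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9120 "-" "curl/8.5.0"
"""

def targets_route(target):
    """True if the request target reaches the vulnerable route by either form."""
    url = urlsplit(target)
    if url.path.rstrip("/").endswith(ENDPOINT):      # /wp-json/... (also /blog/wp-json/...)
        return True
    rest_route = parse_qs(url.query).get("rest_route", [""])[0]
    return rest_route.rstrip("/") == ROUTE            # /?rest_route=/gravitysmtp/...

def classify(entry):
    """Turn a parsed log entry into a finding, or None if it is unrelated."""
    if not targets_route(entry["target"]):
        return None
    params = parse_qs(urlsplit(entry["target"]).query)
    flagged = FLAG_PARAM[1] in params.get(FLAG_PARAM[0], [])
    if entry["status"] == 200 and entry["size"] >= LARGE_BODY:
        verdict = "likely-disclosure"     # report-sized body went out unauthenticated
    elif entry["status"] == 200:
        verdict = "served-small-body"     # answered, but short: inspect what was returned
    else:
        verdict = "denied"                # 401/403/404 from the plugin, WAF or web server
    return {"ip": entry["ip"], "ts": entry["ts"], "verdict": verdict, "flagged_param": flagged}

def hunt(lines):
    """Parse log lines and return findings for every request to the route."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings

def summarize(findings):
    """Aggregate for the response decision and for blocklist candidates."""
    return {
        "by_verdict": Counter(f["verdict"] for f in findings),
        "top_ips": Counter(f["ip"] for f in findings).most_common(5),
        "rotate_secrets": any(f["verdict"] == "likely-disclosure" for f in findings),
    }

if __name__ == "__main__":
    print(summarize(hunt(SAMPLE_LOG.splitlines())))
```

On the constructed sample, the 403 and 401 probes are reported as denied, the 373 KB response from 203.0.113.7 is reported as a likely disclosure and flips rotate_secrets to true, and the 812-byte 200 is left for manual inspection. Feed it a real log with `hunt(open("access.log"))`; the top_ips list is the blocklist candidate set, and a single likely-disclosure hit is enough to justify rotating every secret the report can carry.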
The immediate fix is clear: update Gravity SMTP to version 2.1.5 or later. Wordfence also listed prolific source IP addresses for exploit requests, which administrators can add to blocklists. But static IP blocking is not enough by itself, since the reliable detection signal is the endpoint path and request pattern.
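After updating, the remaining question is whether the route is actually gated by the plugin or merely shielded by a firewall. The following Python check, added here and not taken from the article, Wordfence or Gravity SMTP, sends one unauthenticated GET to the route and classifies the answer. It assumes WordPress core's REST error format (a JSON body with "code": "rest_forbidden" when a permission callback denies, "rest_no_route" when no such route is registered); the exact response the patched plugin returns is not stated by the source, and the 50 KB threshold is an assumption. A 403 with an HTML body is treated as an upstream block, which says nothing about the installed plugin version.

```python
"""Check whether a site's Gravity SMTP system-report route is still reachable
without authentication. Added example, not the article's or the vendor's code.
Assumes WordPress core's REST error JSON ("rest_forbidden" / "rest_no_route");
the response of the patched plugin is not stated by the source.
"""
import json
import urllib.error
import urllib.request

ROUTE = "/wp-json/gravitysmtp/v1/tests/mock-data"
REPORT_MIN_BYTES = 50_000  # assumption: cited report is ~365 KB, error bodies are tiny

def classify_response(status, content_type, body):
    """Classify one unauthenticated GET to the route from status, media type and body."""
    is_json = "json" in (content_type or "").lower()
    payload = None
    if is_json:
        try:
            payload = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            payload = None
    code = payload.get("code") if isinstance(payload, dict) else None
    if status == 200 and is_json and len(body) >= REPORT_MIN_BYTES:
        return "exposed"            # report-sized JSON served to an anonymous client
    if status == 200 and is_json:
        return "served-small"       # still answered without auth; inspect the body
    if status in (401, 403) and code == "rest_forbidden":
        return "gated"              # a permission callback denied the request
    if status == 404 and code == "rest_no_route":
        return "route-absent"       # plugin inactive or route no longer registered
    if status in (403, 406, 429) and not is_json:
        return "blocked-upstream"   # WAF/CDN answered; proves nothing about the plugin
    return "unknown"

def check_site(base_url, timeout=10):
    """Perform the live check against a site you are authorised to test."""
    req = urllib.request.Request(
        base_url.rstrip("/") + ROUTE,
        headers={"User-Agent": "gravity-smtp-check/1.0", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, ctype, body = resp.status, resp.headers.get("Content-Type"), resp.read()
    except urllib.error.HTTPError as err:
        status, ctype, body = err.code, err.headers.get("Content-Type"), err.read()
    return classify_response(status, ctype, body)

if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1]))
```

Run it as `python check.py https://example.com` against a site you own. Only "gated" or "route-absent" shows the plugin itself now refuses anonymous requests; "blocked-upstream" means the firewall caught the probe, and the plugin version still needs to be confirmed separately.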
Avada Builder warning shows WordPress plugin risk is stacking up
The Gravity SMTP campaign landed as Wordfence issued a separate advisory about CVE-2026-8713, a critical unauthenticated arbitrary file-deletion flaw in the Avada Builder WordPress plugin, used on one million sites.
That flaw is different: it is a path traversal issue that lets attackers delete arbitrary files when a published Avada form is configured to save submissions to the database. Deleting critical files such as wp-config.php can revert a site to its initial setup state, potentially leading to full site takeover and remote code execution.
Wordfence says it has not observed active exploitation of CVE-2026-8713 yet. The recommended Avada Builder upgrade target is version 3.15.4.
For Gravity SMTP, the watch item is narrower and more urgent: whether the exploitation wave continues to find unpatched 2.1.4 and older installations. Admins should patch, inspect logs for the endpoint, and rotate exposed mail credentials where access is suspected. If attackers already pulled the system report, updating the plugin closes the hole, but it doesn’t make leaked secrets private again.
Impact Analysis
- Attackers can access sensitive WordPress and email integration data without logging in.
- More than 17 million exploit attempts show the bug is being targeted at scale.
- Site owners running Gravity SMTP 2.1.4 or older should update to 2.1.5 immediately.
Gravity SMTP Vulnerability Status
| Item | Vulnerable | Fixed/Safer |
|---|---|---|
| Gravity SMTP version | 2.1.4 and older | 2.1.5 |
| Release status | Affected by CVE-2026-4020 | Patched on March 17 |
| Access requirement | Unauthenticated REST API request can expose data | Endpoint permission issue fixed |
Written by
XOOMAR Insights Team
Research and Editorial Desk