SecurityXP

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys (CVE-2026-4020)

· 4 min read · SecurityXP

The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that allows unauthenticated attackers to extract sensitive data, including configuration data and the API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The exposed information may contain:

- API keys, secrets, and OAuth tokens for configured email integrations
- Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho
- WordPress configuration details, including installed plugins, themes, and software versions
- Server and PHP environment information
- Database configuration details, including server version and table names

Despite its medium-severity rating, CVE-2026-4020 can be exploited without authentication, and the exposed information can be used to steal email service credentials. A second identifier mentioned on this page, CVE-2026-8713, refers to a separate path traversal flaw affecting Avada forms, not to Gravity SMTP.

The Vulnerability

“This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it,” Wordfence explained.

“In this case, the exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site.” A patch for the vulnerability has been released in version 2.1.5 of the plugin.

Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date. Activity began at the start of May 2026, spiked sharply around June 6, 2026, and peaked at more than 4 million requests a day later.

A second, unrelated flaw, CVE-2026-8713, allows attackers to delete arbitrary files on the server through a path traversal flaw, provided a published Avada form is configured to save submissions to the database. No active exploitation of CVE-2026-8713 has been observed yet, but arbitrary file deletion is an attractive primitive for attackers, so prompt patching is advised.

Technical Details

CVE-2026-4020 affects all versions of the Gravity SMTP plugin up to and including 2.1.4 and was addressed in version 2.1.5, released on March 17. The root cause is a REST route whose permission callback grants access to everyone, so the usual WordPress capability check never runs.

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that’s installed on about 100,000 sites.

The exploit attempts have originated from the following IP addresses:

- 45.148.10.95
- 193.32.162.60
- 176.65.148.139
- 173.199.90.188
- 45.148.10.120
- 185.8.107.155
- 185.8.106.37
- 185.8.106.92
- 185.8.106.145
- 176.65.148.30

Site owners who ran a vulnerable version of the Gravity SMTP plugin with third-party email integrations configured should assume compromise: update the plugin to the latest version as soon as possible and then rotate the credentials of every connected service.

Risk & Exposure

Attackers have already pounced on the defect by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the “?page=gravitysmtp-settings” query parameter, which causes the server to return the site’s settings and environment details without requiring any authentication. Because the request needs no session or nonce, every exposed site should be treated as already enumerated.
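As an added example (not code from this page, from Wordfence, or from the Gravity SMTP project), the following Python script shows how a site owner could triage exposure: it checks whether an installed plugin version is in the affected range (below the 2.1.5 fix) and scans access log lines for requests to the vulnerable mock-data route, separating hits that carried the ?page=gravitysmtp-settings parameter and were answered with HTTP 200 (likely successful disclosures) from rejected ones, and matching sources against the IP addresses listed above. The log lines and plugin header are constructed for illustration; the handling of the ?rest_route= URL form (used by WordPress sites without pretty permalinks) and the combined access log layout are assumptions of this example.

```python
"""Triage helper for CVE-2026-4020 (Gravity SMTP information disclosure).
Sample log lines and plugin header at the bottom are constructed, not real."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# REST route from the advisory. Pretty-permalink form: /wp-json<VULN_ROUTE>;
# non-pretty form: /?rest_route=<VULN_ROUTE> (standard WordPress behaviour).
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
FIXED_VERSION = (2, 1, 5)  # fixed in 2.1.5; 2.1.4 and older are affected

# Source IPs reported as the most prolific exploit origins
IOC_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(text):
    """'2.1.4' -> (2, 1, 4): compare numerically so that 2.1.10 > 2.1.5."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable_version(version_text):
    """True for any release older than the fixed build."""
    return parse_version(version_text) < FIXED_VERSION


def plugin_version_from_header(header_text):
    """Read the 'Version:' field of a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.M)
    return match.group(1) if match else None


def classify_request(line):
    """Describe a hit on the vulnerable route, or return None for other traffic."""
    match = LOG_RE.match(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    query = parse_qs(url.query)
    path = url.path.rstrip("/")
    rest_route = query.get("rest_route", [""])[0].rstrip("/")
    # endswith() also catches sub-directory installs such as /blog/wp-json/...
    if not (path.endswith(VULN_ROUTE) or rest_route == VULN_ROUTE):
        return None
    ip = match.group("ip")
    return {
        "ip": ip,
        "time": match.group("time"),
        "status": int(match.group("status")),
        # the in-the-wild exploit requests carry this parameter
        "settings_page": query.get("page", [""])[0] == "gravitysmtp-settings",
        "known_ioc": ip in IOC_IPS,
    }


def triage_log(lines):
    """Summarise hits on the route and flag likely successful disclosures."""
    hits = [hit for hit in map(classify_request, lines) if hit]
    # an HTTP 200 on a settings-page request means the data was served
    leaked = [hit for hit in hits if hit["status"] == 200 and hit["settings_page"]]
    return {
        "total_hits": len(hits),
        "by_ip": dict(Counter(hit["ip"] for hit in hits)),
        "likely_disclosures": len(leaked),
        "ioc_matches": sorted({hit["ip"] for hit in hits if hit["known_ioc"]}),
        # any served settings request means credentials must be rotated
        "assume_compromise": bool(leaked),
    }


# Constructed sample data: one known IOC source, one rest_route-form request,
# one request rejected with 401 (what a patched site returns), one unrelated hit.
SAMPLE_PLUGIN_HEADER = """\
/**
 * Plugin Name: Gravity SMTP
 * Version: 2.1.4
 */
"""
SAMPLE_LOG = """\
45.148.10.95 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18432
203.0.113.7 - - [07/Jun/2026:03:15:22 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 18401
198.51.100.23 - - [07/Jun/2026:03:16:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 94
192.0.2.44 - - [07/Jun/2026:03:17:45 +0000] "GET /wp-login.php HTTP/1.1" 200 5120
""".splitlines()

if __name__ == "__main__":
    version = plugin_version_from_header(SAMPLE_PLUGIN_HEADER)
    state = "VULNERABLE, update to 2.1.5+" if is_vulnerable_version(version) else "patched"
    print(f"Gravity SMTP {version}: {state}")
    print(triage_log(SAMPLE_LOG))
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines; a non-zero likely_disclosures count means the settings report was served at least once, which is the trigger for rotating every email integration credential regardless of whether the source IP appears in the published list.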

Timeline

| Date | Event |
| --- | --- |
| March 17, 2026 | Gravity SMTP 2.1.5 released, fixing CVE-2026-4020 |
| Early May 2026 | First exploit attempts against CVE-2026-4020 observed |
| June 6, 2026 | Exploitation activity spikes sharply |
| June 7, 2026 | Peak of more than 4 million blocked requests in a single day |

Patching & Remediation

  1. Update Gravity SMTP to version 2.1.5 or later; every release up to and including 2.1.4 is affected.

  2. If third-party email integrations were configured while a vulnerable version was installed, assume the credentials were exposed and rotate the API keys, secrets, and OAuth tokens for each connected service (Amazon SES, Google, Mailjet, Resend, Zoho) after updating.

  3. Add the source IP addresses listed above to blocklists. Wordfence reports they were the most prolific sources of exploit requests; its firewall has blocked more than 17 million attempts against protected customers, with about 4 million blocked on June 7 alone.

  4. Separately, CVE-2026-8713 allows attackers to delete arbitrary files on the server through a path traversal flaw, provided a published Avada form is configured to save submissions to the database. It was fixed in version 3.15.4, which is the recommended upgrade target.

  5. No active exploitation of CVE-2026-8713 has been observed yet, but arbitrary file deletion is an attractive primitive for attackers, so apply that update promptly as well.

Analysis

The flaw is a reminder that a WordPress REST route whose permission_callback always returns true is effectively a public endpoint. Any route that returns configuration, environment details, or integration credentials needs a proper capability check, and once such data has been served to an unauthenticated caller, patching the route is not enough: the exposed secrets have to be rotated.

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-4020
  2. https://nvd.nist.gov/vuln/detail/CVE-2026-8713
  3. https://www.cve.org/CVERecord?id=CVE-2026-4020
  4. https://www.cve.org/CVERecord?id=CVE-2026-8713