Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys Vulnerability (CVE-2026-4020)
Key Facts
- The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin's email integrations.
- The exposed information may contain: - API keys, secrets, and OAuth tokens for configured email integrations - Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho - WordPress configuration details, including installed plugins, themes, and software versions - Server and PHP environment information - Database configuration details, including server version and table names Despite its medium-severity rating, the CVE-2026-4020 vulnerability can be exploited without authentication, and the exposed information can be used to steal email service credentials.
- "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site." A patch for the vulnerability has been released in version 2.1.5 of the plugin.
- This vulnerability is identified as CVE-2026-8713 and allows attackers to delete arbitrary files on the server through a path traversal flaw, provided a published Avada form is configured to save submissions to the database.
- Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date, with initial activity commencing at the start of May 2026 before spiking up dramatically around June 6, 2026, touching a high of over 4,000,000 requests a day later.
- No active exploitation of CVE-2026-8713 has been observed yet, but this is a good candidate, so quick action is advised.
- The flaw is tracked as CVE-2026-4020 and received a medium severity rating.
- It affects all versions of the plugin from 2.1.4 and older and has been addressed in version 2.1.5, released on March 17.
- Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites.
- The exploit efforts have originated from the following IP addresses - - 45.148.10.95 - 193.32.162.60 - 176.65.148.139 - 173.199.90.188 - 45.148.10.120 - 185.8.107.155 - 185.8.106.37 - 185.8.106.92 - 185.8.106.145 - 176.65.148.30 Site owners running a vulnerable version of the Gravity SMTP plugin and have configured third-party email integrations should assume compromise, and rotate the credentials after updating the plugin to the latest version as soon as possible.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The issue is tracked as CVE-2026-4020, CVE-2026-8713. The exposed information may contain: - API keys, secrets, and OAuth tokens for configured email integrations - Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho - WordPress configuration details, including installed plugins, themes, and software versions - Server and PHP environment information - Database configuration details, including server version and table names Despite its medium-severity rating, the CVE-2026-4020 vulnerability can be exploited without authentication, and the exposed information can be used to steal email service credentials.
The Vulnerability
“In this case, the exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site.” A patch for the vulnerability has been released in version 2.1.5 of the plugin.
Further details indicate that this vulnerability is identified as CVE-2026-8713 and allows attackers to delete arbitrary files on the server through a path traversal flaw, provided a published Avada form is configured to save submissions to the database.
Wordfence has blocked more than 17 million exploit attempts targeting CVE-2026-4020 to date, with initial activity commencing at the start of May 2026 before spiking up dramatically around June 6, 2026, touching a high of over 4,000,000 requests a day later.
No active exploitation of CVE-2026-8713 has been observed yet, but this is a good candidate, so quick action is advised.
“This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it,”, Spokesperson
Technical Details
CVEs:
From a technical standpoint, the vulnerability presents several concerns:
It affects all versions of the plugin from 2.1.4 and older and has been addressed in version 2.1.5, released on March 17.
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that’s installed on about 100,000 sites.
The exploit efforts have originated from the following IP addresses - - 45.148.10.95 - 193.32.162.60 - 176.65.148.139 - 173.199.90.188 - 45.148.10.120 - 185.8.107.155 - 185.8.106.37 - 185.8.106.92 - 185.8.106.145 - 176.65.148.30 Site owners running a vulnerable version of the Gravity SMTP plugin and have configured third-party email integrations should assume compromise, and rotate the credentials after updating the plugin to the latest version as soon as possible.
Risk & Exposure
It affects all versions of the plugin from 2.1.4 and older and has been addressed in version 2.1.5, released on March 17. Bad actors have already pounced on the defect by sending unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the “?page=gravitysmtp-settings” query parameter, causing the server to return valuable information about the site without requiring any authentication.
Timeline
| Date | Event | |, , |, , -| | 2026 | The exposed information may contain: - API keys, secrets, and OAuth tokens for configured email integrations - Creden… | | 2026 | This vulnerability is identified as CVE-2026-8713 and allows attackers to delete arbitrary files on the server throug… |
Patching & Remediation
-
The company’s Wordfence firewall has blocked more than 17 million attempts against protected customers.
-
Wordfence says exploitation activity spiked on June 7, with 4 million requests being blocked that day.
-
The security firm listed the most prolific source IP addresses for exploit requests, which website administrators should add to their blocklists.
-
This vulnerability is identified as CVE-2026-8713 and allows attackers to delete arbitrary files on the server through a path traversal flaw, provided a published Avada form is configured to save submissions to the database.
-
The issue was fixed in version 3.15.4, which is the recommended upgrade target for website administrators.
-
No active exploitation of CVE-2026-8713 has been observed yet, but this is a good candidate, so quick action is advised.
Analysis
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.
Sources
Sources & References
- CVE-2026-4020 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-4020
- CVE-2026-8713 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-8713
- CVE-2026-4020 — Google advisory. https://www.cve.org/CVERecord?id=CVE-2026-4020
- CVE-2026-8713 — Google advisory. https://www.cve.org/CVERecord?id=CVE-2026-8713
- CVE-2026-4020 — National Vulnerability Database
- CVE-2026-8713 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer Vulnerability
"Credentials accessible from a developer or administrator workstation may provide entry into production infrastructure, build pipelines, source code...
Vulnerabilities & ExploitsCritical Gitea Flaw Under Active Exploitation, Researchers Warn Vulnerability (CVE-2026-20896)
Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with...
Vulnerabilities & ExploitsCisco Unified CM Flaw CVE-2026-20230 Actively Exploited in the Wild Vulnerability
Cisco Unified Communications Manager has a serious vulnerability, tracked as CVE-2026-20230 (CVSS score of 8.6), that attackers are already exploiting. The...
Vulnerabilities & ExploitsPalo Alto Warns of Exploitation of VPN Bypass Exploits (CVE-2026-0257) in PAN-OS Flaw Vulnerability
"Only a small portion of the probed devices actually established VPN sessions, resulting in gateway-connected events." The company has also released...