Attackers are actively exploiting an unauthenticated information-disclosure flaw in the Gravity SMTP WordPress plugin that lets them retrieve the plugin's full System Report without logging in. The vulnerability, tracked as CVE-2026-4020, was publicly disclosed on March 30th and is present in all versions up to and including 2.1.4.
The flaw stems from an improperly secured REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data. Its permission callback unconditionally returns true, so WordPress serves the route to every visitor. When a request carries the query parameter page=gravitysmtp-settings, the plugin populates its internal connector data and responds with roughly 365 KB of JSON containing the site's entire System Report.
That report is far more than a list of PHP versions or server names. It details the WordPress core version, the active plugins and their versions, the current theme, the database server type and version, loaded extensions and the document root path, and, critically, the API keys, secrets and OAuth tokens for every email integration configured in Gravity SMTP. Attackers can therefore harvest working credentials to send spam through the site's mail providers or abuse other services on the site's behalf.
Exploitation is trivial: a single unauthenticated GET request to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings returns the entire report. The request looks like this:
GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Wordfence's firewall rule for this vulnerability blocks every request to the endpoint that does not come from an authenticated administrator. Wordfence Premium, Care and Response users have had that dedicated rule since the first detection on May 5th; free-tier sites received the same protection on June 4th.
To date Wordfence has blocked more than 17 million exploit attempts. The wave peaked between June 7th and June 11th, when more than four million requests were intercepted each day. The most active source IPs are:
- 45[.]148[.]10[.]95
- 193[.]32[.]162[.]60
- 176[.]65[.]148[.]139
- 173[.]199[.]90[.]188
- 45[.]148[.]10[.]120
- 185[.]8[.]107[.]155
- 185[.]8[.]106[.]37
- 185[.]8[.]106[.]92
- 185[.]8[.]106[.]145
- 176[.]65[.]148[.]30
Because exploitation does not modify site files, it leaves little forensic evidence on disk; the web-server access log is usually the only record. Security teams should search those logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data whose query string includes page=gravitysmtp-settings and cross-reference the source IPs against the list above. A successful hit (HTTP 200 with a response body of a few hundred kilobytes rather than a short error page) should be treated as a credential leak: rotate every API key, secret and OAuth token configured in Gravity SMTP, not just the plugin version.
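The log-scanning step above, written out as an added example for this page (this is not code from Wordfence or from the plugin). It parses Apache/nginx combined-format access-log lines, keeps only requests for the mock-data route that carry page=gravitysmtp-settings, marks whether the source IP is on the list above, and flags likely successful pulls by response size, so the request shown earlier in this advisory is caught as a hit. It goes beyond a plain grep for the path in two ways: it also matches the /?rest_route=/gravitysmtp/v1/tests/mock-data form that WordPress accepts when pretty permalinks are off, and it decodes percent-encoded query values so that page=gravitysmtp%2Dsettings is not missed. The log lines are constructed for the example, and the 100 KB leak threshold is an assumption chosen well below the ~365 KB report size.

```python
"""Scan access logs for CVE-2026-4020 probing of the Gravity SMTP mock-data route.

Added example for this page, not code from Wordfence or the plugin.
Handles both URL forms WordPress accepts for a REST route and decodes
percent-encoded query strings before matching.
"""
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Attacker IPs listed in the advisory (defanging brackets removed).
IOC_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"
TRIGGER_PARAM, TRIGGER_VALUE = "page", "gravitysmtp-settings"
# A full System Report is roughly 365 KB; a WAF block or an empty reply is far
# smaller. Assumption: 100 KB is an illustrative cut-off, not a value from the page.
LEAK_BYTES = 100_000

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def requested_route(target):
    """Return (route, decoded query dict) for a request target.

    WordPress serves REST routes both as /wp-json/<route> (pretty permalinks)
    and as /?rest_route=/<route>; attackers use whichever form a site answers.
    """
    parts = urlsplit(target)
    query = parse_qs(parts.query)  # also undoes %-encoding of values
    path = parts.path.rstrip("/")
    idx = path.find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0].rstrip("/"), query
    return None, query


def classify(line):
    """Return a finding dict for an exploit attempt, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    route, query = requested_route(m.group("target"))
    if route != VULN_ROUTE:
        return None
    if TRIGGER_VALUE not in query.get(TRIGGER_PARAM, []):
        return None  # route touched without the trigger parameter: not the exploit
    status = int(m.group("status"))
    size = 0 if m.group("size") == "-" else int(m.group("size"))
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": status,
        "bytes": size,
        "known_attacker": m.group("ip") in IOC_IPS,
        # 200 with a report-sized body means the System Report most likely left the site.
        "likely_leak": status == 200 and size >= LEAK_BYTES,
    }


def scan(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [hit for hit in map(classify, lines) if hit is not None]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Full-report pull from a listed attacker IP: a leak.
    '45.148.10.95 - - [08/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"',
    # Same request stopped by a WAF: tiny body, no leak.
    '185.8.106.37 - - [08/Jun/2026:03:14:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    # Unlisted IP using the rest_route form with a percent-encoded parameter.
    '203.0.113.7 - - [08/Jun/2026:03:20:41 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp%2Dsettings HTTP/1.1" 200 373790 "-" "python-requests/2.32.0"',
    # Ordinary traffic.
    '198.51.100.4 - - [08/Jun/2026:03:21:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    # Endpoint hit without the trigger parameter.
    '198.51.100.9 - - [08/Jun/2026:03:22:13 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 812 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            hits = scan(fh)
    else:
        hits = scan(SAMPLE_LOG)
    for hit in hits:
        tag = "KNOWN-IOC" if hit["known_attacker"] else "unlisted "
        leak = "LEAK" if hit["likely_leak"] else "blocked/empty"
        print(f'{tag} {hit["ip"]:<16} {hit["time"]} {hit["status"]} {hit["bytes"]:>7}B {leak}')
```

Run it as `python scan.py /var/log/nginx/access.log` against a real log; with no argument it runs over the constructed sample. Matching on the decoded route and query rather than on a raw substring is the point: a bare grep for the /wp-json path misses the rest_route form and any percent-encoded variant of the trigger parameter, while the size check separates blocked probes from pulls that actually returned the report.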
This advisory is based on data collected from the Wordfence Intelligence database and external threat monitoring. The full report, including source code analysis, is available at the sanitized URLs below:
- hxxps://otx[.]alienvault[.]com/pulse/6a3a29c60285fd4a59c900bc
- hxxps://www[.]wordfence[.]com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/
Criminal forums and hacking groups have already shared scripts that automate discovery of this endpoint across WordPress installations worldwide. With harvested API keys in hand, attackers can run large-scale phishing campaigns or pull data from other services linked to the same credentials. Because the System Report also enumerates the active plugins and their versions, it hands attackers a ready-made inventory for follow-on attacks against other vulnerable plugins on the same site, widening the attack surface beyond Gravity SMTP itself.
For sites that suspect credential compromise, Wordfence Care offers incident response services with 24/7 availability. Wordfence Response can clean a compromised site within one hour and provide forensic support.
WordPress site owners must act quickly. Unpatched plugins combined with exposed credentials create a perfect storm for phishing, spam‑sending abuse and further exploitation of the underlying platform.