Gravity SMTP Plugin Flaw Exposes API Keys on 100,000 Sites
Hackers are exploiting a Gravity SMTP plugin flaw to steal API keys from 100,000 WordPress sites. Over 17 million attacks detected since May. Update to version 2.1.5 and rotate credentials immediately.
Your Email Plugin Just Leaked Your API Keys
If you’re using the Gravity SMTP plugin on your WordPress site, stop what you’re doing and update it right now. Hackers are actively exploiting a security flaw in the plugin that exposes API keys, email credentials, and detailed information about your site’s setup. This isn’t theoretical. It’s happening to real sites as you read this.
The vulnerability affects Gravity SMTP, a popular email plugin installed on roughly 100,000 WordPress sites. Attackers have already launched over 17 million exploit attempts since early May 2026, according to security researchers at Wordfence. That number jumped to more than 4 million requests in a single day on June 7.
What’s Actually Broken
The problem is tracked as CVE-2026-4020, and it’s a medium-severity information disclosure flaw with a CVSS score of 5.3. Here’s what makes it dangerous: the plugin created a REST API endpoint that anyone could access without logging in. No authentication required. No password needed.
The vulnerable endpoint sits at /wp-json/gravitysmtp/v1/tests/mock-data. When someone adds the query parameter ?page=gravitysmtp-settings, the plugin happily dumps about 365 KB of JSON data containing everything about your site’s configuration. Wordfence explained that this happens because the endpoint’s permission_callback unconditionally returns true, essentially leaving the door wide open.
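The pattern Wordfence describes, shown as an added illustration that is not Gravity SMTP’s own source: a WordPress REST route whose permission_callback always returns true, beside the same registration gated on a capability check. The namespace, route and handler names are assumptions.

```php
<?php
// Added illustration, not the plugin's actual code. The namespace, route and
// handler are assumptions; only the permission_callback pattern matters.

// Vulnerable form: '__return_true' is the WordPress helper that always returns
// true, so any unauthenticated visitor can call the endpoint.
function example_register_diag_route_vulnerable() {
    register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => 'example_dump_diagnostics',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened form: require a logged-in administrator. The callback receives the
// WP_REST_Request and must return true, false, or a WP_Error.
function example_register_diag_route_fixed() {
    register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => 'example_dump_diagnostics',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view diagnostics.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Handler: return diagnostics only. Keep third-party credentials out of the
// response even for administrators, so a future authorization slip leaks less.
function example_dump_diagnostics( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
    ) );
}

add_action( 'rest_api_init', 'example_register_diag_route_fixed' );
```

Cookie-authenticated REST calls also need a valid X-WP-Nonce header, which is why a capability check alone stops the unauthenticated GET described above.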
What Attackers Can Steal
This isn’t just about seeing what version of WordPress you’re running. The exposed data includes genuinely sensitive information that attackers can weaponize immediately. According to the security advisory, hackers can grab your PHP version, loaded extensions, and web server details. They can see your database server type and version, plus all your active plugins and their version numbers.
More critically, the flaw exposes API keys and OAuth tokens for third-party email services. If you’ve connected Gravity SMTP to Amazon SES, Google, Mailjet, Resend, or Zoho, those credentials are sitting there for the taking. Attackers can use those keys to send emails on behalf of your site, potentially damaging your reputation or running phishing campaigns.
Additionally, bad actors get your WordPress configuration details and database table names. That’s essentially a roadmap for planning follow-up attacks against your site. As Wordfence noted, this detailed system report significantly lowers the effort required to target your site with more sophisticated exploits.
The Attacks Started in May
This isn’t a drill. Attackers began probing for vulnerable sites at the start of May 2026. The activity remained relatively steady until June 6, when it suddenly exploded. By June 7, Wordfence was blocking over 4 million malicious requests in a single day.
The exploit is straightforward. Hackers send unauthenticated HTTP GET requests to the vulnerable REST API endpoint with the ?page=gravitysmtp-settings parameter attached. The server responds by dumping your site’s configuration data without asking for credentials. It’s that simple, which is why the attacks scaled up so quickly.
Wordfence has identified eleven IP addresses responsible for the bulk of these attacks: 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, 176.65.148.30, and several others. If you see requests from these addresses in your server logs, someone tried to exploit your site.
What You Need to Do Right Now
First, update Gravity SMTP to version 2.1.5 immediately. The plugin developers released this patch specifically to close the vulnerable endpoint. However, updating alone isn’t enough if you’ve been running a vulnerable version with email integrations configured.
If you had third-party email services connected to Gravity SMTP before updating, you should assume those credentials have been compromised. Rotate every API key and OAuth token you configured in the plugin. That means generating new credentials for Amazon SES, Google, Mailjet, Resend, Zoho, or whatever service you use for sending emails.
Additionally, check your server log files for suspicious activity. Look for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially those coming from the IP addresses listed above. If you find matches, review what data was accessible at that time and consider what other security measures you need to implement.
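The log check above, covering the request pattern described in the attack section, as an added example that is not from the article or Wordfence: a PHP script that parses combined-format access log lines, picks out requests to the mock-data endpoint, and marks those from the listed addresses and those that returned 200 (meaning the dump was served). The log lines are constructed.

```php
<?php
// Added example (not from the article or Wordfence): scan a combined-format
// access log for probes of the vulnerable endpoint and flag the source IPs the
// article names. The sample log lines below are constructed.
const VULN_PATH  = '/wp-json/gravitysmtp/v1/tests/mock-data';
const VULN_QUERY = 'page=gravitysmtp-settings';
// Addresses quoted in the article; extend with your own threat intel.
const KNOWN_BAD_IPS = array(
    '45.148.10.95', '193.32.162.60', '176.65.148.139', '173.199.90.188',
    '45.148.10.120', '185.8.107.155', '185.8.106.37', '185.8.106.92',
    '185.8.106.145', '176.65.148.30',
);

// Parse one combined-format line; null when it does not match.
function parse_access_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                  'target' => $m[4], 'status' => (int) $m[5], 'bytes' => $m[6] );
}

// Return every request to the endpoint, annotated with what it indicates.
function find_probes( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $e = parse_access_line( $line );
        if ( $e === null || strpos( $e['target'], VULN_PATH ) === false ) {
            continue;
        }
        $e['settings_query'] = strpos( $e['target'], VULN_QUERY ) !== false;
        $e['known_bad_ip']   = in_array( $e['ip'], KNOWN_BAD_IPS, true );
        // 200 with the settings query means the dump was served, whoever asked.
        $e['likely_leaked']  = $e['status'] === 200 && $e['settings_query'];
        $hits[] = $e;
    }
    return $hits;
}

$sample = array(  // constructed lines, not real traffic
    '45.148.10.95 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2026:03:15:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/Jun/2026:03:16:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 404 95 "-" "curl/8.0"',
);
foreach ( find_probes( $sample ) as $h ) {
    printf( "%s %s status=%d known_bad=%s likely_leaked=%s\n", $h['time'], $h['ip'],
        $h['status'], $h['known_bad_ip'] ? 'yes' : 'no', $h['likely_leaked'] ? 'yes' : 'no' );
}
```

To run it over a real log, replace $sample with file('/path/to/access.log', FILE_IGNORE_NEW_LINES); any 200 hit dated before your upgrade to 2.1.5 means the credentials configured at that time should be treated as exposed.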
Why This Matters for Your Business
Information disclosure vulnerabilities like this one create cascading problems. The immediate risk is that attackers can use your email credentials to send spam or phishing emails that appear to come from your domain. That damages your sender reputation and could land your domain on blocklists.
The broader risk is that attackers now have a complete inventory of your site’s software stack. They know exactly which plugins you’re running, which versions, and how your server is configured. That information makes you a softer target for ransomware attacks, data breaches, and other exploits.
According to Wordfence, the impact of sensitive information exposure depends on what gets leaked. In this case, the combination of live API credentials and detailed system information creates multiple attack vectors. Hackers can abuse your email services while simultaneously planning more sophisticated attacks based on your exposed configuration.
The Bottom Line
If you’re using Gravity SMTP, treat this as urgent. Update to version 2.1.5, rotate all your email service credentials, and audit your server logs for signs of exploitation. This vulnerability has already been weaponized at massive scale, with over 17 million exploit attempts blocked by Wordfence alone.
Don’t assume you weren’t targeted just because your site looks fine. Information theft doesn’t always leave obvious traces. The attackers are collecting data now to use later. Take action today before that stolen information turns into a bigger problem tomorrow.
Key Takeaways
- It's happening to real sites as you read this. The vulnerability affects Gravity SMTP, a popular email plugin installed on roughly 100,000 WordPress sites.
- Attackers have already launched over 17 million exploit attempts since early May 2026, according to security researchers at Wordfence.
- No password needed. The vulnerable endpoint sits at /wp-json/gravitysmtp/v1/tests/mock-data.
- When someone adds the query parameter ?page=gravitysmtp-settings, the plugin happily dumps about 365 KB of JSON data containing everything about your site's configuration.
- By June 7, Wordfence was blocking over 4 million malicious requests in a single day. The exploit is straightforward.
Original Source: thehackernews.com
Sources
- Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys — thehackernews.com