WordPress Email Plugin Flaw Triggers 17 Million Attacks: Gravity SMTP Leaks Live API Keys
If your WordPress site uses Gravity SMTP and you haven’t updated since March, assume your email service credentials are already compromised. That’s not fear-mongering—it’s the reality after attackers launched 17 million automated exploit attempts targeting a security flaw that’s been patched for months.
Wordfence confirmed this week that the campaign has been running hot since early May 2026. The vulnerability, tracked as CVE-2026-4020, lets anyone on the internet grab your site’s email API keys without logging in, creating an account, or doing anything more complicated than sending a single web request.
Here’s what happened, why it matters to your business, and what you need to do right now.
What the Gravity SMTP Vulnerability Actually Does
The Gravity SMTP plugin is installed on approximately 100,000 WordPress sites. It helps your site send email through services like Amazon SES, Google, Mailjet, Resend, and Zoho by storing your API keys and OAuth tokens.
The flaw lives in how the plugin handles a testing endpoint. In versions before 2.1.5, anyone could access a specific URL on your site and receive a 365-kilobyte JSON file containing your entire system configuration. That file includes your email service credentials, every plugin you’re running with version numbers, your PHP version, database details, and more.
No password required. No exploitation complexity. Just a simple web request that leaves almost no trace.
Why Your Logs Won’t Show the Attack
This attack is invisible to most WordPress security monitoring. It doesn’t upload files, inject code, or create administrator accounts. The only evidence is a single line in your web server access logs showing a GET request to a specific endpoint.
That means your site could have been hit weeks ago and you’d have no idea unless you specifically searched your logs for this pattern. Meanwhile, attackers walked away with credentials to services you’re actively paying for.
The Scale of the Attack Campaign
Wordfence deployed protection for premium customers on May 5, 2026. Free users got coverage on June 4. The very next day, attack volume began spiking dramatically.
On June 7, 2026, Wordfence blocked more than four million exploit attempts in a single day. That’s the same vulnerability, the same attack method, running at industrial scale nearly three months after the patch became available.
CrowdSec, an independent threat intelligence platform, detected the first real-world exploitation on May 27. By June 1, they classified it as background noise—meaning it had been absorbed into the constant automated scanning that hammers WordPress sites every single day.
Why a “Medium Severity” Rating Enabled This Mess
CVE-2026-4020 carries a CVSS score of 5.3, officially classified as medium severity. The National Vulnerability Database rates it 7.5. Neither number tells you what actually matters: this flaw hands over live credentials to external services.
If you triage patches based on severity scores, you would have deprioritized this one. That’s exactly what thousands of site owners did, creating a three-month window where credentials were being harvested at scale with no visible alarms going off.
What Attackers Do with Stolen Email Credentials
Stolen API keys for Amazon SES or Mailjet aren’t just spam tools. They let attackers send email from your legitimate domain, using your sending reputation, passing through the same infrastructure your real transactional emails use.
Those messages look clean to spam filters. They carry your domain’s trust. They land in inboxes that would normally block messages from unknown senders.
That makes them perfect for phishing campaigns, credential harvesting, and account takeover attempts. Your business email infrastructure becomes a weapon pointed at your own customers.
The System Report Makes Everything Worse
The stolen data isn’t just email credentials. Attackers also get a complete map of every plugin on your site with exact version numbers. That tells them which other known vulnerabilities are sitting there waiting to be exploited.
CrowdSec classified 83% of observed attacker activity as infrastructure takeover reconnaissance. They’re not just stealing credentials—they’re cataloging sites for follow-on attacks.
What You Need to Do Right Now
Wordfence’s guidance is clear: if you ran any version of Gravity SMTP before 2.1.5 with email integrations configured, treat those credentials as compromised. Period.
Here’s your action list:
Update the plugin immediately. Gravity SMTP version 2.1.5 fixes the permission callback issue that allowed unauthenticated access. If you’re running anything earlier, update now.
Rotate every credential the plugin stored. That means every API key, OAuth token, and secret for Amazon SES, Google, Mailjet, Resend, Zoho, or any other service you connected. Do this even if you don’t see evidence of compromise—the attack leaves no visible trace.
Check your web server access logs. Search for GET requests to /wp-json/gravitysmtp/v1/tests/mock-data that include ?page=gravitysmtp-settings. A 365 KB JSON response from that endpoint means your system report was retrieved.
Audit your email service activity. Most email providers offer per-key activity logs. Look for anomalous sending patterns, unrecognized API access, or authentication events from IP addresses you don’t control.
The Bigger WordPress Security Problem
This isn’t a story about one plugin’s coding mistake. It’s a story about the gap between when a patch exists and when it actually gets deployed.
The fix for CVE-2026-4020 has been available since March 17, 2026. The attack campaign peaked in early June. Patchstack’s 2026 security data shows that 52% of plugin vulnerabilities don’t even get a developer patch before public disclosure, and mass exploitation of high-impact flaws typically begins within five hours of disclosure.
For sites that updated promptly, this vulnerability was a non-event. For everyone else, credentials were being harvested silently for months.
Another Major Flaw Disclosed This Week
Wordfence also published an advisory for CVE-2026-8713, a critical arbitrary file-deletion vulnerability in Avada Builder. That plugin is installed on approximately one million WordPress sites. No active exploitation has been observed yet, but a patch is available in version 3.15.4.
If you’re running Avada Builder, update it now before this one follows the same pattern.
Frequently Asked Questions
How do I know if my site’s Gravity SMTP credentials were stolen?
The attack leaves no conventional indicators of compromise. Your only forensic record is in web server access logs. Search those logs for GET requests to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings. If you find any—especially from unfamiliar IP addresses—treat your credentials as stolen and rotate them immediately.
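A defender-side check for the log search described in the action list above and in this FAQ answer, as an added example and not code from the article, Wordfence, or the plugin vendor: it scans Apache/nginx combined-format access logs for GET requests to the mock-data endpoint with page=gravitysmtp-settings (also matching WordPress's rest_route query form, which the article does not mention) and flags requests answered with a 200 and a report-sized body. The 300,000-byte threshold, the log regex, and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined log format as written by Apache/nginx (assumed; adjust for custom formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

ROUTE = "/gravitysmtp/v1/tests/mock-data"
# The article reports a ~365 KB system-report response; this threshold is an assumption
# chosen to separate a full report from a short error page or a WAF block page.
MIN_REPORT_BYTES = 300_000


def classify(line):
    """Return a dict describing a hit on the mock-data endpoint, or None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlparse(m["target"])
    qs = parse_qs(url.query)
    # Pretty-permalink form (/wp-json/...) or the ?rest_route= form WordPress also accepts.
    on_route = url.path.rstrip("/") == "/wp-json" + ROUTE or qs.get("rest_route") == [ROUTE]
    if not on_route or qs.get("page") != ["gravitysmtp-settings"]:
        return None
    size = 0 if m["bytes"] == "-" else int(m["bytes"])
    status = int(m["status"])
    return {
        "ip": m["ip"], "ts": m["ts"], "status": status, "bytes": size,
        # A 200 with a report-sized body means the configuration was actually served.
        "leaked": status == 200 and size >= MIN_REPORT_BYTES,
    }


def scan(lines):
    """Scan access-log lines; return all endpoint hits plus the IPs that received a full report."""
    hits = [h for h in map(classify, lines) if h]
    leaked_ips = sorted({h["ip"] for h in hits if h["leaked"]})
    return hits, leaked_ips


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:02:14:33 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"
198.51.100.23 - - [06/Jun/2026:02:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 1204 "-" "curl/8.4.0"
192.0.2.9 - - [06/Jun/2026:02:16:10 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 200 54210 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:02:17:45 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    hits, leaked_ips = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h)
    print("report served to (rotate credentials):", leaked_ips)
```

A 403 hit still shows someone probed the endpoint; only the 200 hits with a report-sized body mean the configuration left the server, but the article's guidance to rotate credentials regardless still applies.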
Why is a medium severity rating dangerous in this case?
CVE-2026-4020’s CVSS score of 5.3 reflects the fact that the attack only reads data without modifying anything. However, the data it reads includes live API keys and OAuth tokens for critical email services. Site owners who deprioritized medium-severity patches contributed to a three-month gap between the available fix and the campaign’s peak. Vulnerabilities that expose live credentials should always be treated as urgent regardless of their score.
What can attackers do with stolen API keys?
Stolen credentials for services like Amazon SES or Mailjet allow attackers to send email from your legitimate domain with your full sending reputation intact. This enables phishing campaigns and spam delivery that bypass filters designed to catch messages from unknown senders. The detailed system report also gives attackers a complete map of your site’s installed software and versions, making it easier to identify other vulnerabilities to exploit.
Is the Gravity SMTP flaw related to the Avada Builder vulnerability?
They’re separate vulnerabilities. CVE-2026-4020 in Gravity SMTP is under active, large-scale exploitation. CVE-2026-8713 in Avada Builder is a critical arbitrary file-deletion flaw affecting approximately one million sites, but no active exploitation has been observed yet. Both have patches available and both require immediate action from site administrators.
Key Takeaways
- In versions before 2.1.5, anyone could access a specific URL on your site and receive a 365-kilobyte JSON file containing your entire system configuration.
- Meanwhile, attackers walked away with credentials to services you're actively paying for. Wordfence deployed protection for premium customers on May 5, 2026.
- The very next day, attack volume began spiking dramatically. On June 7, 2026, Wordfence blocked more than four million exploit attempts in a single day.
- That tells them which other known vulnerabilities are sitting there waiting to be exploited. CrowdSec classified 83% of observed attacker activity as infrastructure takeover reconnaissance.
- CVE-2026-8713 in Avada Builder is a critical arbitrary file-deletion flaw affecting approximately one million sites, but no active exploitation has been observed yet.
Original Source: www.techtimes.com

