[TIMESTAMP: 2026-06-20 12:44 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

CVE-2026-4020: Gravity SMTP Exploit Exposes WordPress API Keys

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Unauthenticated attackers are extracting sensitive configuration data and API keys from WordPress sites using the Gravity SMTP plugin.
  • [02] Gravity SMTP versions prior to 1.0.6 are vulnerable to this information disclosure flaw across approximately 100,000 active installations.
  • [03] Administrators must immediately update Gravity SMTP to version 1.0.6 or higher and rotate all exposed API credentials and secrets.

Threat actors have begun actively exploiting a security vulnerability in the Gravity SMTP plugin for WordPress, which is currently used by approximately 100,000 websites. According to The Hacker News, the flaw allows unauthenticated remote attackers to bypass the plugin's access controls and read sensitive configuration details. CVE-2026-4020 represents a significant risk to organizations that rely on this plugin to manage their transactional email services.

Technical Analysis of CVE-2026-4020

CVE-2026-4020 carries a CVSS score of 5.3, classifying it as a medium-severity information disclosure vulnerability. Despite this moderate rating, the real-world impact is substantial because of the nature of the data exposed. Gravity SMTP integrates WordPress with various Mail Transfer Agents (MTAs) and third-party email services such as SendGrid, Mailgun, and AWS SES, so its configuration holds the credentials for those services.

The vulnerability stems from insufficient access controls on specific plugin endpoints. An unauthenticated attacker can query these endpoints to retrieve the plugin's configuration settings. This data typically includes sensitive secrets, such as API keys for email delivery services, OAuth tokens for authenticated sessions, and other internal configuration parameters. With these secrets, an attacker can potentially hijack the organization's email infrastructure to conduct phishing campaigns, bypass multi-factor authentication (MFA) via password reset emails, or move laterally within the cloud services associated with the stolen API keys.

How to Detect CVE-2026-4020 Exploit Attempts

Security teams and SOC analysts should monitor web server access logs for unusual requests directed at the Gravity SMTP plugin directory or its REST API endpoints. Detection efforts should focus on identifying unauthenticated GET or POST requests that return large configuration payloads. Implementing a specific IoC check for unauthorized access to the plugin's settings via the WordPress AJAX or REST interface is highly recommended. To ensure visibility, defenders should forward these logs to their SIEM and alert on any non-administrative IP address accessing sensitive plugin paths.
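The following is an added detection example, not code from the article or from the Gravity SMTP project. It parses access-log lines in the common Apache/nginx format and flags GET or POST requests to the plugin's REST or AJAX settings paths that come from a non-administrative IP, succeed with HTTP 200, and return a large body; it also records sources that first probe the plugin directory and then hit a settings endpoint, which is the scan-then-extract sequence the article describes. The path fragments (`/wp-content/plugins/gravitysmtp/`, `/wp-json/gravitysmtp/`, `admin-ajax.php?...gravitysmtp`), the admin IP allow-list, the size threshold, and the log lines are all constructed assumptions; the plugin's real route names are not given in the article.

```python
import re
from collections import defaultdict

# Combined/common log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# ASSUMED path patterns. The plugin slug follows WordPress conventions; the
# settings route below is a placeholder, not a documented Gravity SMTP endpoint.
PLUGIN_DIR_RE = re.compile(r'/wp-content/plugins/gravitysmtp/', re.I)
CONFIG_ENDPOINT_RE = re.compile(
    r'(/wp-json/gravitysmtp/|admin-ajax\.php\?.*gravitysmtp)', re.I
)

# Constructed allow-list of IPs that legitimately administer the site.
ADMIN_IPS = {"203.0.113.10"}
# Bytes. A settings dump is large compared with a 401/403 error body; tune per site.
LARGE_RESPONSE = 2048

# Constructed sample log lines: one unauthenticated probe-then-extract sequence,
# one admin reading settings, and one request that a patched site rejects with 401.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jun/2026:11:02:13 +0000] "GET /wp-content/plugins/gravitysmtp/readme.txt HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '198.51.100.7 - - [20/Jun/2026:11:02:15 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 6144 "-" "python-requests/2.31"',
    '203.0.113.10 - - [20/Jun/2026:11:05:40 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 6144 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/Jun/2026:11:07:01 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 401 97 "-" "curl/8.5"',
    '192.0.2.44 - - [20/Jun/2026:11:07:05 +0000] "GET /index.php HTTP/1.1" 200 15230 "-" "curl/8.5"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyze(lines):
    """Return (alerts, sequenced_ips).

    alerts: settings-endpoint requests from non-admin IPs that succeeded with a
            large body, i.e. a likely configuration disclosure.
    sequenced_ips: sorted IPs that probed the plugin directory before such a request.
    """
    alerts = []
    probed = defaultdict(bool)   # ip -> has touched the plugin directory
    sequenced = set()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                    # skip lines in an unexpected format
        ip, path = rec["ip"], rec["path"]
        if PLUGIN_DIR_RE.search(path):
            probed[ip] = True
        if CONFIG_ENDPOINT_RE.search(path) and rec["method"] in ("GET", "POST"):
            disclosed = (
                ip not in ADMIN_IPS
                and rec["status"] == 200
                and rec["size"] >= LARGE_RESPONSE
            )
            if disclosed:
                alerts.append({"ip": ip, "ts": rec["ts"], "path": path, "size": rec["size"]})
                if probed[ip]:
                    sequenced.add(ip)
    return alerts, sorted(sequenced)


if __name__ == "__main__":
    found, chained = analyze(SAMPLE_LOG)
    for a in found:
        print(f"ALERT settings disclosure: {a['ip']} {a['ts']} {a['path']} {a['size']}B")
    print("probe-then-extract sources:", chained)
```

In the sample, only 198.51.100.7 is flagged: the admin IP is allow-listed, and the 401 from 192.0.2.44 shows what the same request looks like once the plugin enforces its authorization check. Against real logs, replace `SAMPLE_LOG` with a file iterator and adjust the path patterns to the routes actually observed in the plugin directory.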

Potential Impact and Exploitation Scenarios

The primary concern for organizations is the compromise of their supply-chain attack surface through the email provider. When an API key for a service like SendGrid is exposed, the attacker does not just compromise the WordPress site; they gain the ability to send emails as the organization. This can lead to severe reputational damage and financial loss. Furthermore, the exposure of OAuth tokens may allow attackers to maintain persistence or escalate privileges within the connected application environments.

From a MITRE ATT&CK perspective, this exploit maps to T1552 (Unsecured Credentials) and T1592 (Gather Victim Host Information). The observed TTP is automated scanning of WordPress sites for the Gravity SMTP file structure, followed by targeted requests to the plugin's endpoints to extract the stored configuration.

Gravity SMTP 1.0.6 Information Disclosure Patch and Mitigation

The most effective remediation strategy is to apply the Gravity SMTP 1.0.6 information disclosure patch immediately. This update introduces necessary authorization checks to prevent unauthenticated users from accessing configuration data.

Beyond simply updating the plugin, remediating the API key exposure requires a thorough credential rotation. Because the vulnerability has been exploited in the wild, administrators should assume that any secrets stored within the plugin prior to the update have been compromised.

  1. Update Gravity SMTP to version 1.0.6 or later.
  2. Revoke and regenerate all API keys for integrated email services (e.g., Mailgun, SendGrid).
  3. Reset all OAuth tokens used by the plugin.
  4. Review audit logs for any unauthorized email activity originating from the compromised API keys.
