EXECUTIVE SUMMARY:
A large-scale exploitation campaign has emerged targeting a sensitive information exposure vulnerability in the Gravity SMTP plugin for WordPress, a widely used email delivery and SMTP management solution. The vulnerability affects all plugin versions up to and including 2.1.4 and allows unauthenticated attackers to retrieve extensive system configuration data through an improperly secured REST API endpoint. By exploiting this flaw, threat actors can gain access to valuable information such as SMTP credentials, API keys, OAuth tokens, server configurations, database details, installed plugins, active themes, and other environment-specific settings. The exposed information significantly increases the risk of follow-on attacks because it provides adversaries with detailed reconnaissance data that can be used to identify additional weaknesses within targeted environments. Security researchers observed widespread scanning and exploitation attempts against vulnerable installations, indicating that attackers rapidly incorporated the flaw into automated attack toolsets. Since the vulnerability can be exploited remotely without authentication or user interaction, organizations operating affected WordPress sites face an elevated risk of credential theft, unauthorized access, account compromise, and further intrusion activities. The active exploitation of this vulnerability highlights the continuing threat posed by improperly secured application programming interfaces and publicly exposed administrative functionality.
The vulnerability, tracked as CVE-2026-4020, stems from a REST API endpoint within Gravity SMTP that lacks appropriate access control mechanisms. Specifically, the endpoint responsible for providing mock or diagnostic data can be accessed by any unauthenticated user due to a permission validation routine that fails to enforce authorization checks. When a crafted request is sent to the vulnerable endpoint, the plugin generates and returns a large system report containing detailed information about the hosting environment and plugin configuration. The exposed data may include PHP and web server versions, database information, active plugins and themes, WordPress configuration details, directory paths, SMTP settings, API credentials, mail service tokens, and other sensitive operational information. Although the flaw does not directly provide code execution capabilities, the disclosed information can be leveraged by attackers to facilitate targeted exploitation of additional vulnerabilities, conduct credential abuse, perform account takeover activities, or gain unauthorized access to integrated third-party services. Security monitoring data indicates a substantial increase in exploitation attempts, with attackers conducting automated scanning operations against internet-facing WordPress installations to identify and harvest exposed credentials and configuration data from vulnerable systems.
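The root cause described above is a REST route whose permission routine does not actually enforce authorization. The following is an added illustration of that pattern in WordPress terms, written for this advisory and not taken from the Gravity SMTP code base: a diagnostics route registered with a permission callback that accepts every caller, next to the hardened registration a maintainer would ship. The namespace `example-smtp/v1`, the route `/diagnostics`, the option name `example_smtp_settings` and all function names are placeholders invented for the example.

```php
<?php
// Added illustration, not Gravity SMTP's own code. Namespace, route, option
// name and function names are placeholders chosen for this example.

// WEAK PATTERN (shown for comparison only, never hook this):
// '__return_true' as the permission callback means the REST server performs
// no authorization check, so an anonymous visitor receives the full report.
function example_smtp_register_weak_route() {
    register_rest_route( 'example-smtp/v1', '/diagnostics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_build_report',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED PATTERN: require an administrative capability and fail closed.
// rest_authorization_required_code() yields 401 for anonymous callers and
// 403 for authenticated users who lack the capability.
function example_smtp_diagnostics_permission( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to read diagnostic data.', 'example-smtp' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_smtp_register_hardened_route() {
    register_rest_route( 'example-smtp/v1', '/diagnostics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_build_report',
        'permission_callback' => 'example_smtp_diagnostics_permission',
    ) );
}
add_action( 'rest_api_init', 'example_smtp_register_hardened_route' );

// Second, independent control: even for authorized callers the report should
// state whether a credential is configured, never its value. This limits the
// damage if the access check is ever bypassed or misconfigured again.
function example_smtp_build_report( WP_REST_Request $request ) {
    // Placeholder option holding the plugin's mail settings.
    $settings = (array) get_option( 'example_smtp_settings', array() );

    $report = array(
        'php_version'       => PHP_VERSION,
        'wp_version'        => get_bloginfo( 'version' ),
        'smtp_host'         => isset( $settings['host'] ) ? $settings['host'] : '',
        // Presence flags instead of secret material.
        'smtp_password_set' => ! empty( $settings['password'] ),
        'api_key_set'       => ! empty( $settings['api_key'] ),
        'oauth_token_set'   => ! empty( $settings['oauth_token'] ),
    );

    return rest_ensure_response( $report );
}
```

Two points carry the weight here. First, WordPress treats `permission_callback` as the only authorization gate for a REST route, so a callback that unconditionally returns true is equivalent to no check at all, which is exactly the class of defect the advisory describes. Second, the report builder treats the permission check as a single point of failure and refuses to emit raw SMTP passwords, API keys or OAuth tokens regardless of who is asking; a defender reviewing a plugin's REST surface should look for both controls, not just the first.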
The active exploitation of the Gravity SMTP information disclosure vulnerability demonstrates how seemingly moderate-severity flaws can create significant security risks when they expose sensitive operational data. While the vulnerability does not directly enable remote code execution, the information obtained through successful exploitation can serve as a foundation for more advanced attacks, including credential compromise, unauthorized access to cloud services, targeted exploitation of identified software components, and broader network reconnaissance. The widespread scanning activity observed by security researchers indicates that threat actors recognize the value of the exposed data and are actively targeting vulnerable environments at scale. Organizations using affected versions of the Gravity SMTP plugin should assume that exposed credentials may have been accessed if exploitation occurred and should take immediate steps to review logs, rotate SMTP passwords, regenerate API keys, and assess connected services for suspicious activity. Continuous monitoring, proper API access controls, credential management practices, and timely vulnerability remediation remain essential for reducing the likelihood of compromise. This incident underscores the importance of securing application interfaces and minimizing the exposure of sensitive configuration information that could aid attackers in subsequent stages of an intrusion campaign.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
| --- | --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application | - |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1518 | Software Discovery | - |
| Collection | T1213 | Data from Information Repositories | - |
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: