Attackers are actively exploiting the Gravity SMTP vulnerability (CVE-2026-4020) to access sensitive data from vulnerable WordPress sites.
The flaw can expose API keys, secrets, OAuth tokens, email integration credentials, and system configuration details through an unauthenticated REST API endpoint.
Wordfence reported blocking more than 17 million exploit attempts targeting the vulnerability, indicating large-scale exploitation activity.
Organizations should upgrade to Gravity SMTP 2.1.5 or later, rotate exposed credentials, and monitor email infrastructure for signs of misuse.
The Gravity SMTP vulnerability is drawing increased attention after researchers reported active exploitation targeting vulnerable WordPress sites. The flaw, tracked as CVE-2026-4020, affects Gravity SMTP versions 2.1.4 and earlier and allows unauthenticated users to retrieve sensitive configuration data through an exposed REST API endpoint.
What makes this incident notable is not just the vulnerability itself but the type of data exposed. Wordfence reported that unauthenticated attackers could retrieve API keys, secrets, OAuth tokens, and configuration details associated with connected email services. The plugin is installed on approximately 100,000 WordPress sites, increasing the potential exposure footprint.
Recent reporting indicates that attackers are using large-scale automated activity to target the vulnerability, with Wordfence blocking more than 17 million exploit attempts against protected customers.
Many information-disclosure vulnerabilities remain low-priority patching items. This case is different because the exposed information may include credentials used to authenticate with third-party email services. Wordfence reported active exploitation of the flaw and said it blocked more than 17 million exploit attempts against protected sites.
Three factors make the vulnerability notable:
No authentication is required to access the exposed endpoint.
The disclosed data may include API keys, OAuth tokens, and email-service credentials.
The exposed report can also provide insight into the site’s technology stack.
The combination of active exploitation and potential credential exposure elevates the risk beyond a typical configuration disclosure issue.
How the Vulnerability Exposes Sensitive Data
The flaw originates from a REST API endpoint located at:
/wp-json/gravitysmtp/v1/tests/mock-data
According to researchers, the endpoint’s permission_callback function always returns true. As a result, unauthenticated requests can retrieve JSON system-report data from the plugin.
The report may contain:
API keys and secrets
OAuth tokens
Email-service credentials
WordPress configuration details
Active plugin inventories
Theme information
PHP and server environment details
Database configuration information
What Makes the Exposed Data Valuable to Attackers
The incident goes beyond a typical WordPress plugin exploit, as the exposed information can enable both credential abuse and reconnaissance.
| Exposed Data | Potential Security Impact |
| --- | --- |
| Email-service credentials | Potential unauthorized email delivery through trusted infrastructure |
| OAuth tokens | Potential access to connected email-service integrations |
| API keys | Abuse of configured email integrations |
| Plugin inventory | Identification of additional attack opportunities |
| Server details | Faster environment profiling |
| Database information | Improved reconnaissance for follow-on attacks |
Wordfence warned that exposed credentials may allow attackers to abuse legitimate email services configured within the plugin if those credentials remain active.
This risk is particularly significant because organizations often trust emails sent through legitimate providers and established domains. If exposed credentials remain valid, attackers may be able to use trusted email infrastructure rather than relying on newly created or suspicious domains.
The Challenge Doesn’t End with Patching
Upgrading to Gravity SMTP 2.1.5 removes the vulnerable endpoint, but it does not invalidate credentials that may have been exposed before remediation.
Organizations that used affected versions should evaluate whether:
API keys were configured in Gravity SMTP.
OAuth tokens were stored in the plugin.
Email-service credentials remain active.
Logs show requests to the vulnerable endpoint.
Mail-provider accounts have generated unusual activity.
The vulnerability highlights a common challenge with information disclosure flaws. Once sensitive credentials have been exposed, patching addresses future exploitation, but does not eliminate the risk associated with previously disclosed secrets.
Wordfence recommends rotating exposed credentials and reviewing connected email-service accounts for signs of misuse.
Assessing Potential Exposure
Updating the plugin addresses the vulnerable endpoint, but it does not invalidate credentials that may already have been exposed. Wordfence recommends treating potential credential exposure as a separate response activity, even after the vulnerable plugin has been updated.
Security teams should review the following:
Was Gravity SMTP running version 2.1.4 or earlier?
Was the vulnerable endpoint accessible before remediation?
Were any API keys or OAuth tokens configured in the plugin?
Have those credentials been rotated?
Do web logs contain requests to the vulnerable endpoint?
Has outbound email activity changed unexpectedly?
A key indicator of compromise is access to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, particularly when accompanied by the ?page=gravitysmtp-settings parameter.
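To turn that indicator into a concrete log check, here is an added example (not from the original article or from Wordfence) that scans web-server access logs in the Apache/nginx combined format, an assumption about the site's logging, for requests to the vulnerable endpoint and records whether the page=gravitysmtp-settings parameter was present and whether the request was answered with a 200 (meaning the report was served before the site was patched). The sample log lines are constructed and use documentation IP ranges.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint named in the advisory; any request to it is worth reviewing.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"

# Apache/nginx "combined" log format (assumption: the site logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def scan_access_log(lines):
    """Return one finding per request that touched the vulnerable endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        if parts.path.rstrip("/") != VULN_PATH:
            continue
        query = parse_qs(parts.query)
        status = int(m.group("status"))
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": status,
            # Wordfence singles out this parameter as a strong indicator.
            "settings_param": "gravitysmtp-settings" in query.get("page", []),
            # A 200 on an unpatched site means the system report was returned.
            "data_served": status == 200,
        })
    return findings


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Apr/2026:10:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342 "-" "curl/8.4.0"',
    '198.51.100.7 - - [04/Apr/2026:10:15:03 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [04/Apr/2026:11:02:44 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 404 52 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Any finding with data_served set to True before the upgrade date should be treated as a credential exposure event, triggering the rotation steps described in the next section.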
Defensive Actions That Deserve Immediate Attention
Organizations using affected versions should prioritize:
Upgrading to Gravity SMTP 2.1.5 or later.
Rotating exposed credentials and secrets.
Revoking and reissuing OAuth tokens where applicable.
Reviewing email-provider activity logs.
Investigating requests to the vulnerable REST endpoint.
Monitoring for unusual outbound email activity.
Reviewing administrator account activity associated with email-service management.
Wordfence recommends credential rotation in addition to patching because previously exposed credentials may remain valid after the software update.
How Hexnode Supports Investigation and Response
The Gravity SMTP vulnerability highlights the importance of responding quickly to credential exposure events and maintaining visibility into administrative systems involved in remediation efforts.
Hexnode helps organizations manage and monitor enrolled devices, enforce compliance policies, and support device update management across their endpoint fleet.
Hexnode provides device management, compliance enforcement, and endpoint administration capabilities that can support operational security and device management workflows.
The Gravity SMTP vulnerability demonstrates how an information disclosure flaw can evolve into a broader identity and email security concern. Active exploitation and the potential exposure of credentials and system configuration data increase the potential impact beyond the original vulnerability.
Organizations should focus not only on patching but also on identifying whether credentials were exposed before remediation. Reviewing administrative activity, monitoring email-service accounts, and rotating potentially exposed credentials remain important steps in reducing the risk of follow-on misuse.
Gravity SMTP versions 2.1.4 and earlier are affected by CVE-2026-4020. The vulnerability was addressed in version 2.1.5.
What information can attackers access through the vulnerable endpoint?
The exposed system report may contain API keys, secrets, OAuth tokens, email-service credentials, WordPress configuration data, plugin and theme information, and server environment details.
What should organizations do if they were running a vulnerable version?
Organizations should update to Gravity SMTP 2.1.5 or later, review logs for requests to the vulnerable endpoint, and evaluate whether exposed credentials or tokens require rotation.