Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites.

The flaw is tracked as CVE-2026-4020 and received a medium severity rating. It affects all versions of the plugin from 2.1.4 and older and has been addressed in version 2.1.5, released on March 17.

WordPress security company Defiant is warning that hackers are actively exploiting the vulnerability. The company's Wordfence firewall has blocked more than 17 million attempts against protected customers.

The issue stems from an exposed REST API endpoint in Gravity SMTP, whose ‘permission_callback’ always returns ‘true,’ allowing unauthenticated GET requests to receive a comprehensive JSON “System Report” generated by the plugin. The exposed information may contain:

API keys, secrets, and OAuth tokens for configured email integrations