Hackers are mass-exploiting a Gravity SMTP flaw to steal API keys from 100,000 WordPress sites

TL;DRWordfence blocked 17M+ attempts to exploit a Gravity SMTP bug that leaks API keys and system data from WordPress sites without authentication.

Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration data to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security firm owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity began in early May 2026. The plugin is installed on approximately 100,000 WordPress sites.

The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, affects all versions of Gravity SMTP through 2.1.4. A patch was released in version 2.1.5 on 17 March 2026, but exploitation did not begin until roughly two months later, suggesting attackers reverse-engineered the fix or discovered the flaw independently after the patch drew attention to it.

The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback function that unconditionally returns true. That means no authentication check runs before the server processes the request. When an attacker appends the query parameter ?page=gravitysmtp-settings, the plugin’s register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the site’s full system report.