Hackers are massively exploiting a Gravity SMTP flaw to steal API keys from 100,000 WordPress sites



TL;DR

Wordfence blocked more than 17 million attempts to exploit a Gravity SMTP bug that leaks API keys and system data from WordPress sites without authentication.

Attackers are actively exploiting a vulnerability in the WordPress Gravity SMTP plugin which exposes API keys, OAuth tokens, and detailed system configuration data to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security company owned by Defiant, says it has blocked more than 17 million exploitation attempts targeting the flaw since activity began in early May 2026. The plugin is installed on approximately 100,000 WordPress sites.

The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, affects all versions of Gravity SMTP up to 2.1.4. A patch was released in version 2.1.5 on March 17, 2026, but the exploit did not begin until approximately two months later, suggesting that the attackers reverse-engineered the fix or discovered the flaw independently after the patch brought attention to it.

The root cause is a REST API endpoint registered in /wp-json/gravitysmtp/v1/tests/mock-data with a permit_callback function that returns true unconditionally. That means that no authentication check is run before the server processes the request. When an attacker adds the ?page=gravitysmtp-settings query parameter, the plugin’s Register_connector_data() method populates the internal connector data and the endpoint returns approximately 365 KB of JSON containing the complete site system report.

The exposed data includes API keys, secrets, and OAuth tokens for each email integration configured in the plugin. Gravity SMTP supports Amazon SES, Google, Mailjet, Resend, and Zoho, and credentials for any of these services appear in the response if they have been configured. An attacker who obtains those credentials can send email on behalf of the compromised site, a capability that is useful for phishing campaigns and enterprise email compromise.

The system report also contains the WordPress version, PHP version and loaded extensions, web server version, document root path, database server type and version, all active plugins with their version numbers, active theme, and database table names. That information gives attackers a detailed map of the site’s software stack, significantly reducing the reconnaissance effort required to plan subsequent attacks against known vulnerabilities in specific versions of plugins or servers.

Exposing active third-party API credentials means an attacker could abuse email services connected to the site, while detailed system reporting significantly reduces the effort required to plan future attacks against the site.”Wordfence researchers wrote in their notice.

Exploitation volume increased dramatically around June 6, 2026, with Wordfence blocking over 4 million requests in a single day on June 7. The attack traffic primarily originated from a group of IP addresses that Wordfence published for administrators to add to block lists. The key indicator of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in web server access logs, particularly those containing the ?page=gravitysmtp-settings query parameter.

CrowdSec, the open source threat intelligence platform, independently corroborated the timeline. Implemented detection of CVE-2026-4020 on May 22 and observed the first real-world exploit on May 27. As of June 1, the activity had been classified as background noise, indicating that it had been integrated into automated scanning routines that sweep WordPress sites at scale.

The speed at which exploitation was industrialized reflects a broader pattern in WordPress plugin security. The flaw does not require authentication, points to a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. The WordPress plugin ecosystem has repeatedly faced supply chain compromises in 2026, including an attack in which 30 plugins purchased on Flippa were backdoored and remained inactive for eight months before activation.

The Gravity SMTP vulnerability differs from supply chain attacks in that it does not involve malicious code injected by a compromised developer. It’s a simple coding error, a permission callback that should have checked the credentials of the requesting user but instead returned true for each request. The simplicity of the glitch makes its survival through development, review, and release remarkable.

Exposure of API credentials is particularly dangerous because those credentials often persist even after the plugin is updated. Updating to version 2.1.5 closes the vulnerable endpoint, but does not revoke or rotate any API keys that have already been collected. Credential theft through software flaws It’s an accelerating problem across the industry, and recent research shows that exposed API credentials are exploited within minutes of discovery.

Wordfence’s advisory urges site owners running a vulnerable version of Gravity SMTP and who have set up third-party email integrations to make a commitment. The recommended solution is to update the plugin to version 2.1.5 or later and then immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin’s email connectors. Administrators should also review server log files for requests from the attacker’s published IP addresses.

The CVE was released on March 31, 2026, two weeks after the patch was shipped. Despite the three-month gap between patch availability and peak exploitation, many sites remain vulnerable. The gap between when patches are available and when organizations deploy them is one of the most persistent problems in software security, and WordPress plugins are especially prone to it because many site operators do not monitor plugin change logs or enable automatic updates.

Wordfence also issued a separate advisory this week for CVE-2026-8713, a critical unauthenticated arbitrary file deletion vulnerability in the Avada Builder plugin, which is installed on approximately one million WordPress sites. That flaw allows attackers to delete files on the server via a path traversal error, and deleting wp-config.php can revert a site to its initial configuration state, potentially allowing a full takeover.

A patch for the Avada Builder flaw is available in version 3.15.4 and no active exploitation of CVE-2026-8713 has yet been observed.

Wordfence did not attribute the Gravity SMTP exploit to a specific actor or threat group. The pattern of mass scanning of a small group of IP addresses is consistent with opportunistic credential harvesting rather than a targeted intrusion, although the stolen credentials could be sold or shared with more sophisticated operators for subsequent attacks.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *