
Gravity SMTP flaw leaks API keys; 17M attacks blocked

Huma Shazia, 20 June 2026 at 6:16 am, 4 min read

Key Takeaways

Source: BleepingComputer
  • CVE-2026-4020 exposes API keys, OAuth tokens, and email service credentials through an unprotected REST endpoint
  • Wordfence blocked 17 million exploit attempts, with 4 million on June 7 alone
  • The patch has been available since March 17, but exploitation surged three months later

Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, email service credentials, and server configuration details. Wordfence, the security arm of Defiant, has blocked more than 17 million exploit attempts against its protected customers since exploitation began spiking on June 7.

The flaw, tracked as CVE-2026-4020, affects roughly 100,000 WordPress sites running Gravity SMTP versions 2.1.4 and earlier. A fix shipped in version 2.1.5 back in March. Three months later, attackers caught on.

What does the Gravity SMTP vulnerability expose?

The bug sits in a REST API endpoint whose permission callback always returns true. That means anyone on the internet can send an unauthenticated GET request and receive a JSON "System Report" containing sensitive data the plugin generates for debugging.

Exposed information includes:

  • API keys, secrets, and OAuth tokens for email integrations
  • Credentials for Amazon SES, Google, Mailjet, Resend, and Zoho email services
  • Installed plugins, themes, and WordPress version details
  • Server environment data including PHP version
  • Database configuration including table names

The vulnerability earned only a medium severity rating because it does not directly grant code execution. But Wordfence researchers argue the practical impact is higher. Stolen email credentials let attackers impersonate the site owner to third parties. The detailed system report gives them a blueprint for follow-up attacks.

How big is the exploitation wave?

Exploitation spiked on June 7 with 4 million blocked requests in a single day. Similar volumes continued for several days afterward. Wordfence published a list of the most prolific source IP addresses, recommending administrators add them to blocklists immediately.

Figure: Exploitation volume (chart of blocked requests per day)

The telltale sign of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in your server access logs, especially those including the ?page=gravitysmtp-settings query parameter. If you see these and you were running a vulnerable version, assume your credentials leaked.

Why did exploitation lag the patch by three months?

The March 17 patch fixed the permission callback logic. But WordPress plugins do not auto-update unless site owners enable that feature. Many administrators either missed the update or delayed it for testing. Attackers often wait for patch details to become public, reverse-engineer the fix, and then scan for unpatched sites.

This pattern repeats constantly in the WordPress ecosystem. Security researchers at Patchstack have documented similar three-to-six-month exploitation windows for other plugins. The plugin's 100,000 active installs make it an attractive target.

A second WordPress flaw: Avada Builder

Defiant issued a separate advisory about a critical file-deletion vulnerability in Avada Builder, a plugin running on one million sites. CVE-2026-8713 allows unauthenticated attackers to delete arbitrary files through a path traversal flaw, provided the site has an Avada form configured to save submissions to the database.

Deleting wp-config.php reverts a WordPress site to its initial setup state. An attacker who monitors the site can then complete the setup wizard with their own admin credentials, achieving full takeover. The fix is in version 3.15.4. No active exploitation has been observed yet, but the vulnerability is trivial to weaponize.

What should administrators do now?

  1. Update Gravity SMTP to version 2.1.5 or later immediately
  2. Update Avada Builder to version 3.15.4 if installed
  3. Rotate any API keys or email service credentials stored in Gravity SMTP
  4. Check server logs for requests to the mock-data endpoint
  5. Consider adding the IPs Wordfence published to your blocklist
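One way to run the log check from step 4, covering the telltale requests to the mock-data endpoint described earlier: an added Python example, not code from Wordfence, Gravity SMTP or the article. It assumes combined-format (Apache/nginx) access logs; the sample lines are constructed, and the "likely leak" heuristic (a 2xx response with a body before patching, a 401/403 once the fixed permission callback rejects the request) is an assumption, not something the article states.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8421 "-" "python-requests/2.31"
198.51.100.7 - - [07/Jun/2026:03:14:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2026:03:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 120 "-" "curl/8.4"
192.0.2.44 - - [08/Jun/2026:11:02:33 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 8419 "-" "Go-http-client/1.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
ENDPOINT = "/wp-json/gravitysmtp/v1/tests/mock-data"  # path named in the advisory

def scan_log(text):
    """Return one finding per request whose path is the mock-data endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m["target"])
        if parts.path.rstrip("/") != ENDPOINT:
            continue
        status = int(m["status"])
        size = int(m["size"]) if m["size"].isdigit() else 0  # "-" means no body
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "status": status,
            "settings_page": parse_qs(parts.query).get("page", [""])[0] == "gravitysmtp-settings",
            # Assumption: a 2xx with a body means the System Report was served (unpatched);
            # a 401/403 means the fixed permission callback rejected the request.
            "likely_leak": 200 <= status < 300 and size > 0,
        })
    return findings

def summarize(findings):
    """Group findings by source IP: hit count and whether any request likely got the report."""
    by_ip = {}
    for f in findings:
        entry = by_ip.setdefault(f["ip"], {"hits": 0, "likely_leak": False})
        entry["hits"] += 1
        entry["likely_leak"] = entry["likely_leak"] or f["likely_leak"]
    return by_ip

if __name__ == "__main__":
    for ip, entry in summarize(scan_log(SAMPLE_LOG)).items():
        print(ip, entry)
```

Any source IP with `likely_leak` set while the site was on 2.1.4 or earlier means the report, and the credentials in it, should be treated as exposed. Point `scan_log` at your real access log instead of the constructed sample.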

Rotating credentials matters even if you patched quickly. If attackers grabbed your Amazon SES or Mailjet keys before you updated, they can still send email as your domain. That opens phishing and business email compromise scenarios.


Logicity's Take

The permission_callback returning true looks like a debugging shortcut that shipped to production. It is the kind of mistake that code review and static analysis tools catch in seconds. For site owners, the lesson is grimmer: plugin developers move fast, and your credentials sit in their configuration files. Enable auto-updates for security releases, or schedule weekly manual checks. Waiting three months is too long.

Frequently Asked Questions

Is CVE-2026-4020 being actively exploited?

Yes. Wordfence blocked 17 million exploit attempts, with a peak of 4 million on June 7, 2026.

Which Gravity SMTP versions are affected?

Version 2.1.4 and all earlier versions. Version 2.1.5, released March 17, contains the fix.

What data can attackers steal through this vulnerability?

API keys, OAuth tokens, email service credentials for Amazon SES, Google, Mailjet, Resend, and Zoho, plus server and database configuration details.

Do I need to rotate my email API keys after patching?

Yes. If attackers accessed your system report before you patched, they have your credentials. Rotate them in your email provider's dashboard.

Is the Avada Builder vulnerability also being exploited?

Not yet. Defiant has not observed active exploitation, but the flaw is critical and easy to weaponize. Update to 3.15.4 immediately.
