CVE Tools
Back to feed
SecurityWeek ·EN-US News source Exploited in the wildGravity SMTP for WordPress

Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data

By Ionut Arghire··2 min read
CVE Tools coverage

Attackers are actively exploiting a medium-severity information exposure weakness in the Gravity SMTP WordPress plugin (all versions before 2.1.5) tracked as CVE-2026-4020 (CVSS 5.3). The flaw allows unauthenticated access to a REST API endpoint that can return the full “System Report” JSON, including server and WordPress configuration details as well as stored connector data like API keys/tokens used for email integrations. This matters because leaked credentials could enable attackers to send emails through the compromised site and use the detailed reconnaissance to pursue further vulnerabilities; Defiant reports exploitation in the wild since early May and a surge in attempts during June.