SecurityWeek ·EN-US News source Exploited in the wildGravity SMTP for WordPress
Attackers Exploit Gravity SMTP Plugin Flaw to Harvest Valuable WordPress Data
CVE Tools coverage
Attackers are actively exploiting a medium-severity information exposure weakness in the Gravity SMTP WordPress plugin (all versions before 2.1.5) tracked as CVE-2026-4020 (CVSS 5.3). The flaw allows unauthenticated access to a REST API endpoint that can return the full “System Report” JSON, including server and WordPress configuration details as well as stored connector data like API keys/tokens used for email integrations. This matters because leaked credentials could enable attackers to send emails through the compromised site and use the detailed reconnaissance to pursue further vulnerabilities; Defiant reports exploitation in the wild since early May and a surge in attempts during June.