
Hackers Actively Exploiting WordPress SMTP Plugin With 100,000+ Installs to Access Sensitive Data





By Abinaya, Cyber Security News, June 18, 2026

Hackers are actively abusing a sensitive information exposure flaw in the Gravity SMTP WordPress plugin, aggressively targeting over 100,000 sites to harvest configuration data and live email credentials. The vulnerability, tracked as CVE‑2026‑4020 and rated 5.3 (Medium), affects all Gravity SMTP versions up to and including 2.1.4 and is now under mass exploitation by distributed IP infrastructure across multiple regions.

The vendor quietly shipped a fix on March 17, 2026, in Gravity SMTP version 2.1.5, but public disclosure followed on March 30, 2026, leaving a large population of lagging sites exposed during the intervening weeks.

At the core of the issue is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission callback that unconditionally returns true, meaning the endpoint performs no authentication or capability checks and is reachable by any unauthenticated visitor. When a request appends the page=gravitysmtp-settings query parameter, the plugin's configuration collection logic loads its internal connector data and returns a roughly 365 KB JSON "System Report" containing extensive system and plugin metadata.

This System Report exposes the PHP version and extensions, web server version and document root, database type and version, WordPress version and configuration details, the active theme, the list of all active plugins with versions, and internal database table names. Critically, it also includes any API keys, secrets, and OAuth tokens configured for Gravity SMTP's email integrations, including providers such as Amazon SES, Google, Mailjet, Resend, and Zoho, giving attackers everything they need to send email through legitimate channels owned by the victim.

This combination of rich reconnaissance and credential exposure significantly lowers the effort required to chain additional vulnerabilities or pivot into broader account compromise.

Wordfence blocks exploit attempts unless the request comes from an authorized administrator account (Source: Wordfence)

Hackers Exploit WordPress SMTP Plugin

Exploitation is trivial: an attacker only needs to send a single unauthenticated GET request such as GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1 and parse the resulting JSON. Because no authentication, CSRF protection, or capability checks are enforced on the endpoint, this pattern lends itself perfectly to automated internet‑wide scanning and harvesting, and exploit templates are already available in public tooling ecosystems like Nuclei.

Wordfence reports the Gravity SMTP flaw is now seeing widespread exploitation, with over 17 million blocked attack attempts and a major surge in activity between June 7–11, 2026, reaching several million requests per day. CrowdSec likewise reports at least 412 distinct attacking IPs between May 27 and June 1, 2026, with top activity associated with cloud and hosting geographies rather than a single localized cluster.

Among the most aggressive sources observed hammering the vulnerable mock‑data endpoint are IPs such as 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30, each responsible for hundreds of thousands of blocked requests.

Most active IP addresses targeting the Gravity SMTP mock-data REST API endpoint (Source: Wordfence)

These addresses appear tied to high‑volume scanning infrastructure rather than to ordinary residential users, reinforcing the idea that exploitation is largely automated and opportunistic.
However, defenders should treat this list as indicative, not exhaustive, because new IPs are continuously joining the attack surface as scripts propagate and additional botnets incorporate CVE‑2026‑4020 checks into their routines.

Detecting exploitation is challenging because the vulnerability is read‑only and does not directly modify site content, users, or files. As a result, traditional compromise indicators like new administrator accounts or dropped webshells may be absent even when credentials have already been stolen. Administrators should instead review web server access logs for any hits to /wp-json/gravitysmtp/v1/tests/mock-data, especially requests containing page=gravitysmtp-settings, and correlate them with timestamps, user agents, and known malicious IPs such as those listed above. Large (roughly 365 KB) JSON responses from that path are strong evidence that the System Report has been retrieved at least once.

Remediation Steps

Mitigation requires a combination of patching, credential rotation, and network‑level hardening. Site owners must upgrade Gravity SMTP to version 2.1.5 or later, which addresses the insecure REST API behavior. Because there is no reliable way to prove that credentials were not accessed once a site ran a vulnerable version, all API keys, secrets, and OAuth tokens associated with Amazon SES, Google, Mailjet, Resend, Zoho, or other connected providers should be rotated immediately after patching. Additionally, security teams should consider blocking unauthenticated access to /wp-json/gravitysmtp/v1/tests/mock-data via web server configuration or Web Application Firewall rules and, where feasible, constraining REST API access to trusted IP ranges.
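The access-log review recommended above can be scripted. The following is an added example, not code from the article, Wordfence, or the Gravity SMTP project: it parses combined-format access log lines, keeps only probes of the mock-data route, flags HTTP 200 responses whose body size is in the range of the roughly 365 KB System Report as likely leaks, counts probes per source IP, and marks sources that appear in the Wordfence list above. The sample log lines, the 300 KB size threshold and the user agents are constructed for illustration. Matching on the route segment rather than the full path also catches the non-pretty-permalink form of the same WordPress route (/?rest_route=/gravitysmtp/...), which the article does not mention.

```python
import re
import sys
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Route segment from the article; matching on the segment also catches
# /?rest_route=/gravitysmtp/... requests on sites without pretty permalinks.
VULN_ROUTE = "gravitysmtp/v1/tests/mock-data"
SETTINGS_PARAM = "page=gravitysmtp-settings"

# The full System Report is roughly 365 KB per the article. The threshold is a
# constructed cut-off a little below that so slightly smaller reports still flag.
REPORT_SIZE_THRESHOLD = 300_000

# Scanner IPs listed in the article (Wordfence data).
KNOWN_SCANNER_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}


def classify(line):
    """Return None for lines unrelated to the endpoint, else a dict describing the probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m.group("path"))
    if VULN_ROUTE not in path:
        return None
    status = int(m.group("status"))
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    settings_requested = SETTINGS_PARAM in path
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "ua": m.group("ua") or "-",
        "status": status,
        "bytes": size,
        "settings_requested": settings_requested,
        "known_scanner": m.group("ip") in KNOWN_SCANNER_IPS,
        # Only a successful, report-sized response to the settings request means the
        # System Report (and any stored provider credentials) actually left the server.
        "likely_leak": settings_requested and status == 200 and size >= REPORT_SIZE_THRESHOLD,
    }


def triage(lines):
    """Summarise probes: every hit, hits per source IP, and hits that likely leaked the report."""
    hits = [h for h in (classify(l) for l in lines) if h is not None]
    return {
        "hits": hits,
        "per_ip": Counter(h["ip"] for h in hits),
        "leaks": [h for h in hits if h["likely_leak"]],
    }


# Constructed sample log lines; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2026:03:12:44 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
45.148.10.95 - - [09/Jun/2026:03:14:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
45.148.10.95 - - [09/Jun/2026:03:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "python-requests/2.31"
198.51.100.23 - - [09/Jun/2026:03:20:17 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 158 "-" "Go-http-client/1.1"
198.51.100.23 - - [09/Jun/2026:03:20:18 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 200 412 "-" "Go-http-client/1.1"
"""


def main(argv):
    # Pass an access log path as the first argument; without one the constructed sample is used.
    lines = open(argv[1]).read().splitlines() if len(argv) > 1 else SAMPLE_LOG.splitlines()
    result = triage(lines)
    for ip, n in result["per_ip"].most_common():
        tag = " (listed by Wordfence)" if ip in KNOWN_SCANNER_IPS else ""
        print(f"{ip}: {n} probe(s){tag}")
    for h in result["leaks"]:
        print(f"LIKELY LEAK {h['ts']} {h['ip']} {h['bytes']} bytes ua={h['ua']}")
    if result["leaks"]:
        print("System Report was served at least once: patch to 2.1.5+ and rotate all provider credentials.")


if __name__ == "__main__":
    main(sys.argv)
```

A blocked probe (the 403 line) shows the endpoint was targeted but not that anything leaked, while a 200 with a body close to the report size is the signal that credential rotation is required; the script keeps the two apart so that per-IP counts measure scanning pressure and the leak list drives remediation.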