Wordfence has blocked more than 17 million exploit attempts targeting CVE‑2026‑4020 to date, and the numbers keep climbing.
Key Takeaways
- Unauthenticated attackers can pull a 365 KB JSON dump of a site’s full system report.
- The dump includes live third‑party API keys for services like Amazon SES and Google.
- More than 100,000 WordPress installations run the vulnerable Gravity SMTP plugin.
- Patch arrived in version 2.1.5; sites still on older releases should upgrade immediately.
- Wordfence observed a spike of over 4 000 000 requests on June 6 2026 alone.
Gravity SMTP vulnerability (CVE‑2026‑4020) exposed API keys
A medium‑severity rating (CVSS 5.3, the usual score for an unauthenticated disclosure that the CVSS vector counts as only a "low" confidentiality impact) might sound reassuring, but the flaw hands anyone on the internet live credentials without a single authentication step.
When a visitor requests /wp-json/gravitysmtp/v1/tests/mock-data, the route's permission callback unconditionally returns true, so WordPress treats every request as authorized. Append the ?page=gravitysmtp-settings query string and the plugin populates and returns its internal connector data, provider credentials included.
How the flaw works
Wordfence explained, "This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," and added, "When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report."
That JSON isn’t just a harmless list of plugins; it spills the PHP version, loaded extensions, web server version, document root path, database server type and version, the WordPress version itself, every active plugin with its version, the active theme, and a slew of configuration details.
Why the data matters to attackers
Harvesting API keys for Amazon SES, Google, Mailjet, Resend, and Zoho lets an attacker send mail through the site's own authorized provider. That mail passes SPF and DKIM rather than bypassing them, because it originates from exactly the infrastructure the site's DNS records vouch for, which is what makes it such effective phishing bait.
Beyond email abuse, the disclosed system report gives a clear map of the target’s software stack. That lowers the barrier for follow‑on exploits, because attackers can tailor payloads to the exact PHP version, web server, and plugin lineup they see.
- PHP version – reveals potential for known remote code execution bugs.
- Loaded extensions – indicate whether vulnerable libraries like libxml are present.
- WordPress version – tells whether the site is patched against known core vulnerabilities.
- Active plugins – expose any outdated third‑party add‑ons that might be vulnerable.
Timeline of the attack campaign
Initial activity started in early May 2026, but the flood really surged around June 6 2026, when the daily request count topped 4 000 000. The attackers used a handful of IP addresses that Wordfence listed, including 45.148.10.95 and 185.8.106.37.
Those IPs hammered the vulnerable endpoint with plain GET requests, pulling the full JSON payload each time. Because the request carries no credentials, it is indistinguishable from any other anonymous REST call, so unless a host specifically rate‑limits anonymous REST traffic, nothing in the default stack slows the botnet down.
What site owners should do right now
If you're running a Gravity SMTP version older than 2.1.5, you're sitting on an open door. Update the plugin immediately, then rotate every third‑party credential you've entered: Amazon SES keys, Google OAuth tokens, Mailjet secrets, and so on. Rotate them at the provider, revoking the old key in the SES or Google console, because updating the plugin does nothing to invalidate keys that were already harvested.

Don't stop at the plugin. Search your server logs for the ten IP addresses Wordfence flagged and for any request to /wp-json/gravitysmtp/v1/tests/mock-data, paying particular attention to requests that carried page=gravitysmtp-settings and received a 200 response of a few hundred kilobytes; those are the ones that actually walked away with the report. Check your email provider's sending logs for the same window as well.
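To make that log review concrete, here is an added example (not Wordfence's tooling and not Gravity SMTP code): a PHP CLI script that walks an Apache or nginx combined‑format access log, flags every request to the vulnerable route or from a listed indicator IP, and separates probes that were refused from requests that actually received the full dump. The indicator list holds only the two IPs the article quotes, the 300,000‑byte threshold is a heuristic derived from the ~365 KB report size, and the sample log lines at the bottom are constructed for this example.

```php
<?php
// Added example: scan a combined-format access log for Gravity SMTP
// mock-data requests. Not part of the Wordfence report or the plugin.
// Usage: php scan-gravitysmtp.php /var/log/apache2/access.log
// With no argument it runs over the constructed sample lines below.

declare(strict_types=1);

const ENDPOINT = '/wp-json/gravitysmtp/v1/tests/mock-data';
const IOC_IPS  = ['45.148.10.95', '185.8.106.37']; // the two IPs named in the article; extend with the rest of Wordfence's list
const DUMP_MIN_BYTES = 300000; // heuristic: the full System Report is ~365 KB; a 403 or empty reply is far smaller

// Combined log format: ip ident user [timestamp] "METHOD path HTTP/x" status bytes "referer" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';

/** Parse one access-log line into its fields, or null if it does not match. */
function parse_line(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    ];
}

/** Classify one request: null if unrelated to this CVE, otherwise a finding. */
function classify(array $r): ?array {
    $path_only     = strtok($r['path'], '?');           // drop the query string before comparing
    $hits_endpoint = $path_only === ENDPOINT;
    $ioc_ip        = in_array($r['ip'], IOC_IPS, true);
    if (!$hits_endpoint && !$ioc_ip) {
        return null;
    }
    // The connector data (API keys) is only populated when page=gravitysmtp-settings
    // is present; a 200 with a large body means the report actually left the server.
    $query = parse_url($r['path'], PHP_URL_QUERY) ?? '';
    parse_str($query, $q);
    $asked_for_dump = ($q['page'] ?? '') === 'gravitysmtp-settings';
    $got_dump       = $hits_endpoint && $r['status'] === 200 && $r['bytes'] >= DUMP_MIN_BYTES;
    return [
        'ip'             => $r['ip'],
        'time'           => $r['time'],
        'endpoint'       => $hits_endpoint,
        'ioc_ip'         => $ioc_ip,
        'dump_requested' => $asked_for_dump,
        'dump_served'    => $got_dump,
    ];
}

/** Run the classifier over every line and collect the findings. */
function scan(iterable $lines): array {
    $findings = [];
    foreach ($lines as $line) {
        $r = parse_line(trim((string) $line));
        if ($r === null) {
            continue;
        }
        $f = classify($r);
        if ($f !== null) {
            $findings[] = $f;
        }
    }
    return $findings;
}

$lines = isset($argv[1]) ? new SplFileObject($argv[1]) : [
    // Constructed sample lines, not real traffic.
    '45.148.10.95 - - [06/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Jun/2026:03:15:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 96 "-" "curl/8.0"',
    '198.51.100.4 - - [06/Jun/2026:03:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
];

foreach (scan($lines) as $f) {
    printf("%s %-15s endpoint=%d ioc=%d dump_requested=%d DUMP_SERVED=%d\n",
        $f['time'], $f['ip'], $f['endpoint'], $f['ioc_ip'], $f['dump_requested'], $f['dump_served']);
}
```

Any line with DUMP_SERVED=1 means the keys configured at that moment should be treated as stolen and rotated at the provider; a 403 hit shows the scanner found you but the firewall or an already‑patched plugin turned it away. If your web server logs only header bytes or no size at all, replace the size heuristic with a check on the query string alone and err on the side of rotating.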
Beyond the patch
After you've updated, consider hardening your REST API more broadly. Every custom route registered with register_rest_route takes a permission_callback, and since WordPress 5.5 core emits a _doing_it_wrong notice when that argument is missing, but a callback that simply returns true satisfies the check while protecting nothing. A callback that tests a real capability such as manage_options stops unauthenticated users at the door; a nonce on its own does not, because WordPress nonces guard logged‑in cookie sessions against CSRF and an anonymous request has no session to prove.
If you're already using a web application firewall, add a rule for the endpoint pattern, and remember that the same route is reachable as /?rest_route=/gravitysmtp/v1/tests/mock-data on sites without pretty permalinks, so a rule that only matches /wp-json/ misses half the surface. That way, even if a future plugin forgets to secure its routes, the firewall acts as a safety net.
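Sites that cannot update yet, or that want a safety net independent of any one plugin's code, can get the same effect inside WordPress. The following is an added example (not Wordfence or Gravity SMTP code): a must‑use plugin that hooks the REST server's rest_pre_dispatch filter and refuses selected routes to anyone without the manage_options capability. Because it matches on the parsed route rather than the URL, it covers both the /wp-json/ form and the ?rest_route= form. The route pattern and the GSMTP_DEMO_ prefix are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Deny anonymous access to selected REST routes
 * Added example, not Wordfence or Gravity SMTP code. Copy into
 * wp-content/mu-plugins/ (mu-plugins need no activation) and adjust
 * the route patterns below to the routes you want to fence off.
 */

// Regexes matched against the REST route, i.e. the part after /wp-json
// (or after ?rest_route=). Pattern is an assumption for this example.
const GSMTP_DEMO_PROTECTED_ROUTES = [
    '#^/gravitysmtp/v1/tests/#',   // the endpoint from the advisory
];

add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    if ($result !== null) {
        return $result; // an earlier filter already short-circuited dispatch
    }
    // By the time dispatch runs, core has already authenticated the request
    // (cookie + nonce or application password), so current_user_can() is reliable.
    $route = $request->get_route();
    foreach (GSMTP_DEMO_PROTECTED_ROUTES as $pattern) {
        if (preg_match($pattern, $route) === 1 && !current_user_can('manage_options')) {
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            return new WP_Error(
                'rest_forbidden',
                'This route is restricted on this site.',
                ['status' => rest_authorization_required_code()]
            );
        }
    }
    return $result; // null: let the normal dispatch continue
}, 10, 3);
```

Returning a WP_Error from rest_pre_dispatch makes the server send it as the response, so the plugin's own callback never runs and the connector data is never populated. This is a stopgap for routes you know about, not a replacement for updating: keep the pattern list short, and remove entries once the plugin ships its own permission check.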
What This Means For You
Developers building email integration plugins need to remember that exposing configuration data via a public API is a recipe for disaster. A single oversight in a permission callback can hand over not just keys but a complete blueprint of the host environment.
For site operators, this incident is a reminder that even “medium‑severity” bugs can have outsized impact when they involve credential leakage. Regularly audit your plugins, keep them up to date, and treat any exposed API key as compromised until you’ve rotated it.
Looking ahead, the WordPress ecosystem will likely see more scrutiny of REST endpoints, especially as the platform continues to grow into a full‑stack application framework. Will plugin authors adopt stricter security defaults, or will we keep seeing these kinds of low‑effort, high‑reward exploits?
Historical Context
The WordPress REST API debuted in version 4.7, giving developers a standard way to expose data over HTTP. Since then, countless plugins have added custom routes to provide richer functionality, from e‑commerce carts to analytics dashboards. Those routes inherit the same permission model that core endpoints use, which relies on a callback that decides whether a request should be allowed.
Early on, many plugin authors treated the callback as an afterthought, often returning true to keep things simple. That pattern persisted in a handful of popular extensions, and Gravity SMTP is one of the most widely deployed examples. The vulnerability surfaced because the callback never evaluated the requestor’s capabilities, leaving the endpoint wide open.
In the months leading up to May 2026, security researchers observed a gradual rise in automated scanners targeting WordPress REST endpoints. Those scanners looked for any route that answered without authentication, then attempted to enumerate the data it returned. Gravity SMTP’s endpoint fit that exact profile, which explains the rapid escalation once the attackers identified the specific query string that triggered the full system dump.
Technical Deep Dive
The endpoint lives under /wp-json, the base path WordPress maps to the REST API (the same routes also answer at /?rest_route=/...). On rest_api_init the plugin's registration function calls register_rest_route with a namespace, a route path, and an array of options. One of those options is permission_callback, and in this case the code simply returns true.
Because the callback never checks user capabilities, the REST server treats every request as authorized. The next step is the callback parameter, which points to a method that builds the response. When the ?page=gravitysmtp-settings flag is present, the method invokes register_connector_data(). That method pulls configuration values from the WordPress options table, merges them with runtime information, and encodes the result as JSON.
The final payload is sent back with a 200 OK status and a Content‑Type: application/json; charset=UTF-8 header. Core applies no rate limiting, and its nonce check only applies to cookie‑authenticated requests, so an anonymous bot can repeat the request thousands of times per minute. The result is the 365 KB dump containing every piece of data an attacker could need.
From a defensive standpoint, the simplest mitigation is to replace the unconditional true with a check against a capability like manage_options, returning a WP_Error with status 401 or 403 when it fails. That limits the dump to administrators. A nonce requirement is not a substitute: nonces protect an existing logged‑in session from CSRF, and once the capability check is in place core's X-WP-Nonce validation already applies to admin browser sessions. A diagnostics endpoint also has no business returning secrets at all, even to administrators; masking the keys in the report removes the prize regardless of who reaches the route.
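The two registrations below are an added example, not Gravity SMTP's code: a stripped‑down reconstruction of the pattern the article describes (the route, the query flag, the connector data branch), with the insecure permission callback beside a hardened one and the secrets masked in the response. It illustrates both the "How the flaw works" section and the mitigation described above. Every gsmtp_demo_ function and option name is an assumption for illustration; the WordPress APIs used (register_rest_route, current_user_can, rest_authorization_required_code, rest_ensure_response) are real core functions.

```php
<?php
// Added example, not the plugin's code. Names prefixed gsmtp_demo_ are
// assumptions; the pattern is the one the advisory describes.

// --- The shape that leaks: permission_callback always returns true. ---
function gsmtp_demo_register_vulnerable_route() {
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_demo_mock_data',
        'permission_callback' => '__return_true',   // anyone on the internet gets through
    ]);
}

// --- Hardened: a real capability check plus declared, sanitized arguments. ---
function gsmtp_demo_register_hardened_route() {
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_demo_mock_data',
        'permission_callback' => 'gsmtp_demo_can_view_report',
        'args'                => [
            'page' => [
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ],
        ],
    ]);
}

// manage_options is the capability behind the plugin's settings screen, so it is the
// natural gate for a report that reproduces those settings. Returning a WP_Error makes
// WordPress answer 401 for anonymous callers and 403 for logged-in users without it.
function gsmtp_demo_can_view_report(WP_REST_Request $request) {
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            __('You are not allowed to view the system report.', 'gsmtp-demo'),
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}

// Shared handler: the only difference between the two registrations is who reaches it.
function gsmtp_demo_mock_data(WP_REST_Request $request) {
    $data = ['mock' => true];
    if ($request->get_param('page') === 'gravitysmtp-settings') {
        // Stand-in for register_connector_data(): the branch that pulls provider
        // settings into the response. Even for administrators, return masked values.
        $data['connectors'] = gsmtp_demo_connector_data();
    }
    return rest_ensure_response($data);
}

// Illustrative only; a real plugin reads its own saved provider settings here.
function gsmtp_demo_connector_data() {
    return [
        'ses'    => ['access_key' => gsmtp_demo_mask((string) get_option('gsmtp_demo_ses_key', ''))],
        'google' => ['api_key'    => gsmtp_demo_mask((string) get_option('gsmtp_demo_google_key', ''))],
    ];
}

// Keep only the last four characters: enough for an admin to confirm which key is
// configured, useless to anyone who manages to read the report.
function gsmtp_demo_mask($secret) {
    $secret = (string) $secret;
    if ($secret === '') {
        return '';
    }
    return str_repeat('*', max(0, strlen($secret) - 4)) . substr($secret, -4);
}

// Register only the hardened route; the vulnerable one is kept above for comparison.
add_action('rest_api_init', 'gsmtp_demo_register_hardened_route');
```

Two things to notice: the capability check runs before the handler, so an anonymous request never reaches the branch that touches the options table, and masking means that even a future regression in the permission callback would leak fingerprint data but not usable credentials. Both changes are independent of each other, and a plugin should ship both.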
Competitive Landscape
Gravity SMTP competes with a range of email‑delivery plugins that integrate with third‑party services. Many of those competitors expose their settings through the WordPress admin UI, but only a subset provide a public REST endpoint for testing or diagnostics. The presence of an unsecured endpoint gives Gravity SMTP a unique attack surface that its rivals do not share.
Because the vulnerable plugin is installed on more than 100,000 sites, the impact of a single exploit can ripple through the broader ecosystem. If an attacker siphons API keys from one site and reuses them on another, the downstream effect can appear as a surge in spam originating from unrelated domains. That collateral damage can tarnish the reputation of the email‑service providers themselves, prompting them to tighten usage policies.
Other plugins have responded by auditing their own endpoints and publishing security advisories. Those moves illustrate a trend toward more rigorous endpoint hardening across the marketplace. As the community learns from the Gravity SMTP incident, we can expect a wave of updates that prioritize permission checks and reduce the attack surface of custom routes.
Key Questions Remaining
- Will WordPress core introduce a mandatory permission check for all custom REST routes, or will that responsibility remain with individual plugin developers?
- How many of the exposed API keys have already been abused for phishing or spam campaigns, and what remediation steps are service providers taking?
- Can site owners rely on existing web application firewalls to block similar endpoint abuse, or is a more granular rule set required?
- What lessons can be drawn for future plugin development cycles to avoid repeating this kind of oversight?
Answers to those questions will shape the next wave of security hardening in the WordPress world. For now, the immediate priority is clear: update, rotate credentials, and monitor for lingering requests.
Sources: The Hacker News, Wordfence Blog