Active Exploitation of Gravity SMTP Flaw Exposes WordPress Email Credentials
Attackers are actively exploiting CVE-2026-4020 in the RocketGenius Gravity SMTP WordPress plugin to extract sensitive configuration data and live email-service credentials from vulnerable sites. The flaw affects versions 2.1.4 and earlier and stems from an unauthenticated REST API endpoint, /wp-json/gravitysmtp/v1/tests/mock-data, whose permission check always returns true; when queried with page=gravitysmtp-settings, it can return a detailed JSON system report containing environment data, API keys, secrets, and OAuth tokens tied to providers including Amazon SES, Google, Mailjet, Resend, and Zoho.
The plugin is installed on roughly 100,000 WordPress sites, raising the risk of credential theft and abuse of legitimate outbound email infrastructure for spam, phishing, or follow-on compromise. Wordfence said it blocked more than 17 million exploitation attempts, including a spike of over 4 million in a single day, while CrowdSec observed at least 412 attacking IPs during earlier scanning and attack activity. RocketGenius released a fix in Gravity SMTP 2.1.5, and defenders are being urged to update immediately, rotate any potentially exposed credentials, and review logs for suspicious requests to the vulnerable endpoint.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Wordfence publishes IOCs for Gravity SMTP exploitation
Wordfence identified requests to '/wp-json/gravitysmtp/v1/tests/mock-data', especially with the '?page=gravitysmtp-settings' parameter, as indicators of compromise for CVE-2026-4020 exploitation. It also advised administrators to block prolific source IPs and update Gravity SMTP immediately.
CrowdSec observed 412 attacking IPs targeting the flaw
CrowdSec observed at least 412 attacking IPs exploiting or probing CVE-2026-4020 during a late-May to early-June activity window, indicating active malicious interest in the vulnerability.
Researchers report widespread active exploitation in the wild
Security reporting stated that CVE-2026-4020 was under active exploitation against Gravity SMTP installations, with Wordfence blocking more than 17 million exploit attempts overall.
Wordfence saw a major spike in exploitation attempts
Wordfence reported a major spike in blocked exploit attempts against CVE-2026-4020 on June 7, with more than 4 million attempts observed that day as part of a broader June 7-11 surge.
Public disclosure of CVE-2026-4020
Public disclosure of the Gravity SMTP vulnerability followed after the fix release, identifying an unauthenticated REST API endpoint that could expose system reports and secrets.
Gravity SMTP 2.1.5 released to fix CVE-2026-4020
RocketGenius released Gravity SMTP version 2.1.5 to address CVE-2026-4020, a sensitive information exposure flaw affecting versions 2.1.4 and earlier.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
thehackernews.com
Open sourceHackers exploit info disclosure bug in Gravity SMTP WordPress plugin
bleepingcomputer.com
Open sourceHackers Actively Exploiting WordPress SMTP Plugin With 100,000+ Installs to Access Sensitive Data
cybersecuritynews.com
Open sourceActive Gravity SMTP Vulnerability Exploited in the Wild
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
WordPress Email and Auth Plugins Expose Sites to Admin Takeover and Data Theft
Multiple critical flaws in widely deployed WordPress plugins exposed sites to administrator takeover through broken REST API authorization, weak JWT handling, and sensitive data leakage. In **Post SMTP**, `CVE-2025-24000` let any authenticated user read administrator-only email logs in versions through `3.2.0`, while `CVE-2025-11833` extended similar exposure to unauthenticated attackers in versions through `3.6.0`; because password reset messages were stored in those logs, attackers could reset admin passwords and seize control of affected sites. **RestroPress** (`CVE-2025-9209`) exposed user tokens through `/wp-json/wp/v2/users`, enabling forged JWTs and full admin access, and **miniOrange OAuth SSO** (`CVE-2025-9485`) accepted forged JWTs because signatures were not verified, allowing login as arbitrary users including administrators. **Copypress Rest API** (`CVE-2025-8625`) combined a hard-coded JWT signing key with unrestricted file upload to enable unauthenticated remote code execution. The pattern continued into active exploitation of **Gravity SMTP** (`CVE-2026-4020`), where an unauthenticated REST API endpoint exposed system reports containing WordPress and server details, plugin inventories, database information, and email-service credentials such as API keys, secrets, and OAuth tokens. Wordfence said exploitation required only a single request, reported blocking more than **17 million** attempts, and urged defenders to upgrade to `2.1.5` and rotate exposed third-party email credentials. Across the affected plugins, vendors issued fixes including **Post SMTP 3.3.0**, **miniOrange 6.26.13**, and **Gravity SMTP 2.1.5**, while the Copypress plugin was temporarily closed; the incidents underscore how exposed REST endpoints and flawed token validation can quickly turn routine plugin features into full site compromise paths.
Jun 17, 2026
Critical Post SMTP Plugin Vulnerability Enables Mass WordPress Site Takeover
A critical vulnerability in the *Post SMTP* WordPress plugin, tracked as CVE-2025-11833, has exposed over 400,000 WordPress sites to potential account and website takeover. The flaw, present in all plugin versions up to and including 3.6.0, stems from missing capability checks in the `__construct` function, allowing unauthenticated attackers to reset passwords for any user, including administrators. Wordfence, which received the initial bug report via its bounty program, has already blocked more than 4,500 attack attempts, and exploitation activity has accelerated since early November. Security researchers warn that at least 210,000 sites remain at risk, with attackers leveraging the vulnerability to access password reset messages and hijack admin accounts. Website owners are strongly advised to update to the patched version released on October 29 or disable the plugin to prevent compromise. The incident follows a previous security issue (CVE-2025-24000) affecting the same plugin, highlighting ongoing risks for sites relying on outdated or unpatched WordPress extensions.
Mar 21, 2026
Active Exploitation of Critical WordPress Plugin and Theme Vulnerabilities for Admin Account Hijacking
Threat actors are actively exploiting critical vulnerabilities in popular WordPress plugins and themes, enabling the hijacking of administrator accounts and full site compromise. The Post SMTP plugin, installed on over 400,000 WordPress sites, is affected by CVE-2025-11833, a flaw that allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, due to missing authorization checks. This exposure enables attackers to reset admin passwords and take over sites. Wordfence has observed over 4,500 exploit attempts since November 1, and a patch was released in version 3.6.1, but a significant number of sites remain unpatched and vulnerable. Similarly, the JobMonster WordPress theme is being targeted via CVE-2025-5397, an authentication bypass vulnerability that allows attackers to hijack admin accounts when social login is enabled. The flaw arises from improper verification in the `check_login()` function, letting attackers fake admin access if they know the username or email. The issue is fixed in version 4.8.2, and users are urged to update, disable social login, and enable two-factor authentication. These incidents highlight the ongoing risk posed by unpatched WordPress components and the need for immediate mitigation to prevent site compromise.
Mar 21, 2026