Unauthenticated Sensitive Information Exposure in Gravity SMTP for WordPress
CVE-2026-4020 is a sensitive information exposure vulnerability in the Gravity SMTP plugin for WordPress affecting all versions up to and including 2.1.4. The plugin registers a REST API route at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback unconditionally returns true. Because that callback is the only authorization check WordPress applies to a REST route, the endpoint answers anonymous requests: no cookie, nonce, or capability is required, and any client that can reach /wp-json/ can call it. When the request carries the query parameter page=gravitysmtp-settings, the plugin's register_connector_data() method populates its internal connector data and the endpoint returns a JSON "System Report" of roughly 365 KB.

The report can include the PHP version and loaded extensions, the web server version and document root path, the database server type and version, the WordPress version and configuration details, database table names, active plugins with their versions, the active theme, and the API keys, secrets, and OAuth tokens configured for Gravity SMTP's email integrations. The credentials are the serious part: they are exactly what the plugin itself uses to authenticate to the mail provider, and the rest of the report is a ready-made fingerprint of the host for follow-on attacks.
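The pattern the advisory describes, its corrected form, and an emergency block for sites that cannot update yet, as an added example. This is not Gravity SMTP's own code: the route path is taken from the advisory, but the handler name example_mock_data_handler, the placeholder handler body, and the choice of the manage_options capability are assumptions made for illustration.

```php
<?php
// Added example, not Gravity SMTP's code. The route path is from the advisory;
// example_mock_data_handler and the manage_options capability are assumptions.

// Placeholder for the report-building handler, which is not the point here.
function example_mock_data_handler(WP_REST_Request $request) {
    return rest_ensure_response(['report' => 'placeholder']);
}

// Vulnerable pattern, as the advisory describes it: permission_callback always
// returns true, so WordPress runs the handler for anonymous requests. No cookie,
// nonce or capability is ever checked, and the query parameter alone decides
// how much data comes back.
function example_vulnerable_route_args(): array {
    return [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => '__return_true',
    ];
}

// Hardened form: require a logged-in administrator. current_user_can() is false
// for anonymous callers, and cookie-authenticated REST requests must also carry
// a valid X-WP-Nonce, so a victim's browser cannot be made to fetch the report.
function example_hardened_route_args(): array {
    return [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!current_user_can('manage_options')) {
                return new WP_Error(
                    'rest_forbidden',
                    __('Administrator access required.'),
                    ['status' => rest_authorization_required_code()] // 401 or 403
                );
            }
            return true;
        },
    ];
}

// This is how the plugin side would register the route with the hardened args.
add_action('rest_api_init', function () {
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', example_hardened_route_args());
});

// Emergency mitigation while the plugin is still at 2.1.4 or older. Save this
// part as wp-content/mu-plugins/block-gravitysmtp-mock-data.php. The
// rest_pre_dispatch filter runs before the route's own permission_callback, so
// returning a WP_Error ends the request. The check keys on the route alone, not
// on page=gravitysmtp-settings, because the trigger parameter is an
// implementation detail that a scanner can vary.
add_filter('rest_pre_dispatch', function ($result, WP_REST_Server $server, WP_REST_Request $request) {
    $blocked = '/gravitysmtp/v1/tests/mock-data';
    if (strpos($request->get_route(), $blocked) === 0 && !current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            'Endpoint disabled pending the Gravity SMTP update.',
            ['status' => 403]
        );
    }
    return $result;
}, 10, 3);
```

The filter covers both the pretty-permalink form (/wp-json/gravitysmtp/v1/tests/mock-data) and the ?rest_route=/gravitysmtp/v1/tests/mock-data form, since both are dispatched through WP_REST_Server. To verify either fix, send an anonymous GET to the endpoint with page=gravitysmtp-settings and confirm the answer is a short 401/403 JSON error rather than a 200 with a body in the hundreds of kilobytes. The mu-plugin is a stopgap only: it does not rotate the mail-provider keys and tokens that may already have been read, so treat those as exposed until the plugin is updated and the credentials are reissued.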
Exploits
No valid public exploits. Mallory filtered out 1 candidate as a fake, a detection script, or a README-only repository.
Recent activity
79 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Unauthenticated information disclosure vulnerability in the WordPress Gravity SMTP plugin that exposes API keys, OAuth tokens, mail service credentials, and detailed server configuration data via a REST API endpoint.