
Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

Why This Matters

The Gravity SMTP plugin vulnerability highlights the ongoing risk posed by unpatched security flaws in widely used WordPress plugins, which can lead to data breaches and compromised email services. Because hackers are actively exploiting this flaw, it underscores the importance for website owners and developers of applying updates promptly and maintaining sound security practices.

Key Takeaways

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites.

The flaw is tracked as CVE-2026-4020 and received a medium severity rating. It affects all versions of the plugin up to and including 2.1.4 and has been addressed in version 2.1.5, released on March 17.

WordPress security company Defiant is warning that hackers are actively exploiting the vulnerability. The company's Wordfence firewall has blocked more than 17 million attempts against protected customers.

The issue stems from an exposed REST API endpoint in Gravity SMTP, whose 'permission_callback' always returns 'true', allowing unauthenticated GET requests to receive a comprehensive JSON "System Report" generated by the plugin. The exposed information may contain:

API keys, secrets, and OAuth tokens for configured email integrations

Credentials for third-party email services, including Amazon SES, Google, Mailjet, Resend, and Zoho

WordPress configuration details, including installed plugins, themes, and software versions

Server and PHP environment information

Database configuration details, including server version and table names

Despite its medium-severity rating, the CVE-2026-4020 vulnerability can be exploited without authentication, and the exposed information can be used to steal email service credentials.
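The pattern described above, as an added illustration rather than Gravity SMTP's own code (the route namespace, function names and report fields are hypothetical placeholders): a REST route whose permission_callback is '__return_true' beside the hardened form that requires an authenticated administrator and redacts secrets from the report.

```php
<?php
// Added illustration, not Gravity SMTP's code. The route namespace,
// function names and report fields are hypothetical placeholders.

// Vulnerable pattern: permission_callback unconditionally returns true,
// so any unauthenticated GET request receives the full system report.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/system-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_build_system_report',
        'permission_callback' => '__return_true', // anyone may read it
    ) );
} );

// Hardened pattern: require an authenticated administrator and return a
// WP_Error (401 for anonymous callers, 403 for non-admins) to everyone else.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/system-report-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_build_system_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_not_logged_in',
                    'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden',
                    'Administrator capability required.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

// Placeholder report builder. Even for administrators, API keys, secrets and
// OAuth tokens should be redacted rather than echoed back in the response.
function example_smtp_build_system_report( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'php_version'  => PHP_VERSION,
        'wp_version'   => get_bloginfo( 'version' ),
        'smtp_api_key' => '[redacted]',
    ) );
}
```

A quick self-check for site owners is to request the plugin's REST routes while logged out: anything returning configuration data with a 200 status instead of a 401 needs the permission_callback fix above.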
