Mass Exploitation of Gravity SMTP Flaw Exposes API Keys on 100,000 WordPress Sites

Image: courtesy of Thenextweb

Hackers are actively exploiting a critical vulnerability, CVE-2026-4020, in the Gravity SMTP WordPress plugin. This flaw has allowed attackers to steal sensitive API keys, email credentials, and server information from approximately 100,000 WordPress websites. Security firm Wordfence reports blocking over 17 million exploit attempts against its customers. The vulnerability was patched in version 2.1.5 of the plugin on March 17, 2026, but widespread exploitation only began roughly two months later, peaking in June 2026, highlighting significant delays in patch adoption across the WordPress ecosystem.

What to Expect

Website owners using the Gravity SMTP plugin, particularly those running versions 2.1.4 or older, face an immediate and severe risk of data compromise. The current wave of attacks suggests that unpatched sites are prime targets for automated credential harvesting. Owners should expect potential disruption to email services, unauthorized email sending, and broader security breaches if the stolen API keys provide access to other linked services. The sheer scale of the attack indicates that the fallout will likely continue as attackers attempt to monetize or further exploit the stolen data.
Key Context
The vulnerability, tracked as CVE-2026-4020, resides in the Gravity SMTP plugin, an email delivery tool installed on roughly 100,000 WordPress websites. Wordfence, a prominent WordPress security company, rated the flaw with a CVSS score of 5.3, indicating a moderate to high severity. The core issue stems from an exposed REST API endpoint within the plugin, where a critical 'permission_callback' function was incorrectly configured to always return 'true'. This oversight allowed any unauthenticated user to send GET requests and retrieve a comprehensive JSON object containing sensitive configuration data. This data includes API keys for various email services like Amazon SES, Google, Mailjet, and Zoho, alongside email credentials and detailed server information. The Gravity SMTP team released a patch in version 2.1.5 on March 17, 2026. However, mass exploitation did not commence until approximately two months later, suggesting that attackers either reverse-engineered the patch to understand the vulnerability or independently discovered the flaw once the patch drew attention to the component.
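The misconfiguration described above, a REST route whose permission check always succeeds, and the form a plugin author should use instead, shown as an added example. This is illustrative code, not Gravity SMTP's own; the route namespace, option name and secret field names are hypothetical placeholders.

```php
<?php
// Added example (not Gravity SMTP's code). Route namespace, option key and
// field names are hypothetical placeholders.

/*
 * VULNERABLE PATTERN (the class of bug the article describes):
 * permission_callback is set to WordPress's __return_true helper, so the
 * endpoint answers every unauthenticated GET with the full settings object.
 *
 * register_rest_route( 'example-smtp/v1', '/settings', array(
 *     'methods'             => WP_REST_Server::READABLE,
 *     'callback'            => 'example_smtp_get_settings',
 *     'permission_callback' => '__return_true',
 * ) );
 */

// HARDENED FORM: the route is only registered with a real capability check,
// and the callback never echoes secrets back to the client.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_settings_redacted',
        'permission_callback' => 'example_smtp_can_manage',
    ) );
} );

/**
 * Permission check: require an authenticated administrator.
 * Cookie-authenticated REST requests must also carry a valid nonce, which
 * WordPress validates before this callback runs, so the check cannot be
 * satisfied by an anonymous GET.
 */
function example_smtp_can_manage( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Administrator access required.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return true;
}

/**
 * Settings callback that masks secret values. Even an administrator's UI
 * only needs to know that a key is configured, not the key itself, so a
 * leak through this endpoint yields nothing usable.
 */
function example_smtp_get_settings_redacted( WP_REST_Request $request ) {
    $settings = get_option( 'example_smtp_settings', array() ); // hypothetical option
    $secret_fields = array( 'api_key', 'smtp_password', 'oauth_token' ); // hypothetical names

    foreach ( $secret_fields as $field ) {
        if ( ! empty( $settings[ $field ] ) ) {
            $settings[ $field ] = '********';
        }
    }

    return rest_ensure_response( $settings );
}
```

The two changes are independent and both matter: the capability check closes the unauthenticated read, and redacting secrets in the response limits the damage if some other authorization bug is found later. When reviewing a plugin, grep its REST registrations for `'permission_callback' => '__return_true'` on any route that returns configuration; that pattern is appropriate only for genuinely public data.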
Historical Patterns
The current Gravity SMTP attack follows a familiar pattern within the WordPress security landscape. Vulnerabilities in widely used plugins are often discovered and patched, but a significant portion of the user base fails to update promptly. Attackers frequently monitor patch releases for popular software, using the fixes themselves as a roadmap to identify and exploit unpatched systems. This 'patch gap' — the time between a patch release and its widespread adoption — creates a window of opportunity for malicious actors. Past incidents involving plugins like WP Statistics, Essential Addons for Elementor, and various theme vulnerabilities have demonstrated similar trajectories, where initial discovery and patching are followed by waves of mass exploitation against sites that remain outdated. The sheer volume of WordPress installations, combined with the often decentralized management of individual sites by non-technical owners, makes this ecosystem particularly susceptible to such large-scale, automated attacks. The incentive for attackers is clear: a single exploit can yield access to tens of thousands of sites, providing a vast pool of credentials for further malicious activities.
The compromise of 100,000 WordPress sites is a significant event, impacting businesses, personal blogs, and e-commerce platforms globally. For site owners, the immediate concern is the theft of API keys and email credentials. These keys are digital passports, granting access to third-party services like email sending platforms. With these credentials, attackers can send spam, launch phishing campaigns from a seemingly legitimate domain, or even impersonate the website owner. This can lead to severe reputational damage, loss of user trust, and potential financial liabilities. Beyond direct email compromise, the exposure of server information and OAuth tokens could provide attackers with further footholds into a site's infrastructure, potentially leading to website defacement, data breaches, or the installation of malware. This incident also highlights a systemic issue in the broader internet: the critical reliance on third-party plugins and the collective failure of many site owners to maintain timely security updates. It is a stark reminder that digital security is not a one-time setup but an ongoing, active responsibility.
Potential Outcomes
Analysis

The ongoing exploitation of the Gravity SMTP flaw points to several immediate and longer-term consequences.
One likely outcome is a surge in phishing and spam campaigns originating from compromised WordPress sites. Attackers now possess legitimate email sending credentials, making their malicious emails far more likely to bypass spam filters and reach inboxes. This could severely damage the reputation of affected domains and lead to a significant increase in user complaints for email providers.
A second potential outcome is a renewed push for automated security updates within the WordPress ecosystem. While WordPress core often updates automatically, plugin updates are frequently left to site administrators. This incident could prompt hosting providers or security vendors to offer more aggressive, managed patching services for critical vulnerabilities, or for WordPress itself to explore mechanisms for more automated plugin security updates, at least for severe flaws.
A third consequence will be a period of intense cleanup and recovery for the affected 100,000 sites. Owners will need to update the plugin, revoke and reissue all compromised API keys and credentials, and conduct thorough security audits to ensure no further backdoors were installed. This process is often complex and time-consuming, especially for less technically proficient users, and may require professional assistance, leading to unforeseen costs and operational disruptions. The data stolen may also be compiled and sold on dark web marketplaces, creating a persistent threat of future attacks even after sites are secured.