Critical Gravity SMTP WordPress Plugin Flaw Exploited in Mass Attacks Threat actors are actively exploiting a critical security vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020 (CVSS 5.3), to extract sensitive configuration data from over 100,000 websites. The flaw, affecting all versions up to and including 2.1.4, stems from an improperly secured REST API endpoint (`/wp-json/gravitysmtp/v1/tests/mock-data`) that lacks authentication checks. Unauthenticated attackers can retrieve a 365 KB JSON system report by appending the query parameter `?page=gravitysmtp-settings`, exposing details such as PHP versions, active plugins, database configurations, and API credentials for third-party email services including Amazon SES, Google, Mailjet, Zoho, and Resend. Compromised OAuth tokens and API keys enable attackers to hijack email functionality, impersonate domains, or conduct further reconnaissance-driven attacks. The vulnerability was responsibly disclosed on March 30, 2026, after the vendor released a patched version (2.1.5) on March 17, 2026. Despite its moderate CVSS score, exploitation has surged, with Wordfence blocking over 17 million attack attempts. The most intense activity occurred between June 7–11, 2026, peaking at 4 million blocked requests on June 7 alone. The attack requires only a single unauthenticated HTTP GET request, making it trivial to exploit at scale. Wordfence deployed firewall protections for premium users on May 5, 2026, and extended coverage to free users on June 4, 2026, after observing real-world exploitation exceeding initial severity assessments. Key indicators of compromise (IOCs) include the targeted endpoint (`/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings`) and multiple malicious IP addresses, such as 45.148.10.95 (linked to over 642,000 blocked attempts). Since the flaw does not modify files or inject payloads, evidence of compromise may only appear in web server access logs. Administrators are advised to update to Gravity SMTP 2.1.5 or later and rotate exposed API keys and OAuth tokens immediately. The incident highlights how low-severity vulnerabilities can escalate into high-impact threats when sensitive data is exposed on widely used platforms like WordPress.