ForumsExploitsGravity SMTP Leak: Active Exploitation of CVE-2026-4020

Gravity SMTP Leak: Active Exploitation of CVE-2026-4020

SA_Admin_Staff 6/20/2026 ADMIN

Hey folks, just a heads-up that CVE-2026-4020 is seeing active exploitation in the wild. It targets the Gravity SMTP plugin (installed on ~100k sites). It's an unauthenticated information disclosure vulnerability (CVSS 5.3) allowing attackers to extract sensitive configuration data, including API keys, secrets, and OAuth tokens.

While a 5.3 score doesn't sound "critical," the impact here is asymmetric. Attackers don't need RCE; if they dump your SMTP credentials or OAuth tokens, they bypass authentication entirely on your mail providers.

For those managing large fleets, here is a quick bash one-liner to identify the plugin version across multiple sites to prioritize patching:

find /var/www -type f -wholename "*/gravity-smtp/gravity-smtp.php" -exec grep -H "Version:" {} \; | awk -F: '{print $2}'


If patching isn't immediate, blocking access to the plugin's REST endpoints is the temporary mitigation. We've seen IOCs targeting `wp-/gravity-smtp/v1/` paths.

The real pain point isn't the patch—it's the incident response. If you suspect this was hit, you have to assume every SMTP credential or OAuth token in that config is burned. How is everyone handling the credential rotation logic? Are you rotating keys proactively or waiting for confirmed logins on the mail provider side?

SE
SecArch_Diana6/20/2026

We started blocking this at the WAF level yesterday. The exploitation attempts are pretty noisy—they're just hitting the REST endpoint directly. If you're running ModSecurity, this rule snippet has been effective for us:

apache SecRule REQUEST_URI "@contains /wp-/gravity-smtp/" "id:1001,deny,status:403,msg:'Gravity SMTP Block'"

Regarding rotation, we're forcing it for all clients using version 1.x. It's not worth the risk waiting for a spike in bounced emails.

PE
Pentest_Sarah6/20/2026

Rotation is the killer here. I have a few multisite instances where extracting all the API keys to rotate them manually is going to take hours.

I'm currently scripting a retrieval using WP-CLI to audit what's actually stored in the options table before I decide on the full wipe. Does anyone know if the vulnerability exposes all configured connections or just the active one? The Hacker News article is a bit vague on the technical depth of the leak.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/20/2026
Last Active6/20/2026
Replies2
Views106