17 Million Exploit Attempts and Counting

Wordfence has blocked more than 17 million exploit attempts targeting a critical vulnerability in the Gravity SMTP WordPress plugin. The flaw, tracked as CVE-2026-4020, exposes API keys, OAuth tokens, and detailed system configuration data to any unauthenticated HTTP request. Gravity SMTP is installed on approximately 100,000 WordPress sites.

The Vulnerability: A Permission Callback That Always Returns True

The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data. The endpoint's permission_callback function unconditionally returns true, meaning no authentication check runs before the server processes the request. When an attacker appends the query parameter ?page=gravitysmtp-settings, the plugin's register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the site's full system report.

// Vulnerable code pattern (simplified). __return_true is WordPress's built-in helper
// that returns true regardless of its arguments, so every request passes the check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => 'get_mock_data',
        'permission_callback' => '__return_true', // BUG: should check user capabilities
    ) );
} );

The patch (version 2.1.5, released March 17, 2026) fixes this by replacing __return_true with a proper capability check. However, exploitation did not begin until roughly two months later, suggesting attackers reverse-engineered the fix or discovered the flaw independently.

What Data Is Leaked?

The exposed data includes:

  • API keys, secrets, and OAuth tokens for all configured email integrations (Amazon SES, Google, Mailjet, Resend, Zoho)
  • WordPress version
  • PHP version and loaded extensions
  • Web server version
  • Document root path
  • Database server type and version
  • All active plugins with version numbers
  • Active theme
  • Database table names

This gives attackers a detailed map of the site's software stack, significantly reducing reconnaissance effort for follow-on attacks.

Exploitation Timeline

  • March 17, 2026: Patch released in Gravity SMTP 2.1.5
  • March 31, 2026: CVE published
  • Early May: First exploitation attempts observed by Wordfence
  • May 22: CrowdSec deploys detection
  • May 27: First real-world exploitation observed by CrowdSec
  • June 6: Exploitation volume spikes sharply
  • June 7: Wordfence blocks over 4 million requests in a single day

Attack traffic originates primarily from a cluster of IP addresses published by Wordfence. The key indicator of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in web server access logs, especially with ?page=gravitysmtp-settings.
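Turning that indicator into a log check, as an added example that is not code from the advisory or the plugin: a Python script that parses combined-format access-log lines, flags every request to the mock-data path, and separates requests that carried ?page=gravitysmtp-settings and were answered with HTTP 200 (a likely leak) from ones that were blocked. The sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicator path from the advisory and the query parameter that triggers the full dump.
IOC_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
IOC_PARAM, IOC_VALUE = "page", "gravitysmtp-settings"

# Combined (Apache/Nginx) access-log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def classify(line):
    """Return details of a request to the mock-data endpoint, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") != IOC_PATH:
        return None
    full_dump = IOC_VALUE in parse_qs(parts.query).get(IOC_PARAM, [])
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": status,
        "full_dump": full_dump,                        # carried ?page=gravitysmtp-settings
        "likely_leaked": full_dump and status == 200,  # served, not blocked or patched away
    }

def scan(lines):
    """Scan log lines; return all endpoint hits and a per-IP count of likely leaks."""
    hits = [h for h in map(classify, lines) if h]
    leaks_per_ip = Counter(h["ip"] for h in hits if h["likely_leaked"])
    return hits, leaks_per_ip

# Constructed sample lines using documentation IP ranges; not real attacker traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"
198.51.100.2 - - [06/Jun/2026:10:01:14 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:10:02:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 912 "-" "curl/8.4.0"
203.0.113.9 - - [07/Jun/2026:03:15:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

if __name__ == "__main__":
    hits, leaks_per_ip = scan(SAMPLE_LOG.splitlines())
    print(len(hits), "endpoint hits; likely leaks per IP:", dict(leaks_per_ip))
```

Any IP with a non-zero likely-leak count had the connector credentials served to it, which is the case where rotating keys is not optional.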

Why It Matters for Developers

This is not a supply chain attack — it's a straightforward coding error. A permission callback that should have verified the requesting user's credentials instead returned true for every request. The simplicity of the flaw makes its survival through development, review, and release notable.

The exposure of API credentials is particularly dangerous because those credentials often persist even after the plugin is updated. Updating to version 2.1.5 closes the vulnerable endpoint, but it does not revoke or rotate the API keys that may have already been harvested.

Remediation Steps

Wordfence's advisory urges site owners running a vulnerable version of Gravity SMTP who have configured third-party email integrations to assume compromise. The recommended remediation:

  1. Update the plugin to version 2.1.5 or later
  2. Immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin's email connectors
  3. Review server log files for requests from the published attacker IP addresses

Broader Context

This vulnerability is part of a larger pattern in WordPress plugin security. The flaw requires no authentication, targets a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. WordPress's plugin ecosystem has faced repeated supply chain compromises in 2026, including an attack in which 30 plugins purchased on Flippa were backdoored.

Wordfence also issued a separate advisory for CVE-2026-8713, a critical unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin (installed on ~1 million sites). That flaw allows attackers to delete files on the server through a path traversal bug. Deleting wp-config.php can revert a site to its initial setup state, potentially enabling a full takeover. A patch is available in version 3.15.4, with no active exploitation observed yet.

What You Should Do Now

If you manage a WordPress site with Gravity SMTP installed, update to version 2.1.5 immediately. Then rotate all API keys and OAuth tokens. Check your access logs for the indicator path. Do not assume you're safe just because you updated — the credentials may already be compromised.