PT-2026-29181 · WordPress · Gravity Smtp+1

Published 2026-03-31 · Updated 2026-06-22 · CVE-2026-4020

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gravity SMTP versions prior to 2.1.5

Description: A sensitive information exposure issue exists in the Gravity SMTP plugin for WordPress. The flaw is caused by a REST API endpoint registered at '/wp-json/gravitysmtp/v1/tests/mock-data' with a permission callback that unconditionally returns true, so any unauthenticated visitor can reach it. When the 'page' query parameter is set to 'gravitysmtp-settings', the register_connector_data() function populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing a full System Report. This allows unauthenticated attackers to retrieve detailed system configuration data, including the PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, active plugins and their versions, active theme, WordPress configuration details, database table names, and any configured API keys, secrets, or OAuth tokens. An estimated 100,000 sites are potentially affected, and over 17 million exploit attempts have been blocked by security services.

Recommendations: Update to version 2.1.5. If a vulnerable version was in use, immediately rotate all API keys, secrets, and OAuth tokens configured within the plugin. As a temporary workaround, restrict access to the '/wp-json/gravitysmtp/v1/tests/mock-data' endpoint to minimize the risk of exploitation.
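One way to apply the interim workaround from the recommendations, as an added illustration that is not Gravity SMTP's own code: a must-use plugin that hooks WordPress core's rest_request_before_callbacks filter and refuses the affected route to anyone without the manage_options capability. The route string comes from the advisory; the function and constant names (gsmtp_mock_data_permission_check, GSMTP_MOCK_DATA_ROUTE) are assumptions chosen for this example.

```php
<?php
/**
 * Plugin Name: Restrict Gravity SMTP mock-data endpoint (interim hardening)
 *
 * Illustrative mu-plugin for wp-content/mu-plugins/ on a site that cannot
 * update to 2.1.5 yet. Hook names and WP_REST_* / WP_Error calls are
 * WordPress core APIs; the route comes from the advisory. This is an
 * example written for this page, not Gravity SMTP's code.
 */

// The affected route as WordPress sees it, without the /wp-json prefix.
const GSMTP_MOCK_DATA_ROUTE = '/gravitysmtp/v1/tests/mock-data';

/**
 * The permission check the route should have carried instead of always
 * returning true: only a user who may manage site options can read the
 * System Report. Returns true or a WP_Error with the proper status code.
 */
function gsmtp_mock_data_permission_check( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'Sorry, you are not allowed to do that.' ),
        // 401 for anonymous callers, 403 for logged-in users lacking the capability.
        array( 'status' => rest_authorization_required_code() )
    );
}

/**
 * Enforce that check from outside the plugin. rest_request_before_callbacks
 * runs before the route's own permission_callback; returning a WP_Error here
 * makes WordPress skip both the permission callback and the handler, for
 * every HTTP method registered on the route.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // WordPress matches REST routes case-insensitively, so compare the same way.
    if ( 0 !== strcasecmp( GSMTP_MOCK_DATA_ROUTE, $request->get_route() ) ) {
        return $response; // Leave every other REST request untouched.
    }
    $allowed = gsmtp_mock_data_permission_check( $request );
    return is_wp_error( $allowed ) ? $allowed : $response;
}, 10, 3 );
```

This only closes the endpoint; credentials already exposed by a vulnerable version still need rotating as the recommendations state.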

Fix

LPE

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-4020

Affected Products

Gravity Smtp
Wordpress