PT-2026-29181 · WordPress

Published: 2026-03-31 · Updated: 2026-05-04 · CVE-2026-4020

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gravity SMTP versions prior to 2.1.5

Description: The Gravity SMTP plugin for WordPress exposes sensitive information to unauthenticated users. The REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data is registered with a permission check that always allows access, so no authentication is required to call it. Appending the query parameter ?page=gravitysmtp-settings to a request to this endpoint causes the register_connector_data() method to populate the plugin's internal connector data, and the response then exposes approximately 365 KB of JSON. The exposed data includes detailed system configuration: PHP version and loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with their versions, the active theme, WordPress configuration details, database table names, and any API keys or tokens configured within the plugin.

Recommendations: Update Gravity SMTP to version 2.1.5 or later.
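The root cause described above is a REST route whose permission callback always returns true. The following is an added illustration of that pattern and its fix, written for this page; it is not Gravity SMTP's own source. The namespace and route (gravitysmtp/v1 and /tests/mock-data) are taken from the endpoint path in the advisory; the function names, the handler's payload and the manage_options capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not Gravity SMTP's own source: the WordPress REST
// permission-callback pattern behind this advisory. Namespace and route come
// from the advisory's endpoint path; function names, the payload and the
// required capability are assumed for the example.

// Handler for the endpoint. A small, constructed sample of the kind of system
// configuration the advisory says is exposed.
function example_mock_data_handler( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
    ) );
}

// VULNERABLE registration: '__return_true' as the permission callback means
// every request is authorized, so an anonymous
// GET /wp-json/gravitysmtp/v1/tests/mock-data reaches the handler and any
// query parameter it honours (such as ?page=...) is processed unauthenticated.
function example_register_vulnerable_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED registration: gate the route on a capability. For a logged-out
// request current_user_can() is false and rest_authorization_required_code()
// yields 401; for a logged-in user lacking the capability it yields 403.
// Cookie-authenticated REST requests must also carry a valid X-WP-Nonce,
// otherwise WordPress treats the request as anonymous.
function example_register_hardened_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Sorry, you are not allowed to view SMTP test data.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Only the hardened variant is hooked. The vulnerable one is kept above as a
// reference for what to look for when auditing a plugin's rest_api_init hooks.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

To check a site, send an unauthenticated GET to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings (for example with curl): a 200 response carrying the JSON configuration dump described above means the vulnerable version is installed. With the hardened callback the permission check runs before the handler, so the same request is rejected with a 401 JSON error and the ?page parameter is never evaluated. Because the advisory lists API keys and tokens among the exposed fields, a complete fix should also redact or omit such secrets from the response even for authorized administrators, rather than relying on the permission check alone.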

Fix: Gravity SMTP 2.1.5

Weakness Enumeration: Information Disclosure

Related Identifiers: CVE-2026-4020

Affected Products: Gravity SMTP, WordPress