thehackernews.com web signal

Gravity SMTP Plugin Flaw Leaks Credentials Across 100,000 Sites


TL;DR

  • CVE-2026-4020 in Gravity SMTP exposes a REST endpoint that returns a 365 KB system report, including live API keys and OAuth tokens, to any unauthenticated visitor.
  • Wordfence blocked over 17 million exploit attempts since May, with attacks peaking above 4 million requests per day around June 6.
  • Version 2.1.5 patches the flaw, but sites must also rotate Amazon SES, Google, Mailjet, Resend, and Zoho credentials to fully remediate.

A single unauthenticated HTTP GET request is all it takes to pull 365 kilobytes of credentials from a WordPress site running Gravity SMTP, and attackers have been doing exactly that since May. According to The Hacker News, security firm Wordfence has blocked more than 17 million exploit attempts tied to CVE-2026-4020, a flaw in Gravity SMTP's REST API layer that lets any unauthenticated visitor call a system-report endpoint and walk away with live API keys, OAuth tokens, and third-party email credentials.

The technical failure is almost banal in its simplicity. The vulnerable REST route is registered with a permission callback that unconditionally returns true, the WordPress idiom for a deliberately public endpoint, so no login is required. Append the right query parameter and the plugin returns a JSON payload containing PHP configuration, database table names, the site's full plugin inventory, and credentials for Amazon SES, Google, Mailjet, Resend, and Zoho. The CVSS score is a modest 5.3 because nothing is written and no code executes, but the practical impact of leaking active email-service credentials is considerably higher: stolen SES keys let an attacker run phishing or spam campaigns billed to the victim's AWS account, and a compromised Google OAuth token can reach well beyond outbound email depending on which scopes were granted.

The scale of the campaign sharpens the concern. Exploitation peaked at over 4 million requests per day around June 6, and Wordfence traced the traffic to ten originating IP addresses, suggesting a coordinated automated sweep of the roughly 100,000 sites running the plugin rather than opportunistic probing. The patch landed in version 2.1.5, but a plugin update alone is not sufficient remediation here: credentials exposed before the update was applied remain valid until rotated, which means the cleanup window is longer and more manual than a simple one-click upgrade.
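Because the patch does not invalidate anything already stolen, the practical question for a site owner is whether the report was actually pulled before 2.1.5 went in. The following triage script is an added example, not Wordfence's tooling or the plugin's code: it scans an access log for GET requests to the system-report route, counts attempts per source IP and per day (the signals Wordfence reported), and flags credential rotation when a report-sized 200 response was served before the patch timestamp. The route path, the query parameter, the 100 KB "report-sized" threshold, and the log lines are all assumptions constructed for the example; the article names neither the route nor the parameter.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Hypothetical route: the article only says "a system-report endpoint" reached
# by appending a query parameter. Replace with the real plugin route.
REPORT_ROUTE = re.compile(r"/wp-json/gravitysmtp/[^ ]*system[-_]report", re.I)

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A 200 response this large from an anonymous GET is the full report leaking;
# the article cites a 365 KB payload. The threshold is a judgement call.
LEAK_BYTES = 100_000

# Constructed sample log (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:11:02:13 +0000] "GET /wp-json/gravitysmtp/v1/system-report?format=json HTTP/1.1" 200 374001 "-" "python-requests/2.32"
203.0.113.7 - - [05/Jun/2026:11:02:14 +0000] "GET /wp-json/gravitysmtp/v1/system-report?format=json HTTP/1.1" 200 374001 "-" "python-requests/2.32"
198.51.100.23 - - [06/Jun/2026:03:40:51 +0000] "GET /wp-json/gravitysmtp/v1/system-report HTTP/1.1" 200 374001 "-" "curl/8.5.0"
192.0.2.44 - - [06/Jun/2026:09:12:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Jun/2026:00:01:09 +0000] "GET /wp-json/gravitysmtp/v1/system-report HTTP/1.1" 403 112 "-" "curl/8.5.0"
"""

# Assumed moment 2.1.5 was installed on this site (the 403 above is post-patch).
PATCHED_AT = datetime(2026, 6, 6, 12, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def exploit_hits(lines):
    """Every GET aimed at the system-report route, whether or not it succeeded."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and REPORT_ROUTE.search(rec["path"]):
            hits.append(rec)
    return hits


def triage(lines, patched_at):
    """Summarise exploit traffic and decide whether credentials must be rotated.

    patched_at is a timezone-aware datetime for when the fixed version went in.
    A report-sized 200 before that moment means the credentials in the report
    are in an attacker's hands and every one of them must be rotated.
    """
    hits = exploit_hits(lines)
    leaks = [
        h for h in hits
        if h["status"] == 200 and h["size"] >= LEAK_BYTES and h["ts"] < patched_at
    ]
    return {
        "attempts": len(hits),
        "per_ip": Counter(h["ip"] for h in hits),
        "per_day": Counter(h["ts"].date().isoformat() for h in hits),
        "leaked_before_patch": len(leaks),
        "rotate_credentials": bool(leaks),
        "first_leak": min((h["ts"] for h in leaks), default=None),
    }


def run_sample():
    """Triage the constructed sample log against the assumed patch time."""
    return triage(SAMPLE_LOG.splitlines(), PATCHED_AT)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Run it against a real log with `triage(open(path).readlines(), patched_at)`. The per-IP counter is what lets you recognise the concentrated sweep Wordfence described; the `rotate_credentials` flag is the decision that matters, and it stays true even for a single pre-patch leak.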

The reporting does not address how many of the 100,000 affected sites have actually updated, or what attackers are doing with harvested credentials beyond the obvious spam-and-phish scenario. There is also no disclosure timeline for when the flaw was reported to the plugin authors, so how long the window between discovery and patch stayed open is unclear.

For teams managing WordPress infrastructure the action is straightforward: update to 2.1.5 and immediately rotate every credential the plugin could have touched, which means issuing new keys at each provider and revoking the old ones there, not merely pasting a fresh value into the plugin settings. The broader opportunity here sits with email providers: Amazon SES, Google, and Mailjet have visibility into sending-pattern anomalies and could, in principle, cross-reference keys appearing on threat-intelligence feeds to flag or suspend abuse before victims even know their credentials were taken. That kind of coordinated provider response is still rare, but a campaign this large and well-documented makes a reasonable case for it.