Hackers have turned a coding blunder in the Gravity SMTP WordPress plugin into a gold mine for stealing secrets. The flaw leaks sensitive API keys and system data from over 100,000 sites with a single unauthenticated request.

The vulnerability, tagged CVE-2026-4020, resides in a REST API endpoint that skips all authentication. Anyone who queries /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings gets a massive 365 KB JSON dump. This report spills API keys, OAuth tokens, email service credentials, WordPress versions, server details, plugin lists, and database info.

This isn’t minor. Attackers can hijack email services like Amazon SES, Mailjet, Zoho, and Resend to send phishing emails or launch business email compromise attacks. The detailed system snapshot also lays out the site’s entire software stack, making it easier to find other weak spots.

Despite a patch released in March 2026, exploitation only exploded in May. Wordfence recorded over 17 million blocked attempts, with a peak of 4 million in a single day. The delay suggests attackers reverse-engineered the patch or found the flaw independently after it was publicized.

The flaw’s root cause is laughably simple: a permission callback that always returns true. No credentials needed. This basic mistake slipped through development and review, exposing high-value data on a widely installed plugin.

Wider Impact and Attack Patterns

The exposed data isn’t just a privacy headache. It lets attackers impersonate legitimate sites by abusing email credentials. They can send deceptive emails to customers, partners, or staff, increasing the risk of fraud.

Besides email hijacking, exposed plugin and server versions provide a blueprint for further attacks. Hackers can scan for known vulnerabilities in specific plugins or outdated software versions, amplifying their control. This reconnaissance tool lowers their effort and speeds up exploitation.

Most affected sites fall into two categories: e-commerce stores and small office/home office setups. Both tend to use transactional email services integrated with Gravity SMTP, meaning their API keys are ripe for theft. SOHO environments often lack robust monitoring, letting attackers operate with little resistance.

Automated scanners quickly adopted the exploit. CrowdSec tracked 412 unique attacking IPs within days of the first public exploitation. This is no targeted campaign. It’s a mass scanning operation looking for any vulnerable WordPress install.

Mitigation and What Comes Next

First, update Gravity SMTP to version 2.1.5 or later. The patch closes the vulnerable endpoint and fixes a related authentication bypass issue that could amplify damage. But patching isn’t enough.

API keys and OAuth tokens exposed before the patch must be rotated immediately. Stolen credentials don’t expire with an update. Sites left with old keys remain at risk of email abuse.

Site admins should also scan access logs for suspicious requests targeting the vulnerable endpoint. Blocking known malicious IPs can help, but it won’t stop determined attackers fully.

This incident underscores a painful truth: authentication checks on REST API endpoints are non-negotiable. Small coding errors can turn into large-scale data leaks. WordPress’s sprawling plugin ecosystem remains a juicy target—especially when security corners are cut.

Gravity SMTP’s flaw is a textbook example of how moderate-severity bugs can escalate into serious breaches. The plugin ecosystem’s complexity and patch delays mean attackers have plenty of time to exploit weaknesses before sites catch up.

WordPress admins, stop treating updates as optional. The threat landscape is relentless. Missing a patch today could mean handing your site’s keys to hackers tomorrow.