WordPress Plugin Flaw Exposes Email Credentials in Plain Sight as Millions of Attacks Mount

A permission callback that always returned true let unauthenticated visitors download full system reports and live email API keys from Gravity SMTP. With over 17 million attacks blocked and active scanning continuing, thousands of WordPress sites remain exposed. Immediate updates and credential rotation are essential.
Written by Emma Rogers

A simple permission check that always returned true. That decision now haunts thousands of WordPress sites. Attackers scan for it relentlessly. They pull down hundreds of kilobytes of configuration data in a single unauthenticated request. And they walk away with live API keys for major email services.

The vulnerability sits inside Gravity SMTP, a plugin built to route transactional and marketing emails through providers such as Amazon SES, Google, Mailjet, Resend and Zoho. Roughly 100,000 active installations rely on it. Yet until version 2.1.5 arrived on March 17, 2026, any visitor could query a REST endpoint and receive a complete system report. The data dump ran about 365 kilobytes. It listed PHP versions, loaded extensions, database details, active plugins, theme information and, most damaging, every stored credential the plugin held.

Wordfence first disclosed the issue publicly on March 30. Researchers there assigned it CVE-2026-4020 and a CVSS score of 5.3. The rating reflected medium severity on paper. Reality proved far harsher. By early June the company’s firewall had already blocked more than 17 million exploit attempts. One day alone, June 7, saw over four million requests. Wordfence reported the surge and published attacker IP ranges for immediate blocking.

The flaw itself is almost embarrassingly straightforward. The endpoint lives at /wp-json/gravitysmtp/v1/tests/mock-data. Its permission_callback function returned true unconditionally. Add the query parameter ?page=gravitysmtp-settings and the plugin’s register_connector_data method eagerly assembles every connector’s secrets. No login. No nonce. Just data. CrowdSec observed the first confirmed in-the-wild attempts on May 27. Within days the pattern had become background noise in its global sensor network, meaning automated bots had folded the technique into routine scans. CrowdSec tracked 412 distinct attacking IPs in the initial window.
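The article's description of the flaw, rendered as code: an added, hypothetical WordPress route registration (not Gravity SMTP's own source) showing the unconditional permission callback beside a hardened version that checks a capability and redacts secrets. The function names, the connector array and the placeholder key are assumptions; the route path and query parameter are the ones named above.

```php
<?php
// Added illustration, not Gravity SMTP's own code: the route and parameter name
// come from the article; function names, connector array and placeholder key are
// hypothetical. A plugin would register ONE of the two variants, never both.

// Vulnerable pattern: __return_true answers "allowed" for every caller, so an anonymous
// GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings reaches the callback.
function example_register_vulnerable_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_raw_report', // hypothetical: returns secrets verbatim
        'permission_callback' => '__return_true',            // the flaw: nobody is ever refused
    ) );
}

// Hardened pattern: require an administrative capability (a cookie-authenticated REST
// call only carries a user when a valid X-WP-Nonce is present, so this also enforces
// the nonce) and strip secrets before the payload leaves the server.
function example_register_hardened_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_redacted_report',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' ) ? true
                : new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
        },
        'args' => array( 'page' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_key' ) ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );

// Mask credential-bearing fields so even an authorised report never echoes a full key.
function example_redact_connector( array $connector ) {
    foreach ( array( 'api_key', 'access_token', 'refresh_token', 'client_secret' ) as $field ) {
        if ( ! empty( $connector[ $field ] ) ) {
            $connector[ $field ] = str_repeat( '*', 8 ) . substr( (string) $connector[ $field ], -4 );
        }
    }
    return $connector;
}

function example_build_redacted_report( WP_REST_Request $request ) {
    // Hypothetical stored connector settings with a placeholder value, not a real key.
    $connectors = array( 'ses' => array( 'api_key' => 'PLACEHOLDER-KEY-0000-ABCD' ) );
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'connectors'  => array_map( 'example_redact_connector', $connectors ),
    ) );
}
```

Even with the capability check in place, a diagnostic endpoint should return masked values; the redaction is what limits the blast radius if the permission layer ever regresses again.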

But the real damage lies in what the JSON actually contains. Live API keys. OAuth tokens. Secrets that remain valid even after an administrator updates the plugin. Rotation becomes mandatory. Yet many site owners treat plugin updates as optional maintenance rather than urgent incident response. That delay turns a patched vulnerability into persistent credential exposure.

Osvaldo Noe Gonzalez Del Rio, the researcher credited in several databases, uncovered the bug through standard REST API enumeration. His findings reached Wordfence’s threat intelligence team, which quickly mapped the full impact. The exposed system report does more than leak credentials. It hands attackers a precise blueprint: exact WordPress version, every installed plugin and its release number, database table prefixes, document root paths. Follow-on exploits become surgical instead of speculative.

And the timing matters. The patch shipped in mid-March. Public disclosure followed two weeks later. Exploitation only accelerated in late May. That two-month gap suggests either delayed discovery by threat actors or deliberate waiting until attention shifted elsewhere. Either way, the window exposed a classic security reality. Patches sit idle while sites linger on vulnerable code.

Similar patterns have appeared across the WordPress ecosystem this year. Backdoored plugins purchased through marketplaces and left dormant for months before activation. Arbitrary file deletion bugs in popular page builders. Each incident reinforces the same lesson. Popularity does not equal scrutiny. Gravity SMTP’s 100,000 installs made it an attractive target once the flaw became known.

Site administrators face concrete steps now. Update to version 2.1.5 or newer immediately. Then locate every configured email connector inside the plugin settings. Generate fresh keys at the provider side. Revoke the old ones. Finally, search server access logs for the telltale endpoint. Any hit accompanied by that specific query parameter signals compromise. The National Vulnerability Database lists the CVE but notes limited enrichment due to resource constraints, directing readers to the original Wordfence analysis and the vendor changelog.
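For the log-review step above, here is an added PHP check (not from the article, Wordfence or the plugin) that flags combined-format access-log lines hitting the endpoint with the telltale query parameter, including the ?rest_route= form used on sites without pretty permalinks, and separates responses that served data from blocked attempts. The sample lines and the body-size threshold are constructed assumptions.

```php
<?php
// Added example, not from the article or the plugin: scan combined-format access
// logs for the unauthenticated Gravity SMTP report endpoint. The path and query
// parameter come from the article; the log lines below are constructed samples.
const GSMTP_ROUTE = '/gravitysmtp/v1/tests/mock-data';

// Parse one combined-format line (IP, timestamp, method, target, status, bytes).
function parse_access_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4],
                  'status' => (int) $m[5], 'bytes' => ( $m[6] === '-' ) ? 0 : (int) $m[6] );
}

// True when the request hits the report route with page=gravitysmtp-settings, via pretty
// permalinks (/wp-json/...) or ?rest_route=; parse_str also decodes percent-encoded forms.
function is_report_probe( string $target ): bool {
    $path = (string) parse_url( $target, PHP_URL_PATH );
    parse_str( (string) parse_url( $target, PHP_URL_QUERY ), $q );
    $route = isset( $q['rest_route'] ) ? $q['rest_route'] : preg_replace( '#^.*/wp-json#', '', $path );
    return rtrim( $route, '/' ) === GSMTP_ROUTE
        && isset( $q['page'] ) && $q['page'] === 'gravitysmtp-settings';
}

// Count probes per source IP. A 200 with a large body means the report left the server
// (the article puts it near 365 KB; the 100 KB threshold is an assumption); a 401/403 is a blocked attempt.
function summarise_probes( array $lines, int $leak_bytes = 100000 ): array {
    $summary = array();
    foreach ( $lines as $line ) {
        $req = parse_access_line( $line );
        if ( $req === null || ! is_report_probe( $req['target'] ) ) {
            continue;
        }
        $ip = $req['ip'];
        $summary[ $ip ] = $summary[ $ip ] ?? array( 'requests' => 0, 'likely_leaks' => 0 );
        $summary[ $ip ]['requests']++;
        if ( $req['status'] === 200 && $req['bytes'] >= $leak_bytes ) {
            $summary[ $ip ]['likely_leaks']++;
        }
    }
    return $summary;
}

$sample = array( // constructed lines; replace with file( 'path/to/access.log' )
    '203.0.113.10 - - [07/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2026:11:02:41 +0000] "GET /index.php?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 401 98 "-" "python-requests/2.31"',
    '192.0.2.5 - - [08/Jun/2026:11:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);
foreach ( summarise_probes( $sample ) as $ip => $s ) {
    printf( "%-15s requests=%d likely_leaks=%d\n", $ip, $s['requests'], $s['likely_leaks'] );
}
```

Any IP with a non-zero likely_leaks count should be treated as having obtained the report, which makes provider-side key rotation the priority rather than the blocklist.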

Security firms continue to watch the traffic. SentinelOne and others cataloged the issue in their databases shortly after disclosure. The Hacker News and additional outlets picked up the story as attack volumes climbed. Recent coverage on June 20 confirmed the campaign remains active, with opportunistic actors harvesting credentials that can fuel phishing or business email compromise campaigns.

Yet the broader implication stretches past one plugin. WordPress powers more than 40 percent of the web. Its plugin directory contains tens of thousands of extensions, many maintained by small teams or individual developers. A single overlooked callback can expose infrastructure at global scale. Organizations that treat these tools as set-and-forget infrastructure accept hidden risk. Those who audit permissions, rotate secrets on any update, and monitor logs stand a better chance.

The attacks show no sign of slowing. Wordfence continues to block millions more attempts each week. Attackers add the endpoint to their scanning lists and move on. For site owners still running versions 2.1.4 and below, the clock runs. Update. Rotate. Review logs. Anything less invites the next request that walks off with the keys.
