CVE-2026-4020 · The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4.

01 · The Real Story

This is the building directory in your lobby handing out master-key copies to anyone who asks

CVE-2026-4020 is an unauthenticated REST API exposure in the Gravity SMTP WordPress plugin affecting all versions <= 2.1.4, fixed in 2.1.5. A request to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings can return a large system report with WordPress versioning, active plugins, server details, database metadata, paths, and potentially mail-provider API keys or tokens configured in the plugin.

The vendor's 7.5 HIGH baseline is directionally right, but the reason is not pure confidentiality loss in the abstract. In practice this is a low-friction internet-facing recon primitive that can expose reusable secrets and sharply improve follow-on exploitation, while the main downward pressure is population size: Gravity SMTP is a premium plugin tied to a Gravity Forms Elite/Nonprofit license, so the exposed population is much smaller than a mass-market free SMTP plugin.

"Unauthenticated internet recon that can spill API keys is patch-now HIGH, not hand-wavy info leak noise"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Fingerprint a reachable WordPress target

The attacker starts with commodity WordPress discovery, then probes the known plugin route using a Nuclei template or a one-line curl request. This is standard botnet-grade scanning, not tailored intrusion work.

Conditions required:

Target site is internet reachable
WordPress is reachable over HTTP/S
Gravity SMTP is installed

Where this breaks in practice:

Premium-plugin install base is materially smaller than free SMTP plugins
Some sites sit behind CDN/WAF rules that block noisy route probing
Internal-only or VPN-gated WordPress admin stacks reduce reachable population

Detection/coverage: Good network-side coverage if you already log wp-json requests. ProjectDiscovery added a Nuclei template, and WAFs can match the exact REST path plus page=gravitysmtp-settings.

STEP 02

Pull the exposed system report

The vulnerable endpoint's permission callback effectively allows unauthenticated access. Appending the settings page parameter causes the plugin to populate connector data and return roughly 365 KB of JSON describing the environment.

Conditions required:

Site runs Gravity SMTP <= 2.1.4
The REST path is not blocked upstream
No custom hardening has removed or filtered the endpoint

Where this breaks in practice:

Patched sites on 2.1.5+ stop this cold
Some WAFs or managed WordPress hosts may already have virtual patching
Certain deployments may expose less useful data depending on plugin configuration

Detection/coverage: Direct HTTP probing is easy to catch in reverse-proxy, CDN, or web-server logs. Vulnerability scanners can verify by requesting the route and checking for Gravity SMTP report markers.

STEP 03

Harvest secrets and stack intelligence

Attackers parse the JSON for mail connector settings, provider names, API keys/tokens, active plugin inventory, theme data, paths, and version numbers. That turns a generic WordPress target into an annotated roadmap for credential abuse, targeted chaining, and infrastructure profiling.

Conditions required:

Returned report includes configured connector or environment data
Attackers can parse JSON output at scale

Where this breaks in practice:

Not every installation will contain live reusable secrets
Some sensitive fields may be absent or already rotated
Leaked data alone does not guarantee site takeover

Detection/coverage: Low host-side telemetry unless you inspect web responses or WAF events. Secret-scanning of the returned JSON in a controlled validation environment is useful to determine blast radius.

STEP 04

Chain into abuse or follow-on compromise

The exposed report can support phishing infrastructure abuse via leaked mail-provider credentials, targeted exploitation of other vulnerable plugins listed in the report, or privilege-focused follow-on attacks using precise environment knowledge. This is why the bug matters more than a sterile 'info disclosure' label suggests.

Conditions required:

Leaked report contains reusable secrets or actionable version intel
Target also has another exploitable weakness or valuable mail account

Where this breaks in practice:

Requires a second action after disclosure; this is not one-shot RCE
Modern provider-side controls may flag anomalous API-key use
Chaining depends on what else is installed and exposed

Detection/coverage: Mail-provider audit logs, WAF telemetry, Wordfence/Patchstack virtual patch hits, and follow-on exploit traffic against enumerated plugins are the best signals.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	Yes, exploitation evidence exists. CrowdSec reports first observed exploitation on `2026-05-27`; by `2026-06-01` it had seen `412` attacking IPs and classified activity as background noise.
KEV status	Not KEV-listed as of `2026-06-01`. CISA's catalog does not list `CVE-2026-4020`, though CISA ADP earlier tagged exploitation as `none` on `2026-04-02` before later third-party exploitation telemetry appeared.
PoC / scanner availability	Public detection exists. ProjectDiscovery's `nuclei-templates` release notes include a `CVE-2026-4020` template; Atomic Edge also published a public proof-of-concept page.
EPSS	Current public telemetry is mixed over time. User-supplied EPSS was `0.12901`; more recent public references show about `6.02%` and `~90.7th percentile`. Treat it as non-trivial exploit probability, but less important than the direct exploitation telemetry.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` means unauthenticated remote reach with no user interaction. That's fair mechanically, but it overstates uniform impact because not every exposed report contains high-value secrets.
Affected versions	`Gravity SMTP <= 2.1.4`.
Fixed version	`2.1.5` with vendor changelog entry `Added security enhancements`. No distro backport channel is relevant here; this is a WordPress plugin update.
Exposure population	Reachability is broad, install base is narrower. Any public WordPress site running the plugin can be probed anonymously, but Gravity SMTP is only available with an active Gravity Forms Elite or Nonprofit license, which materially limits population versus free SMTP plugins.
Observed attack volume	Wordfence reported `11,516` blocked attacks in the prior 24 hours on its record page; CrowdSec separately reports hundreds of attacking IPs. There is no reliable Shodan/Censys banner count for plugin-specific exposure, so telemetry beats internet census here.
Disclosure / credit	Publicly disclosed around `2026-03-30` to `2026-03-31` depending on source. Research credit goes to Osvaldo Noe Gonzalez Del Rio (Os).

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to HIGH (8.0/10)

The decisive factor is unauthenticated remote reachability with real exploitation evidence: this is internet-scale recon that can leak reusable mail-provider secrets, not an academic local-only data leak. The strongest downward pressure is population size, because Gravity SMTP is a premium plugin and not every exposed report contains credentials that immediately translate into full compromise.

HIGH Affected version range and patch version

HIGH Unauthenticated exploitation path through the REST endpoint

MEDIUM Current real-world prevalence across enterprise WordPress estates

MEDIUM Post-disclosure exploitation intensity and downstream chaining impact

Why this verdict

Unauthenticated remote step: no login, no user click, no internal foothold. That keeps the vendor baseline high and removes the usual 'post-initial-access only' discount.
Active exploitation evidence: CrowdSec observed exploitation beginning 2026-05-27, and Wordfence shows meaningful blocked attack volume. Once WordPress bot traffic picks up a route like this, exposure becomes operational, not theoretical.
Impact is often more than config trivia: the report can include mail-provider API keys/tokens plus full plugin inventory and environment details, which directly amplifies follow-on abuse.
Population friction lowers the ceiling: Gravity SMTP is tied to a paid Gravity Forms license, so the reachable victim pool is materially smaller than free plugins with hundreds of thousands of public installs.
Chaining requirement prevents a Critical jump: for many victims this is still reconnaissance or secret exposure that needs a second move before site takeover or tenant-wide damage.

Why not higher?

This is not direct RCE, auth bypass, or one-shot admin takeover. The worst outcomes depend on what the returned report actually contains and whether the attacker can reuse exposed secrets or chain into another weakness. The premium-plugin install base also reduces mass population compared with the free-plugin disasters that justify CRITICAL.

Why not lower?

A MEDIUM would underweight the two things defenders actually care about: it is unauthenticated over the internet, and there is now exploitation telemetry. Even when no key is exposed, the endpoint still hands attackers a precise software bill of materials and environment profile for the target, which materially increases follow-on risk.

05 · Compensating Control

What to do — in priority order.

Block the vulnerable REST route now — Push a CDN/WAF/reverse-proxy rule for /wp-json/gravitysmtp/v1/tests/mock-data and specifically the page=gravitysmtp-settings variant. Because there is exploitation evidence, do this immediately, within hours, not on a monthly rules cycle.
Rotate exposed mail-provider secrets — If the endpoint was reachable from the internet at any time, assume connector API keys and tokens may have been exposed and rotate SendGrid/Mailgun/Postmark/Brevo/O365 credentials the same day. This closes the most damaging follow-on path even before all sites are patched.
Constrain public wp-json exposure where feasible — Use origin ACLs, bot management, or route-level policy to reduce unauthenticated access to unnecessary REST paths while preserving application functionality. Apply as an emergency risk reduction measure within hours for internet-facing estates that cannot patch immediately.
Review web and provider logs for this exact path — Search CDN, reverse-proxy, and web-server logs for requests to the vulnerable path and correlate with outbound email-provider usage anomalies. Start triage immediately, within hours, because exploitation is already being automated.
Disable or remove the plugin where unused — If Gravity SMTP is dormant, duplicated by another mail plugin, or only present on templates, remove the reachable surface entirely. For HIGH with exploitation evidence, complete this cleanup as soon as practical, starting now.

What doesn't work

MFA does not help against an unauthenticated public REST endpoint.
Hiding /wp-admin or changing login URLs doesn't matter; the vulnerable path is under wp-json`, not the login flow.
Endpoint monitoring without blocking is too passive once bot traffic has already operationalized the route.
Relying on plugin auto-updates eventually is not a mitigation plan when secrets may already have been disclosed.

06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation, bastion, or CI runner that can reach the target site over HTTPS. Invoke it as bash check-cve-2026-4020.sh https://example.com; no credentials are required, and no privileged access is needed because the test only performs a safe GET against the public REST path.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-4020.sh
# Detects likely exposure for CVE-2026-4020 on a public WordPress site.
# Usage: bash check-cve-2026-4020.sh https://example.com
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=usage/runtime error

set -u

if [ $# -ne 1 ]; then
  echo "Usage: $0 https://example.com"
  exit 3
fi

BASE="$1"
BASE="${BASE%/}"
URL="$BASE/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings"
TMP_BODY="$(mktemp)"
trap 'rm -f "$TMP_BODY"' EXIT

HTTP_CODE=$(curl -ksS -A "noisgate-cve-check/1.0" -m 20 -o "$TMP_BODY" -w "%{http_code}" "$URL")
CURL_RC=$?

if [ $CURL_RC -ne 0 ]; then
  echo "UNKNOWN - request failed to $URL"
  exit 2
fi

BODY_SIZE=$(wc -c < "$TMP_BODY" | tr -d ' ')

# Heuristics based on public advisories: vulnerable responses can be large JSON reports
# containing WordPress/system metadata and plugin inventory.
if [ "$HTTP_CODE" = "200" ]; then
  if grep -Eqi 'wordpress|active plugins|document root|database|php version|loaded extensions|theme' "$TMP_BODY"; then
    echo "VULNERABLE - endpoint returned identifiable system report content (HTTP 200, ${BODY_SIZE} bytes)"
    exit 1
  fi

  if [ "$BODY_SIZE" -ge 50000 ]; then
    echo "VULNERABLE - endpoint returned unusually large data consistent with exposed report (HTTP 200, ${BODY_SIZE} bytes)"
    exit 1
  fi

  if grep -Eq '^[[:space:]]*\{' "$TMP_BODY"; then
    echo "UNKNOWN - endpoint returned JSON but did not match strong report indicators (HTTP 200, ${BODY_SIZE} bytes)"
    exit 2
  fi
fi

if [ "$HTTP_CODE" = "401" ] || [ "$HTTP_CODE" = "403" ] || [ "$HTTP_CODE" = "404" ]; then
  echo "PATCHED - endpoint not publicly exposed in a vulnerable way (HTTP $HTTP_CODE)"
  exit 0
fi

if [ "$HTTP_CODE" = "200" ]; then
  echo "PATCHED - no strong signs of the vulnerable report were returned (HTTP 200, ${BODY_SIZE} bytes)"
  exit 0
fi

echo "UNKNOWN - unexpected HTTP status $HTTP_CODE from $URL"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this like an internet-facing secret spill: identify every site running Gravity SMTP, block the vulnerable REST path and start log review immediately, within hours because there is exploitation evidence in the wild, which overrides the normal noisgate mitigation SLA for a HIGH. Then move all affected sites to 2.1.5+, rotate any configured mail-provider credentials if exposure was possible, and complete remediation on an expedited change window; the formal noisgate remediation SLA for HIGH is <= 180 days, but waiting that long for a public unauthenticated disclosure route is not a serious enterprise posture.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.