WordPress Security Bulletin: Gravity SMTP Plugin Vulnerability (CVE-2026-4020)

Security Alert Summary

The Gravity SMTP plugin for WordPress (all versions up to and including 2.1.4) exposes sensitive system configuration data through a publicly accessible REST API endpoint. An unauthenticated visitor can trigger the endpoint to return a large JSON system report that includes server, WordPress, plugin, theme, and API credential details.


CVE Details

  • CVE ID: CVE-2026-4020
  • Affected component: Gravity SMTP plugin for WordPress
  • Affected versions: All versions up to and including 2.1.4
  • Published: March 31, 2026 at 02:15:59 AM UTC
  • Last modified: March 31, 2026 at 02:15:59 AM UTC
  • CVSS v3.1: Base Score 7.5, Severity HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: No authentication required (PR:N). No user interaction required (UI:N). Attack via network (AV:N), low complexity (AC:L).
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • CWE / weakness: CWE-200 (Exposure of Sensitive Information)

Technical Details

The plugin registers a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback unconditionally returns true, so WordPress applies no authentication check to the route. When the query parameter ?page=gravitysmtp-settings is appended, the plugin's register_connector_data() method populates its internal connector data and the endpoint responds with approximately 365 KB of JSON containing the full System Report.

The returned report contains detailed system configuration and secrets discovered by the plugin, including but not limited to:

  • PHP version and loaded extensions
  • Web server version and document root path
  • Database server type and version
  • WordPress version, active plugins with versions, and active theme
  • WordPress configuration details and database table names
  • Any API keys or tokens configured in the plugin

The disclosure has two causes: the permission callback performs no access control, and the plugin logic that assembles the connector/system data runs for whoever calls the route. The behavior is an information disclosure; the endpoint does not modify site state.
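As an added illustration, not the plugin's code and not taken from the bulletin, the snippet below registers a route with the same class of defect beside a hardened version. The namespace example/v1, the callback and option names, and the report contents are hypothetical; the permission_callback pattern is the point.

```php
<?php
// Added example, not Gravity SMTP's own code. Route names, callbacks, the
// option name and the report contents are hypothetical; the
// permission_callback pattern is what matters.

// Vulnerable pattern: permission_callback always returns true, so WordPress
// serves the route to any unauthenticated visitor. This is the shape of the
// defect described in the bulletin.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/system-report', array(
        'methods'             => 'GET',
        'callback'            => 'example_system_report',
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened pattern: require an administrator capability and return a WP_Error
// for everyone else. An anonymous REST request runs as user 0 with no
// capabilities, so it receives HTTP 401 (rest_authorization_required_code()).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/system-report-admin', array(
        'methods'             => 'GET',
        'callback'            => 'example_system_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'Only administrators may view the system report.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );

// Mask a stored secret so the report stays useful for support but useless for reuse.
function example_mask_secret( string $value ): string {
    if ( strlen( $value ) <= 8 ) {
        return str_repeat( '*', strlen( $value ) );
    }
    return substr( $value, 0, 4 ) . str_repeat( '*', strlen( $value ) - 8 ) . substr( $value, -4 );
}

function example_system_report( WP_REST_Request $request ) {
    global $wpdb;
    // Hypothetical option name; the real plugin's storage is not shown here.
    $api_key = (string) get_option( 'example_smtp_api_key', '' );
    return rest_ensure_response( array(
        'php_version'  => PHP_VERSION,
        'wp_version'   => get_bloginfo( 'version' ),
        'table_prefix' => $wpdb->prefix,
        // Even behind a capability check, never echo the full key.
        'api_key'      => example_mask_secret( $api_key ),
    ) );
}
```

After deploying the hardened route, an anonymous GET to /wp-json/example/v1/system-report-admin returns HTTP 401 with the code rest_forbidden, while the same request carrying an administrator's cookie and X-WP-Nonce header returns the masked report. The equivalent check against a live site is an anonymous GET to /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings: a 200 response with a body of several hundred kilobytes means the site is still affected.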


How This Could Impact Your Website

Even a typical small-to-medium site has a site owner, internal staff (such as an editor), and external contractors (a developer or marketing consultant, for example) who rely on plugins and stored API keys to operate site features. If a site runs an affected version and the Gravity SMTP endpoint is reachable, an unauthenticated third party can retrieve configuration data revealing server details, active plugins and their versions, the theme, database table names, and any API keys stored by the plugin.

Practical consequences include targeted reconnaissance (an exact list of plugin versions points an attacker at whatever other vulnerabilities those versions carry), social engineering or phishing campaigns aimed at staff or contractors, and reuse of exposed API keys against the downstream services that accept them. The exposure is limited to information disclosure; the CVE does not describe remote code execution or any direct integrity or availability impact.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.


Recommended Actions

  • Update Gravity SMTP as soon as a release that fixes this issue (a version later than 2.1.4) is available. Until then, block unauthenticated requests to /wp-json/gravitysmtp/v1/tests/mock-data at the web server or WAF.
  • If a site ran an affected version while publicly reachable, assume any API keys or tokens stored in the plugin have been read, and rotate them at the issuing service.
  • Review and reduce unnecessary user roles, especially contributor and lower-privileged accounts with access to admin-facing pages. This does not close the unauthenticated endpoint, but it limits what a follow-on phishing campaign against staff can gain.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins and audit plugin settings for stored secrets.
  • Monitor web-server and WAF logs for requests to /wp-json/gravitysmtp/v1/tests/mock-data, especially 200 responses with bodies of several hundred kilobytes, which indicate the full report was served.
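A concrete form of the monitoring step, added here and not part of the bulletin: a PHP command-line script that scans access-log lines in the common "combined" format for requests to the mock-data route and flags the ones that look like a successful dump of the report. The log lines are constructed, and the 100 KB size threshold is an assumption chosen to sit well under the roughly 365 KB report the bulletin describes.

```php
<?php
// Added example, not from the bulletin or the plugin. Scans access-log lines
// for hits on the Gravity SMTP mock-data route. Sample lines are constructed;
// the size threshold is an assumption.

const TARGET_PATH = '/wp-json/gravitysmtp/v1/tests/mock-data';
const LARGE_BODY  = 100000; // bytes; the report described above is roughly 365 KB

// Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
const LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)~';

function scan_log_lines( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( LOG_RE, $line, $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }
        [ , $ip, $time, $method, $url, $status, $bytes ] = $m;
        if ( parse_url( $url, PHP_URL_PATH ) !== TARGET_PATH ) {
            continue;
        }
        parse_str( (string) parse_url( $url, PHP_URL_QUERY ), $query );
        $bytes  = ( $bytes === '-' ) ? 0 : (int) $bytes;
        $status = (int) $status;
        // The bulletin's trigger is page=gravitysmtp-settings; a 200 with a large
        // body means the full System Report was served to that client.
        $trigger = ( $query['page'] ?? '' ) === 'gravitysmtp-settings';
        $hits[]  = array(
            'ip'      => $ip,
            'time'    => $time,
            'method'  => $method,
            'status'  => $status,
            'bytes'   => $bytes,
            'verdict' => ( $status === 200 && $bytes >= LARGE_BODY )
                ? 'LIKELY DUMP'
                : ( $trigger ? 'TRIGGER, NO DUMP' : 'PROBE' ),
        );
    }
    return $hits;
}

// Constructed sample log lines: one full dump, an unrelated REST call, a bare
// probe without the trigger parameter, and a request rejected after patching.
$sample = array(
    '203.0.113.7 - - [31/Mar/2026:03:12:41 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 374912 "-" "python-requests/2.31"',
    '198.51.100.4 - - [31/Mar/2026:03:13:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Mar/2026:09:40:10 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 212 "-" "curl/8.4.0"',
    '203.0.113.7 - - [01/Apr/2026:11:05:33 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 401 96 "-" "curl/8.4.0"',
);

// Pass a real access log as the first argument; otherwise use the constructed sample.
$lines = ( isset( $argv[1] ) && is_readable( $argv[1] ) )
    ? file( $argv[1], FILE_IGNORE_NEW_LINES )
    : $sample;

foreach ( scan_log_lines( $lines ) as $hit ) {
    printf( "%-18s %-16s %-26s %3d %7d  %s\n",
        $hit['verdict'], $hit['ip'], $hit['time'], $hit['status'], $hit['bytes'], $hit['method'] );
}
```

Run it with `php scan.php /var/log/apache2/access.log`. Against the constructed sample it reports the first line as LIKELY DUMP (200, 374912 bytes), the third as PROBE (the route without the trigger parameter returns a small body), and the fourth as TRIGGER, NO DUMP (a 401 after the fix); the unrelated /wp/v2/posts call is ignored. A LIKELY DUMP entry on a site that ran an affected version is the signal to rotate the keys stored in the plugin.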

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
