A WordPress mail plugin should not publish your infrastructure blueprint
The CrowdSec Network is tracking CVE-2026-4020, an information disclosure vulnerability in the Gravity SMTP WordPress plugin from RocketGenius. The issue was published on 31 March 2026, CrowdSec released detection coverage on 22 May, and the first observed in-the-wild exploitation was on 27 May. As of 1 June, CrowdSec has seen 412 distinct attacking IPs targeting the bug, and exploitation has already shifted into Background Noise. That means this is no longer niche researcher traffic or one-off probing. Attackers have added it to the checklist.

Key findings
- The exposure is operationally useful to attackers: unauthenticated requests can return a large system report containing WordPress version details, active plugins, server information, database metadata, and, in some cases, API keys or tokens configured in the plugin.
- The activity is already broad enough to matter: CrowdSec has observed 412 distinct attacking IPs between May 27 and June 1, with week-over-week telemetry showing a clear increase in exploitation pressure.
- The target mix is business-relevant: most observed victim activity falls in commerce environments (55%) and SOHO deployments (39%). Here, SOHO refers to small office and home office environments, which are a familiar target set for opportunistic WordPress attacks seeking easy follow-on access.
What is Gravity SMTP?
Gravity SMTP is a WordPress plugin designed to improve email delivery for websites built on the WordPress ecosystem. It helps site owners and administrators connect WordPress to external mail providers so contact forms, notifications, account messages, and transactional email actually reach users instead of disappearing into the void.
Why it matters: email plugins tend to sit in a quietly privileged place. They are trusted by administrators, connected to external services, and often configured with credentials, tokens, and detailed environment settings. When a bug exposes that data, attackers do not just learn that a plugin is installed. They get a map of the house. And once someone has the floor plan, the next break-in gets much easier.
How does CVE-2026-4020 work?
According to the public vulnerability record and detection materials, the flaw stems from a REST API endpoint exposed without proper access controls. In affected versions of Gravity SMTP, the endpoint /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings can be queried by an unauthenticated visitor because the permission check always returns true.
That request can trigger the plugin to assemble and return a detailed system report in JSON format. The exposed data may include:
- PHP and web server versions
- loaded extensions and document root paths
- WordPress version and active theme details
- a list of installed plugins and versions
- database platform and table details
- plugin configuration values, including possible API keys or tokens
This is not remote code execution by itself, but it is exactly the kind of exposure attackers love during the reconnaissance phase. It helps them tailor follow-on attacks, identify additional weak plugins, and prioritize targets with useful secrets already exposed.
Original publication: Wordfence vulnerability record for CVE-2026-4020
Additional reference: Patchstack advisory for Gravity SMTP
Detection reference: ProjectDiscovery Nuclei template for CVE-2026-4020
Follow the research teams here: Wordfence on LinkedIn and X, Patchstack on LinkedIn and X
Threat Landscape Analysis
CrowdSec telemetry currently classifies this activity as Background Noise, which is often the least dramatic label with the most practical meaning. It means the bug has entered the routine automation layer of the internet. Attackers are not carefully selecting one or two high-value targets. They are sweeping large numbers of WordPress sites in search of easy wins.
The geographic spread supports that reading. The top observed attacking countries include France, the Netherlands, and the United States, which is more consistent with distributed cloud and hosting infrastructure than with a narrowly targeted campaign. On the victim side, commerce environments stand out most clearly, followed by SOHO deployments. That pattern fits the kind of WordPress attack traffic that prioritizes scale, monetization potential, and weak patch discipline.
The most important detail in the CrowdSec context is intent. The strongest observed attacker objective for this CVE is infrastructure takeover (83%), far ahead of pure data theft. In other words, the exposed report is useful because it helps attackers decide how to come back with something worse.

How to protect your systems
Patch: Upgrade Gravity SMTP immediately to version 2.1.5 or later. All versions up to and including 2.1.4 are affected.
Preemptive blocking: If you cannot patch right away, place a protective layer in front of internet-facing WordPress sites. The CrowdSec Security Engine and CrowdSec WAF can help detect and block hostile probing before attackers chain this into a larger compromise.
Stay proactive: For instant monitoring of how this CVE evolves, follow the CrowdSec Live Exploit Tracker for CVE-2026-4020.
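As an added example (not CrowdSec's code and not the plugin's), the script below scans constructed web-server access-log lines for requests to the mock-data endpoint described in the "How does CVE-2026-4020 work?" section, which is the probing that the blocking advice above is meant to catch. It goes slightly beyond the advisory's one URL by also covering the ?rest_route= query form that WordPress accepts for REST routes, and it reports per-IP probe counts plus how many probes were answered with HTTP 200 (a sign the report was actually served). The combined log format, the IPs and the timestamps are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" access-log layout (assumed; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# REST route from the advisory, without the /wp-json prefix.
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"

def is_vuln_probe(target: str) -> bool:
    """True when a request target hits the mock-data route with page=gravitysmtp-settings."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()          # decode %2F etc.; route match is case-insensitive
    qs = parse_qs(parts.query, keep_blank_values=True)
    route = None
    marker = "/wp-json/"
    if marker in path:                           # pretty-permalink form, also under a subdirectory
        route = "/" + path.split(marker, 1)[1]
    elif "rest_route" in qs:                     # plain-permalink form: /?rest_route=/gravitysmtp/...
        route = qs["rest_route"][0].lower()
    if route is None or route.rstrip("/") != VULN_ROUTE:
        return False
    return qs.get("page", [""])[0] == "gravitysmtp-settings"

def scan_log(lines):
    """Count probes per source IP, and how many of them were answered 200 (report likely served)."""
    probes, served = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_vuln_probe(m["target"]):
            continue
        probes[m["ip"]] += 1
        if m["status"] == "200":
            served[m["ip"]] += 1
    return probes, served

# Constructed sample lines: two successful probes, one blocked probe, two unrelated requests.
SAMPLE_LOG = """\
203.0.113.10 - - [27/May/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18342
203.0.113.10 - - [27/May/2026:10:01:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 97
198.51.100.7 - - [28/May/2026:03:14:00 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data&page=gravitysmtp-settings HTTP/1.1" 200 18342
192.0.2.44 - - [28/May/2026:09:00:00 +0000] "GET /blog/wp-json/GravitySMTP/v1/tests/mock-data/?page=gravitysmtp-settings HTTP/1.1" 403 12
192.0.2.44 - - [28/May/2026:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    probes, served = scan_log(SAMPLE_LOG.splitlines())
    for ip, n in probes.most_common():
        print(f"{ip}: {n} probe(s), {served[ip]} answered 200")
```

An IP in the served counter means the site returned a body to an unauthenticated request for the settings report, so treat those hosts as unpatched until the upgrade to 2.1.5 or later is confirmed.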
