Critical Vulnerability in Gravity SMTP Plugin Exploited, Over 17 Million Attempts Blocked
June 20, 2026
The flaw, tracked as CVE-2026-4020, affects all versions up to 2.1.4 and was fixed in version 2.1.5, released March 17.
Security guidance and promotional material from Picus emphasize layered defense and detections across SIEM/EDR in response to breaches and attacks.
Defiant/Wordfence reports that the flaw is actively exploited, with over 17 million blocked attempts and a peak of about 4 million requests in a single day around June 7.
Attackers can use exposed credentials to impersonate the site, abuse connected email services, and gather detailed system information to plan further attacks.
A notable indicator of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in web-server logs, especially when the query string ?page=gravitysmtp-settings is present.
Wordfence notes that impact depends on what data is exposed, but exposure of live API credentials and server details significantly facilitates follow-on attacks.
Exploitation occurs when the endpoint is called with ?page=gravitysmtp-settings, returning about 365 KB of JSON containing the full System Report.
The exposed data includes detailed system information, WordPress configuration, database details, and API keys/tokens for third-party email services such as Amazon SES, Google, Mailjet, Resend, and Zoho.
There is a vulnerability in Gravity SMTP, a WordPress plugin used on about 100,000 sites, that allows unauthenticated attackers to access sensitive data through a REST API endpoint due to a permissive permission check.
The System Report that is exposed contains sensitive data including API keys, secrets, OAuth tokens for email integrations, credentials for third-party services, WordPress config, and server/PHP environment and database details.
Separately, there is a critical unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin (CVE-2026-8713) fixed in 3.15.4; no active exploitation noted.
The flaw is CVE-2026-4020 with a medium severity (CVSS 5.3) and saw rapid exploitation after a patch was released in Gravity SMTP 2.1.5.
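To hunt for the indicator described above in web-server access logs, here is an added example (my code, not Wordfence's or the plugin's) that flags any request to the mock-data route and separately marks the page=gravitysmtp-settings variant as the high-confidence hit; it also checks the ?rest_route= form WordPress uses when pretty permalinks are off, which goes beyond the indicator stated in the summary. The log lines are constructed samples, not real traffic.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator values from the advisory summary above.
IOC_ROUTE = "/gravitysmtp/v1/tests/mock-data"
IOC_PARAM, IOC_VALUE = "page", "gravitysmtp-settings"

# Apache/nginx combined log format: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def classify_request(target: str) -> Optional[str]:
    """Return 'settings-dump' for the high-confidence indicator (mock-data route
    plus page=gravitysmtp-settings), 'endpoint-probe' for any other request to
    the route, or None when the request is unrelated."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    path = unquote(parts.path).rstrip("/")
    # Pretty-permalink form (/wp-json/...) and the ?rest_route= form (assumed equivalent).
    routes = [path[len("/wp-json"):]] if path.startswith("/wp-json/") else []
    routes += [r.rstrip("/") for r in query.get("rest_route", [])]
    if IOC_ROUTE not in routes:
        return None
    if IOC_VALUE in query.get(IOC_PARAM, []):
        return "settings-dump"
    return "endpoint-probe"

def scan_access_log(lines):
    """Return one finding dict per matching line; status and bytes let an analyst
    judge whether the call succeeded (the summary cites ~365 KB of JSON)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        verdict = classify_request(m["target"]) if m else None
        if verdict:
            findings.append({"ip": m["ip"], "time": m["ts"], "verdict": verdict,
                             "status": int(m["status"]),
                             "bytes": 0 if m["size"] == "-" else int(m["size"])})
    return findings

# Constructed sample lines, not real traffic: two indicator hits, one benign.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jun/2026:03:14:08 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Jun/2026:03:14:09 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 87 "-" "curl/8.5.0"',
    '192.0.2.3 - - [07/Jun/2026:03:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4532 "-" "Mozilla/5.0"',
]
```

Run `scan_access_log` over your real access log lines; a 200 response with a body size in the hundreds of kilobytes on a settings-dump hit is the case to treat as a probable credential exposure.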
Summary based on 2 sources
Sources

The Hacker News • Jun 20, 2026
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
BleepingComputer • Jun 19, 2026
Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin