What happened (quick and messy)
Short version: a privacy faceplant in the Gravity SMTP WordPress plugin has been abused to spill sensitive data from sites — including email service credentials. The plugin, used on roughly 100,000 installs, had a medium‑severity bug tracked as CVE-2026-4020 (CVSS 5.3) that accidentally handed a huge dump of internal settings to anyone who asked nicely (or rudely).
Here’s the technical bellyflop: a REST API endpoint was registered without a proper permission check. When an unauthenticated GET request includes the ?page=gravitysmtp-settings flag, the plugin builds out connector details and returns about 365 KB of JSON — basically the entire System Report — to the caller.
- PHP version and loaded extensions
- Web server software and document root
- Database type and version, plus table names
- WordPress version, active plugins (and their versions), active theme
- WordPress configuration bits and paths
- Third‑party email credentials and tokens (Amazon SES, Google, Mailjet, Resend, Zoho, etc.)
Because the leak can include live third‑party credentials, attackers can not only send emails pretending to be your site, they can also use the detailed environment info as a roadmap for deeper attacks.
Security researchers observed exploit attempts starting in early May 2026, then exploding in June — one spike topped millions of requests per day. A security vendor has recorded over 17 million blocked attempts targeting this flaw so far.
Notable source IPs that were used in the scans and attacks include:
- 45.148.10.95
- 193.32.162.60
- 176.65.148.139
- 173.199.90.188
- 45.148.10.120
- 185.8.107.155
- 185.8.106.37
- 185.8.106.92
- 185.8.106.145
- 176.65.148.30
What you should do right now (no, really, do it)
If you run Gravity SMTP and use any third‑party email integrations: assume those credentials could be compromised. The plugin authors released a fix in version 2.1.5. Patch immediately, or remove/disable the plugin until you can patch.
After updating, treat exposed secrets like they were dunked in a public fountain — revoke and replace them. In short: rotate credentials. That means regenerating API keys, OAuth tokens, and any secrets used by your mail providers.
- Update Gravity SMTP to version 2.1.5 or later ASAP.
- Rotate API keys and tokens used by the plugin (Amazon SES, Google, Mailjet, Resend, Zoho, etc.).
- Check server logs for suspicious requests to the vulnerable endpoint and for connections from the IPs listed above.
- Look for unexpected outgoing emails, unauthorized user accounts, or signs of follow‑up intrusion.
- If you can’t update immediately, disable the plugin and block requests to the REST endpoint at the webserver or firewall level.
Finally, take a breath, fix the mess, and consider tightening permissions and secrets management so a single bug can’t hand out your house keys. And yes, make backups — but maybe don’t store secrets in them.