Cybersecurity researchers are warning WordPress administrators about ongoing attacks targeting a recently fixed security flaw in the Gravity SMTP plugin, which is currently installed on nearly 100,000 websites.
The vulnerability, identified as CVE-2026-4020 and assigned a CVSS score of 5.3, is classified as a medium-severity information disclosure issue. The flaw enables unauthenticated attackers to access sensitive information, including configuration settings, API credentials, secrets, and OAuth tokens associated with the plugin’s email service integrations.
"This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it," Wordfence said.
"When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report."
By exploiting the weakness, attackers can gain access to a broad range of system details, including:
* PHP version
* Loaded extensions
* Web server version
* Document root path
* Database server type and version
* WordPress version
* Active plugins and their versions
* Active theme information
* WordPress configuration settings
* Database table names
* API keys and tokens configured for services such as Amazon SES, Google, Mailjet, Resend, and Zoho
Security experts note that the exposed credentials could allow malicious actors to send email through the affected website’s connected services. The detailed system information could additionally help attackers identify further weaknesses and stage follow-up attacks.
"As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed," Wordfence added. "In this case, the exposure of live third-party API credentials means an attacker could abuse the site's connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site."
The issue has been addressed in Gravity SMTP version 2.1.5. However, threat actors have already begun actively exploiting vulnerable installations by sending unauthenticated HTTP GET requests to the affected REST API endpoint with the "?page=gravitysmtp-settings" parameter appended; such a request causes the server to return the site information described above without any authentication.
According to Wordfence, more than 17 million exploitation attempts targeting CVE-2026-4020 have been blocked so far. Malicious activity was first observed in early May 2026 and surged significantly around June 6, 2026, peaking at more than 4 million requests within a single day.
The primary IP addresses associated with the attack activity are listed in Wordfence's report.
Website owners using affected versions of Gravity SMTP, particularly those with third-party email integrations enabled, are strongly advised to update to the latest version immediately. Security experts also recommend rotating all associated API credentials after updating, as a precautionary measure.
Administrators should further inspect server logs for requests originating from the identified IP addresses and review any suspicious activity involving the vulnerable API endpoint to determine whether their systems may have been targeted.
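Added example, not part of the article or of Wordfence's or Gravity SMTP's code: a small Python scanner that picks out access-log requests for the mock-data route quoted above, marks those carrying the ?page=gravitysmtp-settings parameter, and treats a successful response in the hundreds of KB as a likely System Report disclosure. It assumes combined-format web server logs; the sample lines and their IP addresses are constructed, and it also checks the ?rest_route= form of the WordPress REST path, which the article does not mention.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Combined-format access log lines, constructed for this example (IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:01:12 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:10:01:15 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jun/2026:10:02:01 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 373880 "-" "curl/8.0"
192.0.2.5 - - [06/Jun/2026:10:03:44 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jun/2026:10:04:10 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ROUTE = "/gravitysmtp/v1/tests/mock-data"   # the vulnerable REST route
DISCLOSURE_MIN_BYTES = 100_000              # the full System Report is ~365 KB of JSON

def classify(line):
    """Return a finding dict for a request to the mock-data route, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    # WordPress serves REST routes as /wp-json<route> or, with pretty permalinks
    # disabled, as /?rest_route=<route>; check both so neither form is missed.
    if url.path.startswith("/wp-json"):
        route = url.path[len("/wp-json"):]
    else:
        route = query.get("rest_route", [""])[0]
    if route.rstrip("/") != ROUTE:
        return None
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    settings = "gravitysmtp-settings" in query.get("page", [])
    return {
        "ip": m["ip"], "ts": m["ts"], "status": status, "size": size,
        "settings_param": settings,
        # only a successful, large response indicates the report actually left the server
        "likely_disclosure": settings and status == 200 and size >= DISCLOSURE_MIN_BYTES,
    }

def scan(log_text):
    return [f for f in map(classify, log_text.splitlines()) if f]

def disclosing_ips(log_text):
    """Sorted client IPs that appear to have received the System Report."""
    return sorted({f["ip"] for f in scan(log_text) if f["likely_disclosure"]})
```

A non-empty result from disclosing_ips is the trigger for the credential rotation recommended above, since the report contains the live API keys; a 403 or a small response means the request was blocked or the site was already patched.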