ctipilot.ch

Gravity SMTP WordPress plugin unauthenticated credential-dump (CVE-2026-4020)

Entity type: cve · CVE-2026-4020

  • Coverage timeline: 1 (first 2026-06-21 → last 2026-06-21)
  • Briefs: 1 (1 distinct)
  • Sources cited: 4 (3 hosts)
  • Sections touched: 1 (trending_vulns)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-06-21 · CTI Daily Brief — 2026-06-21 · trending_vulns
     First coverage. Unauth REST endpoint dumps email-connector API keys/OAuth tokens; ~17M blocked exploitation attempts; patch 2.1.5 (2026-03-17), mass-exploited from ~May.

Where this entity is cited

  • trending_vulns (1)

Source distribution

  • attack.mitre.org: 2 (50%)
  • github.com: 1 (25%)
  • thenextweb.com: 1 (25%)

Related entities

Items in briefs about Gravity SMTP WordPress plugin unauthenticated credential-dump (CVE-2026-4020) (1)

CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated config-dump of email-connector credentials, mass-exploited

From CTI Daily Brief — 2026-06-21 · published 2026-06-21

CVE-2026-4020 is an unauthenticated information-disclosure flaw in the Gravity SMTP WordPress plugin (all versions through 2.1.4). A REST endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data ships with a permission_callback that unconditionally returns true; an unauthenticated request triggers the plugin's register_connector_data() routine, which returns a roughly 365 KB JSON system report containing API keys and OAuth tokens for every configured email connector (Amazon SES, Google Workspace, Mailjet, Resend, Zoho), plus WordPress/PHP versions, database configuration and the active-plugin inventory (The Next Web, 2026-06-20). The fix shipped in version 2.1.5 on 2026-03-17 (GitHub Advisory GHSA-jxfc-8wcq-xxcg), but mass exploitation began roughly two months later: defenders report on the order of 17 million blocked exploitation attempts, peaking in early June (The Next Web, 2026-06-20). WordPress is pervasive across European public-sector and government communications sites; any instance that ran a pre-2.1.5 version should be treated as having had its email-connector credentials harvested.

The vulnerability clears the § 2 bar on confirmed in-the-wild mass exploitation (vendor-blocked-request telemetry), not on a KEV/EUVD listing. Detection: search web-server access logs for GET requests to /wp-json/gravitysmtp/v1/tests/mock-data (often with a ?page=gravitysmtp-settings parameter) from external IPs; a ~365 KB response body is a distinctive marker that the report was actually served. Maps to T1190 (Exploit Public-Facing Application) and T1552.001 (Unsecured Credentials: Credentials In Files). Remediation is two-step, and the second step is the one most sites miss: upgrade to ≥ 2.1.5, then rotate every SES / Google / Mailjet / Resend / Zoho credential the plugin held, since the patch closes the leak but does not invalidate already-exfiltrated tokens.
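The access-log check described above, as an added example (not code from the brief, the vendor or the plugin) run over a few constructed combined-format log lines: it matches the route under both WordPress permalink styles (the /?rest_route= form goes beyond the brief's wording), separates internal from external sources, and flags a 200 with a report-sized body as a probable credential leak. The 300 KB threshold is an assumption derived from the ~365 KB figure; a 403 or a small body means the caller did not get the report.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ROUTE = "/gravitysmtp/v1/tests/mock-data"
LEAK_BYTES = 300_000  # assumption: the full system report is ~365 KB; smaller 200s did not carry it
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Combined log format: ip ident user [time] "METHOD url proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
                    r"(?P<status>\d{3}) (?P<bytes>\d+|-)")

def is_mock_data_request(url):
    # WordPress serves REST routes as /wp-json/<route> (pretty permalinks) or as
    # /?rest_route=<route> (plain permalinks); match both and ignore other query args.
    parts = urlsplit(url)
    if parts.path.rstrip("/") == "/wp-json" + ROUTE:
        return True
    return parse_qs(parts.query).get("rest_route", [""])[0].rstrip("/") == ROUTE

def is_external(ip):
    # RFC 1918 and loopback sources are internal; anything else is treated as external.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. a hostname when the server resolves client addresses
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def scan_access_log(lines):
    # One record per request to the vulnerable route; "leaked" marks a report that was served.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_mock_data_request(m["url"]):
            continue
        status, size = int(m["status"]), (0 if m["bytes"] == "-" else int(m["bytes"]))
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "status": status, "bytes": size,
            "external": is_external(m["ip"]),
            # Only a 200 with a report-sized body means connector credentials left the server.
            "leaked": status == 200 and size >= LEAK_BYTES,
        })
    return hits

# Constructed sample lines (not real telemetry): hits in both URL forms, an internal admin test, a blocked request.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:10:14:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373248 "-" "python-requests/2.31"',
    '10.0.0.5 - - [02/Jun/2026:10:15:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 374011 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/Jun/2026:11:02:45 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data/ HTTP/1.1" 403 512 "-" "curl/8.4"',
    '198.51.100.44 - - [03/Jun/2026:09:00:00 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373900 "-" "curl/8.4"',
]
```

Any record with `external` and `leaked` both true is a site whose connector credentials should be assumed compromised and rotated, regardless of when the upgrade to 2.1.5 was applied.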