Unauthenticated Info‑Disclosure Bug in Gravity SMTP WordPress Plugin Exposes Email Service Credentials on ≈100 K Sites
What Happened – A medium‑severity vulnerability (CVE‑2026‑4020) in the Gravity SMTP WordPress plugin allows anyone to query an unauthenticated REST endpoint and retrieve a JSON “System Report.” The report can contain API keys, OAuth tokens, and configuration details for third‑party email services (Amazon SES, Google, Mailjet, etc.).
Why It Matters for Compliance & Audit Readiness
- The flaw bypasses SOC 2 Access Control requirements (CC6.1, CC6.2) by exposing secrets without authentication, creating a direct path to credential theft.
- Continuous‑compliance programs must capture evidence that all third‑party integrations are protected by proper permission checks and that any discovered misconfigurations are remediated promptly.
- Verisq’s Control‑Mapping capability lets you map this exposure to the relevant SOC 2 controls, collect real‑time evidence of remediation, and store it in the Trust Center for audit reviewers.
Who Is Affected – SaaS platforms, digital agencies, e‑commerce sites, and any organization running WordPress sites that have installed Gravity SMTP (estimated ≈100 k sites across multiple industries).
Recommended Actions
- Immediately upgrade to Gravity SMTP v2.1.5 or later.
- Review web server logs for requests to
/wp‑json/gravitysmtp/v1/tests/mock-dataand block offending IPs. - Conduct a control‑mapping exercise: map the plugin’s permission callback to SOC 2 CC6.1 (Logical Access Controls) and capture remediation evidence in your compliance repository.
- Validate that all third‑party email API keys are rotated and stored in a secrets‑management solution.
Source: BleepingComputer
Technical Notes – The vulnerability stems from a REST endpoint whose permission_callback always returns true, allowing unauthenticated GET requests. No CVE‑specific exploit code is required; attackers only need to issue a simple HTTP request. The disclosed data includes API keys, OAuth tokens, WordPress version, installed plugins, server/PHP details, and database configuration. Source: same article