HomeIntelligenceBrief
VULNERABILITY BRIEF🟡 Medium Vulnerability

Unauthenticated Info‑Disclosure Bug in Gravity SMTP WordPress Plugin Exposes Email Service Credentials on ≈100 K Sites

A medium‑severity vulnerability (CVE‑2026‑4020) in the Gravity SMTP WordPress plugin lets anyone retrieve a system report containing API keys and server details. The exposure bypasses SOC 2 access‑control safeguards, highlighting the need for continuous control mapping and evidence collection.

LiveThreat™ Intelligence · 📅 June 20, 2026· 📰 bleepingcomputer.com
🟡
Severity
Medium
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

Unauthenticated Info‑Disclosure Bug in Gravity SMTP WordPress Plugin Exposes Email Service Credentials on ≈100 K Sites

What Happened – A medium‑severity vulnerability (CVE‑2026‑4020) in the Gravity SMTP WordPress plugin allows anyone to query an unauthenticated REST endpoint and retrieve a JSON “System Report.” The report can contain API keys, OAuth tokens, and configuration details for third‑party email services (Amazon SES, Google, Mailjet, etc.).

Why It Matters for Compliance & Audit Readiness

  • The flaw bypasses SOC 2 Access Control requirements (CC6.1, CC6.2) by exposing secrets without authentication, creating a direct path to credential theft.
  • Continuous‑compliance programs must capture evidence that all third‑party integrations are protected by proper permission checks and that any discovered misconfigurations are remediated promptly.
  • Verisq’s Control‑Mapping capability lets you map this exposure to the relevant SOC 2 controls, collect real‑time evidence of remediation, and store it in the Trust Center for audit reviewers.

Who Is Affected – SaaS platforms, digital agencies, e‑commerce sites, and any organization running WordPress sites that have installed Gravity SMTP (estimated ≈100 k sites across multiple industries).

Recommended Actions

  • Immediately upgrade to Gravity SMTP v2.1.5 or later.
  • Review web server logs for requests to /wp‑json/gravitysmtp/v1/tests/mock-data and block offending IPs.
  • Conduct a control‑mapping exercise: map the plugin’s permission callback to SOC 2 CC6.1 (Logical Access Controls) and capture remediation evidence in your compliance repository.
  • Validate that all third‑party email API keys are rotated and stored in a secrets‑management solution.

Source: BleepingComputer

Technical Notes – The vulnerability stems from a REST endpoint whose permission_callback always returns true, allowing unauthenticated GET requests. No CVE‑specific exploit code is required; attackers only need to issue a simple HTTP request. The disclosed data includes API keys, OAuth tokens, WordPress version, installed plugins, server/PHP details, and database configuration. Source: same article

📰 Original Source
https://www.bleepingcomputer.com/news/security/hackers-exploit-info-disclosure-bug-in-gravity-smtp-wordpress-plugin/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →