CVE-2026-4020
Received Received - Intake
Sensitive Information Exposure in Gravity SMTP WordPress Plugin

Publication date: 2026-03-31

Last updated on: 2026-03-31

Assigner: Wordfence

Description
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4020
EUVD
EUVD-2026-17277
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gravityforms gravity_smtp to 2.1.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Gravity SMTP plugin for WordPress up to version 2.1.4 has a vulnerability that allows sensitive information exposure. This happens because a REST API endpoint (/wp-json/gravitysmtp/v1/tests/mock-data) has a permission callback that always returns true, meaning anyone can access it without authentication.

When the query parameter ?page=gravitysmtp-settings is added, the plugin returns a large JSON response (about 365 KB) containing a full System Report. This report includes detailed system configuration data such as PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with their versions, active theme, WordPress configuration details, database table names, and any API keys or tokens configured in the plugin.

Impact Analysis

This vulnerability can allow unauthenticated attackers to retrieve detailed and sensitive system information from your WordPress site. Exposure of such information can aid attackers in crafting targeted attacks, exploiting other vulnerabilities, or gaining unauthorized access.

  • Disclosure of PHP version and loaded extensions could reveal exploitable software versions.
  • Exposure of web server version and document root path can help attackers understand the server environment.
  • Revealing database server type, version, and table names can facilitate database attacks.
  • Listing all active plugins and their versions may expose known plugin vulnerabilities.
  • Exposure of API keys and tokens can lead to unauthorized use of integrated services.
Detection Guidance

This vulnerability can be detected by checking if the REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data is accessible without authentication and returns a large JSON response containing detailed system information.

A simple way to test this is to send an HTTP GET request to the endpoint with the query parameter ?page=gravitysmtp-settings appended and observe if sensitive system data is returned.

Example command using curl to detect the vulnerability:

  • curl -s -k https://your-wordpress-site.com/wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings

If the response contains a large JSON payload (~365 KB) with system configuration details such as PHP version, WordPress version, active plugins, and API keys, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to update the Gravity SMTP plugin to version 2.1.5 or later, as this version includes security enhancements that address this vulnerability.

If updating immediately is not possible, restrict access to the vulnerable REST API endpoint by implementing firewall rules or web server configurations to block unauthenticated access to /wp-json/gravitysmtp/v1/tests/mock-data.

Additionally, review and remove any sensitive API keys or tokens stored in the plugin configuration until the update is applied.

Compliance Impact

The vulnerability allows unauthenticated attackers to access detailed system configuration data, including API keys and tokens, which constitutes sensitive information exposure.

Such exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

By allowing unrestricted access to internal system and configuration details, this vulnerability undermines the confidentiality and security controls mandated by these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4020. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart