On March 30th, 2026, we publicly disclosed a Sensitive Information Exposure vulnerability in Gravity SMTP, a WordPress plugin with an estimated 100,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to retrieve detailed system configuration data and, critically, any API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The vendor released the fully patched version on March 17th, 2026, and we originally disclosed this vulnerability in the Wordfence Intelligence vulnerability database on March 30th, 2026. The Wordfence Firewall has already blocked over 17 million exploit attempts targeting this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 5, 2026. Sites using the free version of Wordfence received the same protection 30 days later on June 4, 2026. Unlike most vulnerabilities, the firewall rule protecting against this issue was not added as part of our standard vulnerability disclosure process, because our initial assessment of the vulnerability's severity fell below the threshold at which we create a firewall rule. However, we continuously monitor for attacks and new threats, so when we received reports of active exploitation, we immediately implemented a rule to protect against these attacks.
Considering this vulnerability is being actively exploited, we urge users to ensure their sites are updated with the latest patched version of Gravity SMTP, version 2.1.5 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Vulnerability Details
Gravity SMTP relies on a shared library, also used across other Gravity Forms products, that provides a configuration collection system. This system gathers the data that the plugin needs to pass to its JavaScript code via wp_localize_script(), organized so that each piece of its configuration is only loaded on the page or script where it is actually needed.
As part of this library, the plugin registers a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true. Because the permission callback never performs any authentication or capability check, the endpoint is accessible to any unauthenticated visitor:
register_rest_route( $this->rest_namespace, '/tests/mock-data', array(
    'methods'             => 'GET',
    'callback'            => array( $self, 'config_mocks_endpoint' ),
    'permission_callback' => function () {
        return true;
    },
) );
The endpoint’s callback, the config_mocks_endpoint() function in the Config_Collection_Service_Provider class, defines the GFORMS_DOING_MOCK constant and then collects and returns the config data:
public function config_mocks_endpoint() {
    define( 'GFORMS_DOING_MOCK', true );
    $data = $this->container->get( self::CONFIG_COLLECTION )->handle( false );
    return $data;
}
When the request includes the ?page=gravitysmtp-settings query parameter, the plugin populates the connector data used to build its settings screen, so that data is present among the configs at the time the mock dump runs. As a result, the endpoint returns a JSON object containing the plugin’s full System Report.
This System Report includes a wide range of sensitive information about the site, such as the PHP version and loaded extensions, the web server version and document root path, the database server type and version, the WordPress version and configuration details, the list of all active plugins and their versions, the active theme, and the database table names. Most critically, the report also includes the API keys, secrets, and OAuth tokens configured for the plugin’s email delivery integrations, including services such as Amazon SES, Google, Mailjet, Resend, and Zoho.
This makes it possible for unauthenticated attackers to harvest credentials that could be used to send email on behalf of the site, as well as to gather detailed reconnaissance about the site’s software stack that can be leveraged to identify and target other vulnerabilities.
As with all sensitive information exposure vulnerabilities, the impact depends on what data is exposed. In this case, the exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site.
A Closer Look at the Attack Data
The following data highlights actual exploit attempts from threat actors targeting this vulnerability. Exploitation is trivial, requiring only a single unauthenticated GET request to the vulnerable REST API endpoint.
Example attack request
GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
In the request above, the attacker sends an unauthenticated GET request to the /wp-json/gravitysmtp/v1/tests/mock-data REST API endpoint with the required ?page=gravitysmtp-settings query parameter. When the targeted site is running a vulnerable version of Gravity SMTP, the server responds with the full System Report JSON, including any configured email integration credentials, with no authentication required.
Wordfence Firewall
The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.
The Wordfence firewall rule detects the malicious REST API action and blocks the request if it does not come from an existing authorized administrator.
Total Number of Exploits Blocked
The Wordfence Firewall has blocked over 17 million exploit attempts targeting this vulnerability.
According to our data, exploitation ramped up dramatically in early June, with the single largest spike occurring on June 7th, 2026, when over 4 million exploit attempts were blocked in a single day. We continued to detect and block a sustained, extremely high volume of exploit attempts from June 7th through June 11th, 2026, during which several million attempts were blocked each day.
Top Offending IP Addresses
The following IP Addresses are currently the most actively engaged IP addresses targeting the Gravity SMTP mock-data REST API endpoint:
- 45.148.10.95: over 642,000 blocked requests.
- 193.32.162.60: over 586,000 blocked requests.
- 176.65.148.139: over 539,000 blocked requests.
- 173.199.90.188: over 460,000 blocked requests.
- 45.148.10.120: over 410,000 blocked requests.
- 185.8.107.155: over 404,000 blocked requests.
- 185.8.106.37: over 399,000 blocked requests.
- 185.8.106.92: over 394,000 blocked requests.
- 185.8.106.145: over 387,000 blocked requests.
- 176.65.148.30: over 384,000 blocked requests.
Indicators of Compromise
Because this vulnerability exposes sensitive data via a simple GET request rather than modifying the site, exploitation may not leave obvious traces. It is recommended to review your web server access logs for any requests to the /wp-json/gravitysmtp/v1/tests/mock-data endpoint, particularly those including the ?page=gravitysmtp-settings query parameter.
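As an added example (not part of the original post or of the Gravity SMTP code), the following Python script implements the access-log review suggested above: it parses constructed combined-format log lines, matches requests to the mock-data route, including WordPress's alternate ?rest_route= form of the same REST request, and separates requests that most likely returned the report (a 200 response with the settings parameter present) from bare probes and denied requests.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). The last line
# uses WordPress's ?rest_route= alias, which reaches the same REST route without the
# /wp-json/ prefix, so a grep for the path alone would miss it.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2026:10:01:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2026:10:01:25 +0000] "GET /wp-login.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2026:03:15:09 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 2044 "-" "curl/8.4.0"
192.0.2.44 - - [09/Jun/2026:12:00:00 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.44 - - [09/Jun/2026:12:00:01 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 18420 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ROUTE = "/gravitysmtp/v1/tests/mock-data"

def classify(target):
    # Returns (hits_route, has_settings_param) for a raw request target.
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    path = unquote(parts.path).rstrip("/")
    route = (qs.get("rest_route") or [""])[0].rstrip("/")
    hits = path.endswith("/wp-json" + ROUTE) or route == ROUTE
    return hits, qs.get("page", [""])[0] == "gravitysmtp-settings"

def find_mock_data_requests(log_text):
    # One finding per request to the mock-data route. The report (and credentials)
    # is only returned when the settings parameter is present and the server answers
    # 200; a 401/403 means a patched plugin or a firewall rule denied the request.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits, settings = classify(m["target"])
        if not hits:
            continue
        status = int(m["status"])
        verdict = ("likely-exposed" if status == 200 and settings
                   else "probe" if status == 200 else "blocked")
        findings.append({"ip": m["ip"], "time": m["ts"], "status": status, "verdict": verdict})
    return findings

def exposed_ips(findings):
    return sorted({f["ip"] for f in findings if f["verdict"] == "likely-exposed"})
```

Any address in the "likely-exposed" set should be treated as having received the System Report, which is the trigger for rotating the integration credentials described in the next paragraph.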
If you are running a vulnerable version of Gravity SMTP and have configured any third-party email integrations (such as Amazon SES, Google, Mailjet, Resend, or Zoho), you should assume the associated API keys, secrets, and OAuth tokens may have been exposed. We strongly recommend rotating these credentials after updating the plugin.
We also recommend reviewing log files for any requests originating from the IP addresses listed above.
Conclusion
In today’s article, we covered the attack data for a Sensitive Information Exposure vulnerability in the Gravity SMTP plugin that allows unauthenticated threat actors to retrieve a detailed system report, including configured email integration credentials, via a single REST API request. Our threat intelligence indicates that attackers have been targeting this vulnerability at a massive scale, with the heaviest exploitation occurring between June 7th and June 11th, 2026. The Wordfence firewall has already blocked over 17 million exploit attempts targeting this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 5, 2026. Sites using the free version of Wordfence received the same protection 30 days later on June 4, 2026.
Even if you have already received a firewall rule for this issue we urge you to ensure that your site is updated to at least version 2.1.5 in order to maintain normal functionality, and to rotate any email integration credentials that may have been exposed. If you have friends or colleagues using Gravity SMTP, be sure to forward this advisory to them, as sites could still be unprotected and unpatched.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.
The post Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin appeared first on Wordfence.