Cyber Posture

CVE-2026-4020

Severity: High
Published: 31 March 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixes in releases after 2.1.4 (see References)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0602 (90.8th percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4020 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.2% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

AC-14 (prevent) requires identification, authorization, and minimization of actions permitted without authentication, directly mitigating the unconditional permission_callback on the /wp-json/gravitysmtp/v1/tests/mock-data endpoint.

SC-14 (prevent) mandates protections for information accessible via public interfaces, addressing the unauthenticated exposure of sensitive system data through the WordPress REST API endpoint.

SI-15 (prevent) enforces information output filtering to prevent sensitive system configuration details, such as API keys and database information, from being included in the JSON response.
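The three controls above translate into two concrete changes in a WordPress plugin's REST route: a permission_callback that actually checks a capability (AC-14, SC-14) and a response that never carries secrets (SI-15). The following is an added illustration written for this page, not code from Gravity SMTP or from its changelog; the namespace, route, function names, capability choice and the sample report contents are assumptions chosen for the example.

```php
<?php
// Added example (not Gravity SMTP's code). Shows the route pattern the advisory
// describes (permission_callback that always returns true) next to a hardened
// registration, plus output filtering of secrets before the JSON is returned.
// Namespace 'example-smtp/v1', the route, and all function names are assumed.

add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN as described for CVE-2026-4020: '__return_true' lets
    // any unauthenticated visitor call the endpoint. Kept commented out so the
    // example does not register an open route.
    // register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
    //     'methods'             => 'GET',
    //     'callback'            => 'example_smtp_system_report',
    //     'permission_callback' => '__return_true',
    // ) );

    // HARDENED: only a logged-in user with manage_options may read the report.
    register_rest_route( 'example-smtp/v1', '/tests/mock-data', array(
        'methods'             => 'GET',
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => 'example_smtp_can_view_report',
    ) );
} );

// AC-14 / SC-14: the permission callback decides per request; a WP_Error with
// rest_authorization_required_code() yields 401 for anonymous and 403 for
// authenticated-but-unprivileged callers.
function example_smtp_can_view_report( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view the system report.', 'example-smtp' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// SI-15: walk the report recursively and replace values under secret-looking
// keys. The key list is an assumption; extend it to match your own config.
function example_smtp_redact_secrets( array $report ) {
    $sensitive = array( 'api_key', 'api_token', 'token', 'password', 'secret', 'db_password' );
    foreach ( $report as $key => $value ) {
        if ( is_array( $value ) ) {
            $report[ $key ] = example_smtp_redact_secrets( $value );
        } elseif ( in_array( strtolower( (string) $key ), $sensitive, true ) ) {
            $report[ $key ] = '[redacted]';
        }
    }
    return $report;
}

function example_smtp_system_report( WP_REST_Request $request ) {
    // Constructed sample of what a system report might hold. A real plugin
    // would assemble this from its connector configuration.
    $report = array(
        'php_version' => PHP_VERSION,
        'connectors'  => array(
            'sendgrid' => array(
                'api_key' => 'SG.constructed-sample-value',
                'from'    => 'noreply@example.com',
            ),
        ),
    );
    return rest_ensure_response( example_smtp_redact_secrets( $report ) );
}
```

Even with the capability check in place, the redaction step is worth keeping: a system report that administrators copy into support tickets should not contain live API keys, and a future route added without a strict permission_callback will then leak far less.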

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1552 Unsecured Credentials (tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability gives unauthenticated remote access to a detailed system configuration report (versions, plugins, paths, DB details) and to API keys/tokens through a public REST endpoint. That maps directly to T1190 (exploitation of a public-facing application), T1082 (system information discovery) and T1552 (exposure of unsecured credentials).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
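Because the endpoint is reached with an ordinary GET and the full report is served as one large 200 response, a site's web server access log is enough to tell whether it was probed before patching. The script below is an added example for this page (not from the advisory or the plugin) that parses lines in the common "combined" log format and flags requests to the affected path; the log lines are constructed samples and the ~100 KB size threshold is an assumption derived from the ~365 KB response the advisory describes.

```php
<?php
// Added example (not part of the advisory or the plugin): find access-log
// entries for the endpoint named in CVE-2026-4020 so defenders can check
// whether the System Report was served to anonymous callers.

const GSMTP_ENDPOINT = '/wp-json/gravitysmtp/v1/tests/mock-data';

// Parse one Apache/nginx "combined" log line into its request fields.
// Returns null for lines that do not match the format.
function gsmtp_parse_combined_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
        'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
    );
}

// Return every request to the affected endpoint, annotated with whether the
// settings-page parameter was present and whether a large body was served.
function gsmtp_find_suspicious_requests( array $lines ): array {
    $hits = array();
    foreach ( $lines as $line ) {
        $req = gsmtp_parse_combined_log_line( $line );
        if ( $req === null ) {
            continue;
        }
        if ( parse_url( $req['path'], PHP_URL_PATH ) !== GSMTP_ENDPOINT ) {
            continue;
        }
        parse_str( (string) parse_url( $req['path'], PHP_URL_QUERY ), $query );
        $req['settings_page'] = isset( $query['page'] ) && $query['page'] === 'gravitysmtp-settings';
        // A 200 with a body far above a normal API reply means the report was
        // returned in full (assumed threshold: 100 KB; the advisory cites ~365 KB).
        $req['large_body'] = $req['status'] === 200 && $req['bytes'] > 100000;
        $hits[] = $req;
    }
    return $hits;
}

// Constructed sample log lines (RFC 5737 documentation addresses).
$sample = array(
    '203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "ExampleClient/1.0"',
    '198.51.100.7 - - [01/Apr/2026:10:00:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Apr/2026:10:00:03 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 120 "-" "ExampleClient/1.0"',
);

foreach ( gsmtp_find_suspicious_requests( $sample ) as $h ) {
    printf(
        "%s %s %s status=%d bytes=%d settings_page=%s large_body=%s\n",
        $h['time'], $h['ip'], $h['method'], $h['status'], $h['bytes'],
        $h['settings_page'] ? 'yes' : 'no',
        $h['large_body'] ? 'yes' : 'no'
    );
}
```

On the sample input the first and third lines are reported; only the first combines the settings-page parameter with a 200 and a large body, which is the combination that indicates the full report left the server. After patching, a 401 or 403 on this path is the expected outcome for anonymous callers.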

NVD Description

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.

Deeper analysis [AI]

CVE-2026-4020 is a sensitive information exposure vulnerability (CWE-200) affecting the Gravity SMTP plugin for WordPress in all versions up to and including 2.1.4. The issue stems from a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data that has a permission_callback which unconditionally returns true, enabling unauthenticated access. Appending the ?page=gravitysmtp-settings query parameter triggers the plugin's register_connector_data() method to populate internal connector data, resulting in the endpoint returning approximately 365 KB of JSON data comprising the full System Report.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity, no privileges, no user interaction, and unchanged scope, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Successful exploitation allows retrieval of detailed system configuration information, including PHP version and loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys or tokens configured in the plugin.

References provided in advisories include the Gravity SMTP changelog at https://docs.gravitysmtp.com/gravity-smtp-changelog/ for patch information and code browser links to the vulnerable tag 2.1.4 and trunk versions of vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php at lines 86 and 103, indicating fixes in subsequent releases beyond 2.1.4.

Details

CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Affected Products: PHP (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-32596 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2026-25146 (shared CWE-200)
CVE-2024-56902 (shared CWE-200)
CVE-2024-48125 (shared CWE-200)
CVE-2025-55190 (shared CWE-200)
CVE-2025-68438 (shared CWE-200)
CVE-2026-32609 (shared CWE-200)
CVE-2025-26001 (shared CWE-200)
CVE-2026-26069 (shared CWE-200)

References