CVE-2026-4020
Published: 31 March 2026
Summary
CVE-2026-4020 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 5.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).
Deeper analysis
The Gravity SMTP plugin for WordPress is vulnerable to sensitive information exposure in all versions through 2.1.4. The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback unconditionally returns true, combined with register_connector_data() logic that populates and returns the full system report when the page=gravitysmtp-settings query parameter is supplied.
Any unauthenticated remote attacker can invoke the endpoint and retrieve roughly 365 KB of JSON containing the complete System Report. The exposed data includes PHP and web-server versions, loaded extensions, document root, database details, WordPress version, every active plugin and theme with versions, configuration constants, table names, and any API keys or tokens stored by the plugin.
The referenced changelog and source files indicate that the issue was addressed in a subsequent release; site operators should update to the newest version of the plugin. The EPSS score has remained essentially flat near 0.13 with no material post-disclosure rise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17277
Vulnerability details
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
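The root-cause pattern named in the Deeper analysis and Vulnerability details sections above, shown as an added example that is not code from the Gravity SMTP plugin: a register_rest_route() call whose permission_callback is __return_true, beside a hardened registration whose permission_callback checks the caller's capability. The namespace and route string come from the advisory; the plugin's real handler and report builder are not on the page, so every function prefixed "example_" is a hypothetical stand-in and the report contents are constructed.

```php
<?php
// Added example, not Gravity SMTP code. Route and namespace are from the advisory;
// all "example_" functions are hypothetical stand-ins for the plugin's internals.

/**
 * Constructed stand-in for the plugin's System Report builder. The real report
 * is roughly 365 KB; these are a few representative fields of the same kinds.
 */
function example_build_system_report() {
    return array(
        'php_version'       => PHP_VERSION,
        'wordpress_version' => get_bloginfo( 'version' ),
        'document_root'     => isset( $_SERVER['DOCUMENT_ROOT'] ) ? $_SERVER['DOCUMENT_ROOT'] : '',
        'connectors'        => array(
            'example_provider' => array( 'api_key' => 'CONSTRUCTED-SAMPLE-KEY' ),
        ),
    );
}

function example_mock_data_handler( WP_REST_Request $request ) {
    // The advisory notes the full report is only populated when
    // page=gravitysmtp-settings is supplied; mirror that behaviour here.
    if ( 'gravitysmtp-settings' !== $request->get_param( 'page' ) ) {
        return rest_ensure_response( array() );
    }
    return rest_ensure_response( example_build_system_report() );
}

// BEFORE: the vulnerable pattern. Deliberately never hooked; shown for contrast.
function example_register_vulnerable_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        // __return_true means "no check at all": any anonymous visitor gets the report.
        'permission_callback' => '__return_true',
    ) );
}

// AFTER: a permission_callback that actually identifies and authorises the caller (AC-14).
function example_mock_data_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        // rest_authorization_required_code(): 401 for anonymous callers,
        // 403 for logged-in users who lack the capability.
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to view the system report.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => 'example_mock_data_permission',
    ) );
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

With the hardened registration, a cookie-authenticated browser request that omits a valid X-WP-Nonce header is treated by WordPress as anonymous, so current_user_can() returns false and the endpoint fails closed; that is the intended behaviour, and legitimate admin-page requests already carry the nonce. The "page" parameter never influences authorisation in either version; it only decides how much of the report is built, which is why the permission check has to sit in permission_callback rather than in the handler.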
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability provides unauthenticated remote access to a detailed system configuration report (versions, plugins, paths, database details) and to stored API keys/tokens via a public REST endpoint. That maps directly to T1190 (Exploit Public-Facing Application) for the initial request, T1082 (System Information Discovery) for the configuration data returned, and T1552 (Unsecured Credentials) for the exposed keys and tokens.
Mitigating Controls (NIST 800-53 r5)
AC-14 requires identification, authorization, and minimization of actions permitted without authentication, directly mitigating the unconditional permission_callback on the /wp-json/gravitysmtp/v1/tests/mock-data endpoint.
SC-14 mandates protections for information accessible via public interfaces, addressing the unauthenticated exposure of sensitive system data through the WordPress REST API endpoint.
SI-15 enforces information output filtering to prevent sensitive system configuration details, such as API keys and database information, from being included in the JSON response.
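The three controls above applied at the site level rather than inside the plugin, as an added example that is not Gravity SMTP's code: a must-use plugin that denies unauthenticated requests to the advisory's route before the plugin's own callbacks run (AC-14, SC-14) and filters credential-like fields out of the JSON response (SI-15). This is a compensating control for operators who cannot update immediately; it does not replace installing the fixed release. The route string is taken from the advisory; the constant and function names prefixed "example_" are hypothetical.

```php
<?php
/**
 * Plugin Name: Example mock-data guard for Gravity SMTP
 * Description: Added example (not Gravity SMTP code) of a compensating control for
 * the endpoint named in the advisory. Place the file in wp-content/mu-plugins/.
 */

// Route string is from the advisory. WordPress matches routes without the
// /wp-json prefix, so that part is omitted. All "example_" names are hypothetical.
const EXAMPLE_GUARDED_ROUTE = '/gravitysmtp/v1/tests/mock-data';

/**
 * AC-14 / SC-14: refuse the request before the plugin's permission_callback and
 * handler run unless the caller is an authenticated administrator. Returning a
 * WP_Error from this filter short-circuits WP_REST_Server::respond_to_request().
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( $request->get_route() !== EXAMPLE_GUARDED_ROUTE ) {
        return $response;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        // Record the denied attempt; a run of these lines is the detection signal
        // for probing of this endpoint.
        error_log( sprintf(
            'example-guard: denied %s request to %s from %s',
            $request->get_method(),
            EXAMPLE_GUARDED_ROUTE,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}, 10, 3 );

/**
 * SI-15: recursively replace values whose key looks like a credential, so even
 * an authorised administrator's browser never receives raw API keys or tokens.
 */
function example_guard_redact( array $data ) {
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            $data[ $key ] = example_guard_redact( $value );
        } elseif ( preg_match( '/(api[_-]?key|token|secret|password)/i', (string) $key ) ) {
            $data[ $key ] = '[redacted]';
        }
    }
    return $data;
}

// Output filtering runs after dispatch, on the response object the server is
// about to serialise, so it applies regardless of which handler built the data.
add_filter( 'rest_post_dispatch', function ( $result, $server, $request ) {
    if ( $request->get_route() !== EXAMPLE_GUARDED_ROUTE || ! ( $result instanceof WP_REST_Response ) ) {
        return $result;
    }
    $data = $result->get_data();
    if ( is_array( $data ) ) {
        $result->set_data( example_guard_redact( $data ) );
    }
    return $result;
}, 10, 3 );
```

Because the guard runs in rest_request_before_callbacks, it takes effect even though the plugin's own permission_callback still returns true; the denial is logged through error_log(), so the web host's PHP error log (or whatever the site forwards it to) can be watched for the "example-guard: denied" lines. The key-name pattern in example_guard_redact() is a conservative guess at the field names in a 365 KB report the page does not reproduce; operators should extend it after inspecting an authorised copy of their own report.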