
CVE-2026-4020

Severity: High
Published: 31 March 2026
Modified: 24 April 2026
KEV added: not listed
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.1338 (94.3rd percentile)
Risk priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4020 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Deeper analysis

The Gravity SMTP plugin for WordPress is vulnerable to sensitive information exposure in all versions through 2.1.4. The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback unconditionally returns true, combined with register_connector_data() logic that populates and returns the full system report when the page=gravitysmtp-settings query parameter is supplied.

Any unauthenticated remote attacker can invoke the endpoint and retrieve roughly 365 KB of JSON containing the complete System Report. The exposed data includes PHP and web-server versions, loaded extensions, document root, database details, WordPress version, every active plugin and theme with versions, configuration constants, table names, and any API keys or tokens stored by the plugin.

The referenced changelog and source files indicate that the issue was addressed in a subsequent release; site operators should update to the newest version of the plugin. The EPSS score has remained essentially flat near 0.13 with no material post-disclosure rise.


Vulnerability details

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
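As an added illustration, which is not the Gravity SMTP plugin's own code, the snippet below shows the registration pattern the advisory describes (a permission_callback that always returns true) beside a hardened form that applies the AC-14 control (an authorization check in permission_callback) and the SI-15 control (output filtering of secrets before the response leaves the server). Only the route path comes from this advisory; every function name, the option key and the report contents are hypothetical.

```php
<?php
// Added example, not Gravity SMTP's code. Route path is from the advisory;
// all gsmtp_example_* names and the option key are hypothetical.

// BEFORE (the pattern the advisory describes): '__return_true' as the
// permission_callback tells WordPress to serve the route to any visitor,
// authenticated or not. Shown for contrast only; it is never hooked below.
function gsmtp_example_register_vulnerable_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_example_mock_data',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
}

// AFTER: the same route, but only users who may manage site settings get
// through, and the response is redacted before it is returned.
function gsmtp_example_register_hardened_route() {
    register_rest_route( 'gravitysmtp/v1', '/tests/mock-data', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'gsmtp_example_mock_data',
        'permission_callback' => 'gsmtp_example_can_view_diagnostics',
    ) );
}

// AC-14: decide explicitly who may call a diagnostic endpoint. WordPress
// answers 401 for anonymous callers and 403 for logged-in users who lack
// the capability (rest_authorization_required_code() picks the right one).
function gsmtp_example_can_view_diagnostics( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view diagnostics.', 'gsmtp-example' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// SI-15: strip credential-like keys recursively so secrets never appear in
// the JSON, even for administrators or in a saved support bundle.
function gsmtp_example_redact( array $report ) {
    foreach ( $report as $key => $value ) {
        if ( is_array( $value ) ) {
            $report[ $key ] = gsmtp_example_redact( $value );
        } elseif ( preg_match( '/(api[_-]?key|token|secret|password)/i', (string) $key ) ) {
            $report[ $key ] = '[redacted]';
        }
    }
    return $report;
}

// Hypothetical stand-in for whatever a plugin assembles as its system report.
function gsmtp_example_build_system_report() {
    return array(
        'php_version'       => PHP_VERSION,
        'wordpress_version' => get_bloginfo( 'version' ),
        'document_root'     => ABSPATH,
        'active_plugins'    => (array) get_option( 'active_plugins', array() ),
        'connector'         => array(
            'name'    => 'example-connector',
            'api_key' => get_option( 'gsmtp_example_api_key', '' ), // hypothetical option
        ),
    );
}

function gsmtp_example_mock_data( WP_REST_Request $request ) {
    $report = gsmtp_example_build_system_report();
    return rest_ensure_response( gsmtp_example_redact( $report ) );
}

add_action( 'rest_api_init', 'gsmtp_example_register_hardened_route' );
```

The two controls are deliberately independent: the permission_callback keeps anonymous visitors out, and the redaction step limits the damage if a future route is registered with a weak callback again. A quick check for any WordPress site is to request the route while logged out and confirm the response is a 401 rest_forbidden error rather than a JSON document.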

CWE(s): CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

The vulnerability gives an unauthenticated remote visitor a detailed system configuration report (versions, plugins, paths, database details) and any stored API keys or tokens through a public REST endpoint. That maps directly to T1190 (exploitation of a public-facing application), T1082 (system information discovery) and T1552 (exposure of unsecured credentials).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-26477 (shared CWE-200)
CVE-2026-32596 (shared CWE-200)
CVE-2025-26001 (shared CWE-200)
CVE-2024-48125 (shared CWE-200)
CVE-2026-32609 (shared CWE-200)
CVE-2025-62188 (shared CWE-200)
CVE-2026-25146 (shared CWE-200)
CVE-2025-55190 (shared CWE-200)
CVE-2025-68438 (shared CWE-200)
CVE-2024-56902 (shared CWE-200)

Affected Assets

PHP (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

prevent: AC-14 requires identification, authorization, and minimization of actions permitted without authentication, directly mitigating the unconditional permission_callback on the /wp-json/gravitysmtp/v1/tests/mock-data endpoint.

prevent: SC-14 mandates protections for information accessible via public interfaces, addressing the unauthenticated exposure of sensitive system data through the WordPress REST API endpoint.

prevent: SI-15 enforces information output filtering to prevent sensitive system configuration details, such as API keys and database information, from being included in the JSON response.
