CVE-2026-4020 (GCVE-0-2026-4020)

Vulnerability from cvelistv5 – Published: 2026-03-31 01:24 – Updated: 2026-04-02 14:14
VLAI?
Title
Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API
Summary
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
Vendor Product Version
RocketGenius Gravity SMTP Affected: * , ≤ 2.1.4 (semver)
Create a notification for this product.
Credits
Osvaldo Noe Gonzalez Del Rio
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-02T14:14:15.535134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-02T14:14:20.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gravity SMTP",
          "vendor": "RocketGenius",
          "versions": [
            {
              "lessThanOrEqual": "2.1.4",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Osvaldo Noe Gonzalez Del Rio"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin\u0027s register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T01:24:57.221Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12a296db-ecc0-409b-8718-0c208504053a?source=cve"
        },
        {
          "url": "https://www.gravityforms.com/gravity-smtp/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103"
        },
        {
          "url": "https://docs.gravitysmtp.com/gravity-smtp-changelog/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-17T17:39:59.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-30T12:09:08.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Gravity SMTP \u003c= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4020",
    "datePublished": "2026-03-31T01:24:57.221Z",
    "dateReserved": "2026-03-11T19:55:54.999Z",
    "dateUpdated": "2026-04-02T14:14:20.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-4020\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-03-31T02:15:59.487\",\"lastModified\":\"2026-04-01T14:24:02.583\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin\u0027s register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.\"},{\"lang\":\"es\",\"value\":\"El plugin Gravity SMTP para WordPress es vulnerable a la Exposici\u00f3n de Informaci\u00f3n Sensible en todas las versiones hasta la 2.1.4, inclusive. Esto se debe a un endpoint de la API REST registrado en /wp-json/gravitysmtp/v1/tests/mock-data con un callback de permisos que devuelve true incondicionalmente, permitiendo que cualquier visitante no autenticado acceda a \u00e9l. Cuando se a\u00f1ade el par\u00e1metro de consulta ?page=gravitysmtp-settings, el m\u00e9todo register_connector_data() del plugin rellena los datos internos del conector, haciendo que el endpoint devuelva aproximadamente 365 KB de JSON que contiene el Informe Completo del Sistema. Esto hace posible que atacantes no autenticados recuperen datos detallados de configuraci\u00f3n del sistema, incluyendo la versi\u00f3n de PHP, extensiones cargadas, versi\u00f3n del servidor web, ruta de la ra\u00edz del documento, tipo y versi\u00f3n del servidor de base de datos, versi\u00f3n de WordPress, todos los plugins activos con sus versiones, tema activo, detalles de configuraci\u00f3n de WordPress, nombres de las tablas de la base de datos, y cualquier clave/token de API configurado en el plugin.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://docs.gravitysmtp.com/gravity-smtp-changelog/\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.gravityforms.com/gravity-smtp/\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/12a296db-ecc0-409b-8718-0c208504053a?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-4020\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-02T14:14:15.535134Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-31T15:30:47.296Z\"}}], \"cna\": {\"title\": \"Gravity SMTP \u003c= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Osvaldo Noe Gonzalez Del Rio\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\"}}], \"affected\": [{\"vendor\": \"RocketGenius\", \"product\": \"Gravity SMTP\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.1.4\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-17T17:39:59.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-03-30T12:09:08.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/12a296db-ecc0-409b-8718-0c208504053a?source=cve\"}, {\"url\": \"https://www.gravityforms.com/gravity-smtp/\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103\"}, {\"url\": \"https://docs.gravitysmtp.com/gravity-smtp-changelog/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin\u0027s register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-03-31T01:24:57.221Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-4020\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-02T14:14:20.908Z\", \"dateReserved\": \"2026-03-11T19:55:54.999Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-31T01:24:57.221Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.