Is PHP affected by CVE-2026-4020?

Gravity SMTP for WordPress versions 2.1.4 and below expose sensitive server configuration data-including database credentials, API keys, and plugin inventories-through an unauthenticated REST API endpoint accessible to any remote attacker.

CVE-2026-4020

EUVD-2026-17277 HIGH

2026-03-31 Wordfence

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 31, 2026 - 01:45 vuln.today

EUVD ID Assigned

Mar 31, 2026 - 01:45 euvd

EUVD-2026-17277

CVE Published

Mar 31, 2026 - 01:24 nvd

HIGH 7.5

Description

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.

Analysis

Sensitive system configuration data exposure in Gravity SMTP for WordPress (all versions ≤2.1.4) allows unauthenticated remote attackers to retrieve comprehensive server information via an unsecured REST API endpoint. The /wp-json/gravitysmtp/v1/tests/mock-data endpoint lacks authentication controls, exposing ~365 KB of JSON containing PHP version, database credentials structure, WordPress configuration, plugin/theme inventories, and configured API keys/tokens. …

Remediation

Within 24 hours: Identify all WordPress instances running Gravity SMTP and confirm installed version via /wp-json/gravitysmtp/v1/package endpoint or plugin settings. Within 7 days: disable or restrict the /wp-json/gravitysmtp/v1/tests/mock-data endpoint via .htaccess, nginx configuration, or WAF rules blocking REST API calls to /wp-json/gravitysmtp/v1/tests/*. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-4020 vulnerability details – vuln.today

Back

CVE-2026-4020

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-4020

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code