Skip to main content

PHP CVE-2026-4020

| EUVD-2026-17277 HIGH
Information Exposure (CWE-200)
2026-03-31 Wordfence
WordPress PHP Information Disclosure
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 18:22 vuln.today
cvss_changed
EUVD ID Assigned
Mar 31, 2026 - 01:45 euvd
EUVD-2026-17277
Analysis Generated
Mar 31, 2026 - 01:45 vuln.today
CVE Published
Mar 31, 2026 - 01:24 nvd
HIGH 7.5

DescriptionCVE.org

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.

AnalysisAI

Sensitive system configuration data exposure in Gravity SMTP for WordPress (all versions ≤2.1.4) allows unauthenticated remote attackers to retrieve comprehensive server information via an unsecured REST API endpoint. The /wp-json/gravitysmtp/v1/tests/mock-data endpoint lacks authentication controls, exposing ~365 KB of JSON containing PHP version, database credentials structure, WordPress configuration, plugin/theme inventories, and configured API keys/tokens. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send unauthenticated HTTP request to REST API endpoint
Exploit
Append gravitysmtp-settings query parameter
Execution
Trigger register_connector_data() method
Impact
Retrieve 365 KB System Report JSON containing sensitive data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires Gravity SMTP plugin for WordPress versions up to 2.1.4 installed and activated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is HIGH despite the vulnerability requiring no exploitation sophistication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uses automated scanners to identify WordPress sites running the Gravity SMTP plugin by probing /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings across thousands of targets. Upon successful response, the attacker receives a 365 KB JSON payload containing the victim's PHP configuration, MySQL database version, complete plugin inventory, and SMTP API credentials for services like SendGrid or Mailgun. …
Remediation Update Gravity SMTP to the latest patched version immediately by accessing WordPress admin dashboard → Plugins → Installed Plugins, locating Gravity SMTP, and clicking Update. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all WordPress instances running Gravity SMTP and confirm installed version via /wp-json/gravitysmtp/v1/package endpoint or plugin settings. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-4020 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy