The Vulnerability
CVE-2026-4020 is an unauthenticated information disclosure vulnerability in Gravity SMTP, a WordPress plugin that routes outbound email through third-party services including Amazon SES, Google Workspace, Mailjet, and Zoho. One of the plugin's REST API endpoints returned the stored API keys and SMTP credentials without any permission check, so a single unauthenticated request to it yielded the site's email service credentials in plaintext.
The vulnerability affected approximately 100,000 active WordPress installations. Between late May and mid-June 2026, Wordfence recorded over 17 million exploit attempts targeting the endpoint, with traffic peaking at 4 million requests per day around June 6. The pattern suggests automated scanning at scale — attackers harvesting credentials from every discoverable installation before patches propagated.
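A site owner's first question after patching is whether the endpoint was hit, and answered with a 200, before the fix went in. The Python below is an added example, not code from this article or from the Gravity SMTP project: it parses combined-format access-log lines (constructed here, with documentation-range IPs) and reports successful pre-patch requests to the exposed route per day and per source address. The route prefix is an assumed placeholder, not the plugin's real REST namespace; substitute the path from the advisory you are working from.

```python
"""Scan access-log lines for successful pre-patch hits on an exposed REST route.

Added example, not code from the original article or the Gravity SMTP project.
ROUTE_PREFIX is an assumed placeholder for the plugin's REST namespace.
"""
import re
from collections import Counter
from datetime import datetime, timezone

ROUTE_PREFIX = "/wp-json/gravitysmtp/"   # assumption: substitute the real route

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_hits(lines, patched_at, prefix=ROUTE_PREFIX):
    """Requests to the route that received a 200 before the patch was deployed.

    A 200 before the patch means the endpoint answered the caller; after the
    patch the same request should produce 401/403. Response bodies are not
    logged, so this is as close as an access log gets to "credentials served".
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith(prefix) and rec["status"] == 200 and rec["ts"] < patched_at:
            hits.append(rec)
    return hits


def summarize(hits):
    """Totals, per-day volume (peak detection) and per-IP counts (who to block)."""
    return {
        "total": len(hits),
        "per_day": dict(Counter(h["ts"].date().isoformat() for h in hits)),
        "per_ip": dict(Counter(h["ip"] for h in hits)),
        "user_agents": sorted({h["ua"] for h in hits}),
    }


# Constructed sample lines (documentation-range IPs, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 842 "-" "python-requests/2.31"
198.51.100.23 - - [05/Jun/2026:10:14:03 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 842 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2026:01:02:11 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 842 "-" "python-requests/2.31"
192.0.2.44 - - [06/Jun/2026:09:00:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jun/2026:12:00:00 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 401 93 "-" "python-requests/2.31"
"""
PATCHED_AT = datetime(2026, 6, 7, 0, 0, tzinfo=timezone.utc)


def sample_report():
    return summarize(find_hits(SAMPLE_LOG.splitlines(), PATCHED_AT))


if __name__ == "__main__":
    print(sample_report())
```

On the sample, three requests answered 200 before the patch timestamp, from two addresses; the post-patch 401 is the endpoint behaving correctly and is excluded. Any non-zero total means the credentials stored at that time must be treated as compromised and rotated at the provider, whatever the plugin's own settings page now shows.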
What Was Stolen
The stolen credentials are not website passwords. They are email infrastructure keys: API tokens and SMTP logins for Amazon SES, Google Workspace, Mailjet, and Zoho Mail, the services organizations use to send order confirmations, password resets, invoices, and customer communications. The keys grant the ability to send email as the affected domain, and for SES, unless its IAM policy says otherwise, from every identity verified in that account, not only the one the site used.
For an attacker, a stolen Amazon SES API key is a phishing weapon. It allows sending email that passes SPF, DKIM and DMARC, the checks receiving mail systems use to distinguish authorized senders from spoofed ones, because the message really is signed with the domain's DKIM key and relayed from infrastructure the domain's DNS records authorize (assuming the normal production setup of a verified domain identity with DKIM enabled). Phishing sent through a compromised SES key arrives in the inbox, not the spam folder, carrying the reputation of a legitimate business. The recipient's mail client shows no warning because, as far as the authentication protocols can tell, the mail is authentic: they verify that the sending infrastructure is authorized for the domain, not that the person who triggered the send was.
The downstream effects compound. Amazon SES tracks each account's bounce and complaint rates and can throttle or pause sending when they climb, and mailbox providers keep their own reputation for the sending domain. Bulk phishing through a stolen key degrades both, so the organization's own transactional mail (password resets, invoices, shipping notifications) starts landing in spam or stops leaving SES at all. Unless someone is watching the account's send volume and bounce and complaint metrics, the business discovers the breach not through security monitoring but through customer complaints that emails are missing.
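Why the authentication checks pass for attacker-sent mail is easiest to see by running the DMARC alignment rules over the authentication results such a message produces. The Python below is an added example, not code from this article: the Authentication-Results data is constructed, and the organizational-domain calculation is simplified to the last two labels (real evaluators consult the public suffix list), which is an assumption of this example.

```python
"""DMARC alignment over constructed Authentication-Results, added example.

Not code from the original article. Shows why a message sent through the
domain's own provider with a stolen key authenticates, while a spoof does not.
Assumption: organizational domain = last two labels (real evaluators consult
the public suffix list).
"""
from dataclasses import dataclass


@dataclass
class AuthResults:
    from_domain: str    # domain of the visible RFC5322.From header
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # envelope MAIL FROM domain SPF was evaluated against
    dkim_result: str    # "pass", "fail" or "none"
    dkim_domain: str    # d= of the signature that verified, "" if none


def org_domain(domain):
    # Simplification (assumption): organizational domain is the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    needs the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_evaluate(ar, adkim="r", aspf="r"):
    """Return (verdict, reason). DMARC passes if at least one authenticated
    identifier (DKIM d= or SPF MAIL FROM) aligns with the From domain."""
    if ar.dkim_result == "pass" and aligned(ar.dkim_domain, ar.from_domain, adkim):
        return "pass", f"DKIM d={ar.dkim_domain} aligns with From {ar.from_domain}"
    if ar.spf_result == "pass" and aligned(ar.spf_domain, ar.from_domain, aspf):
        return "pass", f"SPF {ar.spf_domain} aligns with From {ar.from_domain}"
    return "fail", "no authenticated identifier aligns with the From domain"


# Constructed scenarios for shop.example, whose mail goes out through SES.
# 1. Phishing sent with the stolen key: SES signs with the domain's DKIM key;
#    SPF is evaluated against SES's own bounce domain, which does not align.
STOLEN_KEY = AuthResults("shop.example", "pass", "amazonses.com", "pass", "shop.example")
# 2. Same, but the site configured a custom MAIL FROM subdomain, so SPF aligns too.
STOLEN_KEY_CUSTOM_MAILFROM = AuthResults("shop.example", "pass", "bounce.shop.example", "pass", "shop.example")
# 3. Ordinary spoof from unrelated infrastructure: SPF fails, nothing is signed.
SPOOF = AuthResults("shop.example", "fail", "attacker.test", "none", "")
# 4. Signature from a subdomain: aligns under relaxed policy, not under strict.
SUBDOMAIN_SIGNER = AuthResults("shop.example", "pass", "amazonses.com", "pass", "mail.shop.example")


if __name__ == "__main__":
    for name, ar in [("stolen key", STOLEN_KEY), ("spoof", SPOOF)]:
        print(name, dmarc_evaluate(ar))
```

Scenario 1 is the one that matters for the point above: an aligned DKIM pass alone satisfies DMARC under the default relaxed policy, so a message the attacker sent with the stolen key is indistinguishable, to the receiver, from the site's own order confirmations. Scenario 4 is the only knob the domain owner has on the receiving side, and tightening `adkim` to strict does nothing against a key that signs with the exact From domain.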
The Plugin Monoculture Problem
Gravity SMTP is one plugin among over 60,000 in the WordPress ecosystem. It is not unusually large or unusually complex. It is a connector — it takes email from WordPress and routes it to an external service. The vulnerability was a missing authentication check on a single API endpoint. The fix was a one-line change. But between the vulnerability's discovery and widespread patching, attackers mounted 17 million attempts to harvest credentials from 100,000 installations.
This pattern is the structural reality of the WordPress plugin ecosystem. WordPress core has its own CVE history — 18,321 cumulative vulnerabilities in WebPulse's NVD data — but the plugin layer multiplies the attack surface. Each plugin is an independent codebase, maintained by an independent team, with its own security review process (or lack thereof). A site running 20 plugins inherits 20 independent attack surfaces. The WordPress architecture requires this: core functionality is deliberately thin, with plugins providing everything from email routing to e-commerce to caching.
Scale Creates Asymmetry
The 17 million exploit attempts reveal the economics of WordPress vulnerability exploitation. The attacker's cost is near zero — a scanner, a list of WordPress sites (readily available from services like BuiltWith or Wappalyzer), and a single HTTP request per target. The defender's cost is ongoing: monitoring, patching, credential rotation, and incident response. When 100,000 sites share the same vulnerable code, one CVE generates 100,000 opportunities. Automated scanners can attempt every installation within days.
This asymmetry is not a bug in the WordPress security model. It is the WordPress security model. The plugin architecture distributes identical code across thousands of independently managed installations. A vulnerability disclosed on Tuesday is being exploited at scale by Wednesday. The patch may exist, but the 100,000 site owners need to discover the update, test it against their configuration, and deploy it — a process that can take weeks on sites without dedicated technical staff. The gap between disclosure and deployment is where the 17 million attempts live.
The Business Arithmetic
The cost of a compromised email API key is not the cost of rotating the credential. It is the cost of domain reputation recovery, phishing incident response for downstream victims, potential regulatory notification obligations under GDPR or state breach laws, and the loss of transactional email deliverability during the recovery period. For an e-commerce operation, a week of degraded email deliverability (order confirmations bouncing, password resets failing) translates directly to revenue loss and support volume. Even the rotation step carries a caveat for SES: the SMTP username is an IAM access key ID and the SMTP password is derived from that key's secret, so the stolen credential stays valid until the access key is deactivated or deleted in IAM. Replacing the value stored in the plugin is not enough.
Server-side frameworks that call the provider SDK directly (FastAPI with SES SDK calls, Next.js API routes behind authentication middleware, Astro server-side email functions) have no credential-management endpoint to leak from in the first place: the credentials live in environment variables or a secrets manager, are read by the sending code, and are never serialized into a response. The same defect is possible in any framework if a route returns its configuration object, so the architectural point is narrower than a feature comparison. An endpoint that never exists cannot be left unauthenticated, and a secret that is never serialized cannot be returned; that is what removes the attack vector that generated 17 million exploit attempts in three weeks.
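The structural point, stated in framework-neutral Python as an added example (not code from this article, from Gravity SMTP, or from any framework named above): the vulnerable handler is a settings route with no permission check that returns the stored credentials; the hardened handler refuses callers without the capability and never serializes the secret even to those who have it, so a future missing check cannot leak it either. `Request`, the capability name and the settings values are assumed placeholders, and the credential strings are fake.

```python
"""Settings route, vulnerable and hardened, in framework-neutral Python.

Added example; not code from the original article, Gravity SMTP, or any
framework named above. Request, the capability name and all values are
assumed placeholders; the credentials are fake.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    user_caps: set = field(default_factory=set)   # empty = unauthenticated caller


class Forbidden(Exception):
    pass


# Constructed settings in the shape a mail plugin might store (fake values).
SETTINGS = {
    "provider": "ses",
    "region": "us-east-1",
    "smtp_user": "AKIAEXAMPLEKEY000001",
    "smtp_password": "BNuZ5K1ZJgAv6vEH5F0yL1iLjVmkUEQcExampleSecret",
    "from_address": "orders@shop.example",
}
SECRET_KEYS = {"smtp_password", "api_key", "secret_access_key"}
REQUIRED_CAP = "manage_options"   # assumption: WordPress-style admin capability


def vulnerable_settings_route(req, settings=SETTINGS):
    """The defect: no permission check, and the raw store is the response body."""
    return dict(settings)


def redact(value):
    """Keep enough for an admin to recognise which credential is configured."""
    return "****" + value[-4:] if len(value) > 4 else "****"


def hardened_settings_route(req, settings=SETTINGS):
    """Two independent controls: the caller must hold the capability, and
    secrets are masked before they can reach any response at all."""
    if REQUIRED_CAP not in req.user_caps:
        raise Forbidden(f"settings route requires {REQUIRED_CAP}")
    return {k: (redact(v) if k in SECRET_KEYS else v) for k, v in settings.items()}


def can_read_settings(req, route=hardened_settings_route):
    """True if the route answers the caller, False if it refuses."""
    try:
        route(req)
        return True
    except Forbidden:
        return False


def leaks_secret(response, settings=SETTINGS, secret_keys=SECRET_KEYS):
    """Regression check for any response body: does a stored secret appear verbatim?
    Run it against every route that touches the settings object, not just one."""
    secrets = {settings[k] for k in secret_keys if k in settings}
    return any(s in str(v) for v in response.values() for s in secrets)


if __name__ == "__main__":
    anon, admin = Request(), Request({REQUIRED_CAP})
    print("vulnerable leaks to anonymous:", leaks_secret(vulnerable_settings_route(anon)))
    print("hardened answers anonymous:", can_read_settings(anon))
    print("hardened leaks to admin:", leaks_secret(hardened_settings_route(admin)))
```

The `leaks_secret` check is the part worth keeping in a test suite: a permission check can be dropped again in a refactor, but a route that only ever sees redacted values has nothing to give away when that happens.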


