# [CRIT] Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

**Source:** The Hacker News
**Published:** 2026-06-20
**Article:** https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html

## Threat Profile

**By:** Ravie Lakshmanan, Jun 20, 2026 (Vulnerability / Web Security)
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites.
The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, se…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-4020`

## MITRE ATT&CK Techniques

- **T1539** — Steal Web Session Cookie
- **T1555.003** — Credentials from Web Browsers
- **T1190** — Exploit Public-Facing Application
- **T1528** — Steal Application Access Token
- **T1098.001** — Account Manipulation: Additional Cloud Credentials
- **T1071** — Application Layer Protocol
- **T1552** — Unsecured Credentials

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Gravity SMTP CVE-2026-4020 exploit request to unauthenticated mock-data REST endpoint

`UC_3_4` · phase: **exploit** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    values(Web.http_method) as http_method values(Web.status) as status
    values(Web.src) as src values(Web.http_user_agent) as user_agent
    from datamodel=Web.Web
    where Web.url="*/wp-json/gravitysmtp/v1/tests/mock-data*"
    by Web.dest Web.uri_query Web.url
| `drop_dm_object_name(Web)`
| eval exploit_param=if(match(uri_query,"(?i)gravitysmtp-settings"),"yes","no")
| sort - lastTime
```

**Defender KQL:**
```kql
// Article-reported attacker IPs; 30-day lookback, adjust to retention as needed
let AttackerIPs = dynamic(["45.148.10.95","193.32.162.60","176.65.148.139","173.199.90.188","45.148.10.120","185.8.107.155","185.8.106.37","185.8.106.92","185.8.106.145","176.65.148.30"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteIP in (AttackerIPs)
| project Timestamp, DeviceName, ActionType, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```

### Gravity SMTP CVE-2026-4020 successful System Report disclosure (~365 KB response)

`UC_3_5` · phase: **actions** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count values(Web.src) as src values(Web.http_user_agent) as user_agent
    max(Web.bytes_out) as bytes_out
    from datamodel=Web.Web
    where Web.url="*/wp-json/gravitysmtp/v1/tests/mock-data*" Web.status=200
    by Web.dest Web.url _time
| `drop_dm_object_name(Web)`
| where bytes_out > 300000
| sort - bytes_out
```

### Infostealer — non-browser process accessing browser cookie/login DBs

`UC_BROWSER_STEALER` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*"
        OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*"
        OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*"
        OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*"
        OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*")
      AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe")
    by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user
| `drop_dm_object_name(Filesystem)`
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessAccountName !endswith "$"
| where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\")
| where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite")
| where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType
```

### OAuth consent / suspicious app grant

`UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Authentication.Authentication
    where Authentication.action="success"
      AND Authentication.signature IN (
        "Consent to application",
        "Add app role assignment grant to user",
        "Add OAuth2PermissionGrant",
        "Add delegated permission grant")
    by Authentication.user, Authentication.app, Authentication.src, Authentication.signature
| `drop_dm_object_name(Authentication)`
```

**Defender KQL:**
```kql
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.")
| project Timestamp, AccountObjectId, AccountDisplayName, ActivityType,
          ActivityObjects, IPAddress, UserAgent
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-4020`

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `45.148.10.95`, `193.32.162.60`, `176.65.148.139`, `173.199.90.188`, `45.148.10.120`, `185.8.107.155`, `185.8.106.37`, `185.8.106.92` _(+2 more)_


## Why this matters

Severity classified as **CRIT** based on: CVE present, IOCs present, 6 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
