Lucene search
K

23 matches found

Nuclei
Nuclei
added yesterday28 views

Gravity SMTP WordPress Plugin - Sensitive Information Exposure

Gravity SMTP WordPress plugin = 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication. id:...

7.5CVSS6.1AI score0.39704EPSS
Exploits2References3
The Hacker News
The Hacker News
added 2026/06/20 9:56 a.m.15 views

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 CVSS score: 5.3, is a medium-severity information disclosure flaw that can allow unauthenticated attackers ...

7.5CVSS5.9AI score0.39704EPSS
Exploits2
RedhatCVE
RedhatCVE
added 2026/04/13 7:23 p.m.2 views

CVE-2026-4162

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/04/13 10:29 a.m.5 views

WordPress Gravity SMTP plugin <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall vulnerability

Missing Authorization to Authenticated Subscriber+ Plugin Uninstall vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Gravity SMTP versions = 2.1.4...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/04/10 12:31 p.m.3 views

EUVD-2026-21356

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References3
NVD
NVD
added 2026/04/10 10:16 a.m.3 views

CVE-2026-4162

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

7.1CVSS0.00251EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/10 9:25 a.m.1 views

CVE-2026-4162 Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/10 9:25 a.m.2 views

CVE-2026-4162

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/10 9:25 a.m.30 views

CVE-2026-4162 Gravity SMTP <= 2.1.4 - Missing Authorization to Authenticated (Subscriber+) Plugin Uninstall

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access a...

7.1CVSS0.00251EPSS
Exploits0References2
CVE
CVE
added 2026/04/10 9:25 a.m.12 views

CVE-2026-4162

CVE-2026-4162 affects the Gravity SMTP WordPress plugin up to and including version 2.1.4 . The issue is Missing Authorization where an authenticated user with subscriber-level access (or higher) can uninstall and deactivate the plugin and delete plugin options. The vulnerability can also be expl...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.8 views

WordPress plugin Gravity SMTP 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

7.1CVSS5.8AI score0.00251EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.4 views

PT-2026-31907

Name of the Vulnerable Software and Affected Versions Gravity SMTP plugin for WordPress versions up to and including 2.1.4 Description The Gravity SMTP plugin for WordPress does not properly verify user authorization, allowing authenticated attackers with subscriber-level access or higher to...

7.1CVSS5.7AI score0.00251EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 2026/04/01 5:0 a.m.4 views

CVE-2026-4020

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS5.9AI score0.39704EPSS
Exploits2References1
Patchstack
Patchstack
added 2026/03/31 7:2 a.m.8 views

WordPress Gravity SMTP plugin <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API vulnerability

Unauthenticated Sensitive Information Exposure via REST API vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Gravity SMTP versions = 2.1.4...

7.5CVSS5.9AI score0.39704EPSS
Exploits2References1Affected Software1
EUVD
EUVD
added 2026/03/31 3:31 a.m.4 views

EUVD-2026-17277

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS5.9AI score0.39704EPSS
Exploits2References8
NVD
NVD
added 2026/03/31 2:15 a.m.17 views

CVE-2026-4020

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS0.39704EPSS
Exploits2References7
Vulnrichment
Vulnrichment
added 2026/03/31 1:24 a.m.4 views

CVE-2026-4020 Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS5.9AI score0.39704EPSS
Exploits2References7
ATTACKERKB
ATTACKERKB
added 2026/03/31 1:24 a.m.2 views

CVE-2026-4020

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS5.9AI score0.39704EPSS
Exploits2References8
CVE
CVE
added 2026/03/31 1:24 a.m.83 views

CVE-2026-4020

Gravity SMTP for WordPress versions up to 2.1.4 exposes a REST endpoint at /wp-json/gravitysmtp/v1/tests/mock-data whose permission_callback always returns true, allowing unauthenticated access. When the ?page=gravitysmtp-settings parameter is used, register_connector_data() populates internal da...

7.5CVSS5.9AI score0.39704EPSS
In wildExploits2References7
Cvelist
Cvelist
added 2026/03/31 1:24 a.m.134 views

CVE-2026-4020 Gravity SMTP <= 2.1.4 - Unauthenticated Sensitive Information Exposure via REST API

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permissioncallback that unconditionally returns true, allowing any...

7.5CVSS0.39704EPSS
Exploits2References7
Rows per page
Query Builder