Skip to content

[GHSA-jxfc-8wcq-xxcg] The Gravity SMTP plugin for WordPress is vulnerable to... #8099

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
nickpelton wants to merge 1 commit into
base: nickpelton/advisory-improvement-8099
Choose a base branch
from
+27 −15
Open

[GHSA-jxfc-8wcq-xxcg] The Gravity SMTP plugin for WordPress is vulnerable to... #8099

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 27 additions & 15 deletions advisories/unreviewed/2026/03/GHSA-jxfc-8wcq-xxcg/GHSA-jxfc-8wcq-xxcg.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,43 @@
{
"schema_version": "1.4.0",
"id": "GHSA-jxfc-8wcq-xxcg",
"modified": "2026-03-31T03:31:26Z",
"modified": "2026-03-31T03:31:35Z",
"published": "2026-03-31T03:31:26Z",
"aliases": [
"CVE-2026-4020"
],
"summary": "CVE-2026-4020",
"details": "The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"affected": [],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": ""
},
Comment on lines +19 to +22

@nickpelton nickpelton Jun 23, 2026

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a private plugin. There is no public package. I was not given the choice to not choose an ecosystem. It's technically WordPress.

"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.5"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "< 2.1.4"
}
Comment on lines +36 to +38
}
],
"references": [
{
"type": "ADVISORY",
Expand All @@ -25,19 +49,7 @@
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/tags/2.1.4/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L103"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/gravitysmtp/trunk/vendor/gravityforms/gravity-tools/src/Providers/class-config-collection-service-provider.php#L86"
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4020"
},
{
"type": "WEB",
Expand Down