CVE-2026-4020 is a missing-authentication vulnerability (CWE-306, CWE-200) in the Gravity SMTP WordPress plugin that affects all versions through 2.1.4. With a single HTTP request, any unauthenticated remote attacker can retrieve a full system report that includes API keys, database details, server configuration, and all installed plugin versions. CISA KEV confirms active exploitation, and a patch is available: upgrade to version 2.1.5 or later immediately via the WordPress admin dashboard or WP-CLI. After patching, rotate all API keys and SMTP provider credentials configured within the plugin, and audit web server logs for prior requests to /wp-json/gravitysmtp/v1/tests/mock-data that returned HTTP 200 responses.
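
One way to run the log audit described above, as an added example (not code from the plugin or its vendor): a Python filter that assumes Apache/nginx "combined" access-log format. It goes slightly beyond the path named above by also matching WordPress's `?rest_route=` form of the same REST route; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# REST route taken from the advisory path /wp-json/gravitysmtp/v1/tests/mock-data
ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Assumption: "combined" log format; adjust the pattern for custom formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def rest_route(target):
    """Return the REST route a request target resolves to, or None."""
    path, _, query = target.partition("?")
    path = unquote(path)
    if "/wp-json/" in path:
        route = "/" + path.split("/wp-json/", 1)[1]
    else:
        # Plain-permalink form: /?rest_route=/namespace/route
        vals = parse_qs(query).get("rest_route")
        if not vals:
            return None
        route = vals[0]
    # Normalise doubled slashes, trailing slash and case before comparing.
    return re.sub(r"/+", "/", route).rstrip("/").lower()

def find_hits(lines):
    """Return (ip, timestamp, size) for each HTTP 200 served from ROUTE."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparseable line, or the request was not served
        if rest_route(m["target"]) == ROUTE:
            hits.append((m["ip"], m["ts"], m["size"]))
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2026:08:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '198.51.100.23 - - [10/Mar/2026:08:15:40 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 401 112 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Mar/2026:02:01:11 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 200 48190 "-" "python-requests/2.31"',
    '192.0.2.44 - - [11/Mar/2026:09:30:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Mar/2026:09:31:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data/?page=1 HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, ts, size in find_hits(SAMPLE):
        print(ip, ts, size)
```

To audit a real log, pass an open file instead of `SAMPLE`, for example `find_hits(open(path, errors="replace"))`, and treat every returned entry as a disclosure of the credentials the report contained.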