CVE-2026-4020 is an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin (all versions through 2.1.4) that exposes a 365 KB system report — including PHP configuration, database details, the active plugin inventory, and API keys — to any anonymous visitor via a REST API endpoint whose permission callback grants access unconditionally. CISA has confirmed active exploitation in the wild. Organizations should immediately block external access to /wp-json/gravitysmtp/v1/tests/mock-data at the WAF or web server layer, update to the patched version (verify the specific version in the WordPress plugin repository), and treat all API keys and email service provider credentials configured within the plugin as compromised and rotate them immediately.
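As an added example (not part of the advisory above), the following Python script scans web server access logs in the common "combined" format for requests to the disclosed endpoint, also matching the `?rest_route=` form that WordPress accepts when pretty permalinks are disabled, and flags successful responses near the report's 365 KB size as likely disclosures rather than blocked probes. The log lines, IP addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory. WordPress also serves REST routes through
# ?rest_route=<route> when pretty permalinks are off, so both forms are matched.
VULN_ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2026:10:15:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 373812 "-" "curl/8.5.0"
203.0.113.7 - - [02/Apr/2026:10:15:03 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Ftests%2Fmock-data HTTP/1.1" 200 373812 "-" "python-requests/2.31"
198.51.100.4 - - [02/Apr/2026:10:16:11 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2026:10:17:30 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
"""

def targets_vuln_route(target: str) -> bool:
    """True if the request target reaches the vulnerable route in either form."""
    path, _, query = target.partition("?")
    if unquote(path).lower().rstrip("/").endswith("/wp-json" + VULN_ROUTE):
        return True
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key == "rest_route" and "/" + unquote(value).strip("/").lower() == VULN_ROUTE:
            return True
    return False

def scan_access_log(lines, min_bytes: int = 300_000):
    """One finding per request to the route. A 200 whose body is near the
    ~365 KB report size is a likely disclosure; a 403 (WAF block) or 404
    (plugin patched/removed) is recorded as a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not targets_vuln_route(m["target"]):
            continue
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        disclosed = m["status"] == "200" and size >= min_bytes
        findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "bytes": size, "verdict": "disclosure" if disclosed else "probe"})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f)
```

A "disclosure" verdict means the report (and the API keys inside it) should be assumed to have left the server, so credential rotation is not optional for that host.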