CVE-2026-4020 (CVSS 7.5) affects the Gravity SMTP WordPress plugin through version 2.1.4. An unauthenticated REST API endpoint exposes roughly 365 KB of sensitive system data, including SMTP API keys, database details, PHP configuration, and the versions of all active plugins. The vulnerability is listed in CISA's KEV catalog as actively exploited.

Root cause: the route /wp-json/gravitysmtp/v1/tests/mock-data is registered with a permission_callback that unconditionally returns true, so WordPress applies no authentication or capability check to requests for it and any remote client can retrieve the data.

Remediation: upgrade to Gravity SMTP 2.1.5 immediately. If the update cannot be applied within 24 hours, block the endpoint at the WAF or reverse proxy in the meantime. Rotate every SMTP credential configured in the plugin whether or not exploitation has been confirmed, since the exposed data cannot be assumed unread. Because the endpoint also returned database details and the full list of active plugin versions, review those for anything else that needs rotating and expect follow-on targeting of the other plugins it disclosed.
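The registration pattern behind this class of bug, shown as an added illustration rather than Gravity SMTP's own source: a WordPress REST route whose permission_callback is '__return_true' beside a hardened registration that requires a logged-in user with an administrative capability, followed by a must-use-plugin stopgap that refuses the affected route before its handler runs. The second namespace (example/v1), the handler name, the manage_options capability and the mu-plugin approach are assumptions for the example; the real plugin may use different names.

```php
<?php
// Added example, not Gravity SMTP code. Illustrates the unauthenticated REST
// route anti-pattern and two defensive counterparts. Names marked "assumed"
// are chosen for the example only.

// 1) VULNERABLE pattern: '__return_true' as permission_callback makes the route
//    reachable by anyone, with no cookie, nonce or capability check.
add_action('rest_api_init', function () {
    register_rest_route('gravitysmtp/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',   // assumed name
        'permission_callback' => '__return_true',
    ]);
});

// 2) HARDENED pattern (assumed namespace example/v1): the handler runs only when
//    the callback returns true; returning WP_Error yields a 401 or 403 response.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/tests/mock-data', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mock_data_handler',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!is_user_logged_in()) {
                return new WP_Error('rest_not_logged_in',
                    'Authentication required.', ['status' => 401]);
            }
            // Diagnostic data that includes credentials belongs to admins only.
            if (!current_user_can('manage_options')) {
                return new WP_Error('rest_forbidden',
                    'Insufficient privileges.', ['status' => 403]);
            }
            return true;
        },
    ]);
});

// 3) STOPGAP if the update is delayed and no WAF sits in front of the site:
//    drop this in wp-content/mu-plugins/ to reject the affected route before
//    WordPress dispatches to its callback, regardless of the route's own
//    permission_callback. Remove it once the plugin is updated.
add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
    if (strpos($request->get_route(), '/gravitysmtp/v1/tests/mock-data') === 0) {
        return new WP_Error('rest_forbidden',
            'Endpoint disabled pending plugin update.', ['status' => 403]);
    }
    return $response;
}, 10, 3);

// Placeholder handler for the example; the real endpoint returned configuration
// data, which is exactly why it must never be reachable without authentication.
function example_mock_data_handler(WP_REST_Request $request) {
    return rest_ensure_response(['ok' => true]);
}
```

Note that with cookie-based REST authentication a request without a valid X-WP-Nonce header is treated as unauthenticated, so the hardened callback rejects it at the is_user_logged_in check; application passwords and other authenticated transports pass through to the capability check. The stopgap filter is a virtual patch, not a fix: it should be removed after upgrading to 2.1.5 so that it does not mask future changes to the route.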