Hackers Exploit Gravity SMTP WordPress Plugin Vulnerability


What happened

Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is installed on more than 100,000 WordPress sites.  

The vulnerability, tracked as CVE-2026-4020, affects Gravity SMTP versions 2.1.4 and earlier. It stems from an improperly protected REST API endpoint that allows unauthenticated attackers to retrieve sensitive system information without logging in.  

According to Wordfence, the flaw can expose detailed system configuration information along with email service API keys, OAuth tokens, and other secrets configured within the plugin. Wordfence said it has blocked more than 17 million exploit attempts targeting the vulnerability.  

RocketGenius released Gravity SMTP version 2.1.5 to address the vulnerability before public disclosure. However, attackers have continued scanning for and exploiting unpatched installations.  

Although the flaw does not directly allow remote code execution, the exposed information can help attackers conduct follow-on attacks by revealing credentials, installed plugins, WordPress configuration details, and other environmental information.  

Who is affected

Organizations and website owners running Gravity SMTP version 2.1.4 or earlier are affected.

The plugin is active on more than 100,000 WordPress sites, making it an attractive target for automated internet-wide scanning.  

Websites that use Gravity SMTP to connect to third-party email providers may face additional risk because exposed API keys, OAuth tokens, or SMTP credentials could allow attackers to impersonate legitimate email services or compromise outbound email infrastructure.  

Why CISOs should care

This vulnerability demonstrates how information disclosure flaws can become the first stage of a larger attack. While CVE-2026-4020 does not directly provide code execution, it can reveal credentials, API keys, system configuration, installed plugins, and other intelligence that attackers can use to plan subsequent compromises.  

The active exploitation also underscores the speed with which attackers weaponize newly disclosed WordPress vulnerabilities. Wordfence reported more than 17 million blocked exploitation attempts, indicating widespread automated scanning for vulnerable sites.  

For CISOs managing public-facing websites, WordPress plugins should be treated as part of the organization’s external attack surface. Plugins that integrate with cloud services, email providers, or authentication systems often store secrets that become valuable targets even when the vulnerability itself is limited to information disclosure.

3 practical actions

  1. Upgrade Gravity SMTP immediately: Organizations should update to Gravity SMTP version 2.1.5 or later to eliminate the vulnerable REST API endpoint. Any internet-facing WordPress site using earlier versions should be prioritized for remediation.  
  2. Rotate exposed API keys and email credentials: Because the vulnerability may expose SMTP credentials, API keys, OAuth tokens, and other secrets, organizations should rotate all credentials associated with Gravity SMTP after patching if compromise is suspected.  
  3. Review WordPress logs for reconnaissance activity: Security teams should examine web server, application, and WordPress logs for requests targeting the vulnerable REST API endpoint and investigate any signs that sensitive configuration information was accessed before remediation.  
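The log review in action 3 is the one step that is mostly mechanical, so here is an added example of how a security team might carry it out. This is illustrative code written for this page, not code from the article, Wordfence, or RocketGenius. Because the article does not name the vulnerable REST route, `SUSPECT_ROUTE` is a placeholder that must be replaced with the exact route from the vendor or Wordfence advisory; the log lines are constructed sample data, and the two URL forms handled (`/wp-json/<route>` and `?rest_route=/<route>`) are the standard ways WordPress exposes any REST route, which matters because scanners frequently use the query-string form to slip past naive `/wp-json/` greps.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# ASSUMED PLACEHOLDER: the article does not give the vulnerable route.
# Replace with the exact REST route named in the vendor/Wordfence advisory.
SUSPECT_ROUTE = "/gravity-smtp-placeholder/v1/settings"

# Apache/nginx "combined" access-log format (regex constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def rest_route(target):
    """Normalize the two forms WordPress accepts for a REST route:
    /wp-json/<route> and /?rest_route=/<route> (also via /index.php).
    Returns the bare route, or None if the request is not a REST call."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):].rstrip("/")
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0].rstrip("/")
    return None


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["route"] = rest_route(rec["target"])
    return rec


def find_suspect_hits(lines):
    """Return every parsed request that targeted SUSPECT_ROUTE in either URL form."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["route"] == SUSPECT_ROUTE:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per source IP: total hits, hits answered with HTTP 200 (the endpoint
    served a response, so configuration data was likely disclosed if this
    happened before the upgrade), and the user agents seen."""
    by_ip = defaultdict(lambda: {"total": 0, "served": 0, "agents": set()})
    for h in hits:
        entry = by_ip[h["ip"]]
        entry["total"] += 1
        if h["status"] == 200:
            entry["served"] += 1
        if h["ua"]:
            entry["agents"].add(h["ua"])
    return dict(by_ip)


# Constructed sample log lines (documentation-range IPs, fictitious timestamps).
SAMPLE_LOG = [
    '203.0.113.10 - - [02/May/2026:10:15:01 +0000] "GET /wp-json/gravity-smtp-placeholder/v1/settings HTTP/1.1" 200 2431 "-" "python-requests/2.31"',
    '203.0.113.10 - - [02/May/2026:10:15:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 95 "-" "python-requests/2.31"',
    '198.51.100.7 - - [02/May/2026:10:16:44 +0000] "GET /?rest_route=/gravity-smtp-placeholder/v1/settings HTTP/1.1" 200 2431 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/May/2026:11:02:10 +0000] "GET /index.php?rest_route=/gravity-smtp-placeholder/v1/settings/ HTTP/1.1" 403 57 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [02/May/2026:11:30:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, info in summarize(find_suspect_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {info['total']} request(s), {info['served']} served with 200, "
              f"agents={sorted(info['agents'])}")
```

Any source with a `served` count greater than zero before the upgrade timestamp is a candidate for the "compromise is suspected" branch of action 2, i.e. rotate every credential Gravity SMTP holds. Point the script at the real access logs by replacing `SAMPLE_LOG` with `open(path)`, and extend the regex if the site's log format adds fields such as request time or `X-Forwarded-For`.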

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.