Attackers are exploiting CVE-2026-4020, a medium-severity information disclosure vulnerability in Gravity SMTP, a WordPress plugin deployed across approximately 100,000 websites. The flaw carries a CVSS score of 5.3 and permits unauthenticated threat actors to extract sensitive configuration data, API keys, secrets, and OAuth tokens directly from affected installations.

Gravity SMTP integrates email functionality into WordPress sites, making it a common fixture in content management ecosystems. The vulnerability's unauthenticated nature means attackers require no valid credentials to launch exploitation attempts. They can access the plugin's stored authentication materials without engaging WordPress' permission framework.

API keys and OAuth tokens extracted from compromised installations grant attackers unauthorized access to upstream email services and third-party integrations. This creates downstream risk for organizations relying on those services. Exposed configuration data can reveal internal architecture details that attackers weaponize in follow-up campaigns targeting connected systems.

The plugin's wide deployment footprint amplifies the vulnerability's reach. Each unpatched installation represents an entry point for credential theft. Attackers can perform broad scanning operations to identify vulnerable instances, then systematically harvest credentials from responsive targets.

Organizations running Gravity SMTP must apply the available patch immediately. Site administrators should review access logs for signs of suspicious activity targeting the plugin's endpoints. Any API keys or tokens extracted before patching warrant immediate rotation and revocation. Email service providers should monitor for unauthorized account access patterns originating from compromised infrastructure.
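One way to carry out the access-log review recommended above, as an added example that is not from the article or from the plugin's vendor: it parses constructed web-server log lines and flags successful requests to plugin routes that carry no WordPress login cookie, then groups them by client address so scanning behaviour stands out. It assumes a custom log format that appends the request's Cookie header as a final quoted field, and uses `gravitysmtp` as a placeholder route marker to be replaced with the paths named in the vendor advisory.

```python
import re
from collections import defaultdict

# Placeholder: substring identifying the plugin's routes; substitute the
# exact paths from the vendor advisory for your installation.
PLUGIN_ROUTE_MARKER = "gravitysmtp"

# Constructed sample lines (combined format plus a trailing quoted Cookie
# field); not real traffic. 203.0.113.7 plays an unauthenticated scanner,
# 198.51.100.20 a logged-in administrator.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2026:10:01:03 +0000] "GET /wp-json/gravitysmtp/v1/connectors HTTP/1.1" 200 912 "-" "python-requests/2.31"
198.51.100.20 - - [12/May/2026:10:02:10 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 200 5021 "https://example.test/wp-admin/" "Mozilla/5.0" "wordpress_logged_in_abc=admin"
192.0.2.5 - - [12/May/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4500 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:03:30 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 404 120 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["cookie"] = entry["cookie"] or ""
    return entry


def is_authenticated(entry):
    # WordPress sets a wordpress_logged_in_<hash> cookie for logged-in sessions.
    return "wordpress_logged_in_" in entry["cookie"]


def find_suspicious(lines):
    """Map client IP -> plugin paths fetched successfully without a login session.

    A 2xx response to an unauthenticated client on a plugin route is the
    pattern to investigate: configuration read without any WordPress session.
    """
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None or PLUGIN_ROUTE_MARKER not in entry["path"].lower():
            continue
        if not is_authenticated(entry) and 200 <= entry["status"] < 300:
            hits[entry["ip"]].append(entry["path"])
    return dict(hits)
```

Run against a real log, the output lists the source addresses whose requests warrant the key rotation and revocation described above.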

Smaller WordPress site operators often lag in applying security updates due to resource constraints or limited visibility into their plugin inventory. This delay extends the exploitation window for attackers scanning for vulnerable instances. Hosting providers and managed WordPress services bear responsibility for automated patching where site owners lack technical capacity.

The vulnerability underscores the security risks embedded in WordPress plugin ecosystems. Thousands of third