Attackers actively exploit an unauthenticated information disclosure flaw in Gravity SMTP, a WordPress plugin installed on approximately 100,000 websites. The vulnerability allows threat actors to extract sensitive configuration data without requiring valid credentials or plugin authentication.
The Gravity SMTP plugin, developed for email delivery management within WordPress installations, contains insufficient access controls on certain administrative functions. Attackers leverage this gap to retrieve API keys, SMTP credentials, and server configuration details directly from affected sites. These credentials enable further compromise, including unauthorized email sending, account takeover, and lateral movement into connected systems.
The exploitation targets the plugin's core functionality. Hackers send unauthenticated requests to exposed endpoints, bypassing authentication mechanisms entirely. Success rates remain high because many WordPress site operators delay plugin updates or operate unpatched installations.
For affected organizations, the risks extend beyond email systems. Exposed SMTP credentials are often reused across other infrastructure. Stolen API keys grant attackers access to email service providers, allowing them to impersonate legitimate communications and potentially launch phishing campaigns against clients or employees. Compromised server configurations expose additional attack surface.
WordPress site administrators should immediately update Gravity SMTP to the patched version released by the developer. Security teams should audit SMTP credential usage across their infrastructure and rotate any exposed keys and passwords. Website owners should review email logs for suspicious activity and monitor for unauthorized configuration changes.
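The credential audit, rotation planning and configuration-change monitoring described above can be scripted. The following is an added example written for this page, not code from the article or from the Gravity SMTP plugin. It assumes each site's SMTP settings have been exported as a plain dictionary with the field names `smtp_password` and `api_key`; the plugin's real option keys are not known here, and all sample sites, hosts and secret values are constructed.

```python
"""Audit helper for the response steps recommended above (added example).

Given per-site SMTP/API settings as dictionaries (an assumed shape, not the
plugin's real storage format), it:
  1. flags credentials reused across sites, since one disclosure exposes all
     of them;
  2. lists which secrets to rotate: every secret on a site known to be
     exposed, plus every secret on any other site that shares the value;
  3. compares current settings with a saved baseline fingerprint to detect
     unauthorized configuration changes (e.g. a redirected SMTP relay).
Secrets are never printed; reports refer to them by a short hash.
"""
import hashlib
import json
from collections import defaultdict

# Field names are an assumption for this example.
SECRET_FIELDS = ("smtp_password", "api_key")


def fingerprint(settings):
    """Stable digest of one site's settings, used for change detection.
    Only the digest is stored in the baseline, never the settings themselves."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def secret_id(value):
    """Short hash so reports can group equal secrets without revealing them."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def find_reuse(sites):
    """Return {secret_id: [(site, field), ...]} for secrets on more than one site."""
    seen = defaultdict(list)
    for site, settings in sites.items():
        for field in SECRET_FIELDS:
            value = settings.get(field)
            if value:
                seen[value].append((site, field))
    return {secret_id(v): sorted(locs) for v, locs in seen.items()
            if len({site for site, _ in locs}) > 1}


def rotation_plan(sites, exposed_sites):
    """Every secret configured on an exposed site must be rotated, and so must
    the same value wherever else it is configured."""
    must_rotate = set()
    exposed_values = set()
    for site in exposed_sites:
        for field in SECRET_FIELDS:
            value = sites[site].get(field)
            if value:
                must_rotate.add((site, field))
                exposed_values.add(value)
    for site, settings in sites.items():
        for field in SECRET_FIELDS:
            if settings.get(field) in exposed_values:
                must_rotate.add((site, field))
    return sorted(must_rotate)


def detect_changes(sites, baseline):
    """Sites whose current fingerprint differs from the baseline, or that are new."""
    return sorted(site for site, settings in sites.items()
                  if baseline.get(site) != fingerprint(settings))


# Constructed sample data: three sites, two of which share an SMTP password.
SITES = {
    "shop.example": {"host": "smtp.mailprovider.example", "port": 587,
                     "user": "shop@example", "smtp_password": "Pass-A1",
                     "api_key": "key-111"},
    "blog.example": {"host": "smtp.mailprovider.example", "port": 587,
                     "user": "blog@example", "smtp_password": "Pass-A1",
                     "api_key": "key-222"},
    "intranet.example": {"host": "smtp.unknown-relay.example", "port": 25,
                         "user": "noreply", "smtp_password": "Pass-B2",
                         "api_key": ""},
}

# Constructed baseline taken before the incident; the intranet site's relay
# host has since been changed, which the audit should surface.
BASELINE = {
    "shop.example": fingerprint(SITES["shop.example"]),
    "blog.example": fingerprint(SITES["blog.example"]),
    "intranet.example": fingerprint({**SITES["intranet.example"],
                                     "host": "mail.internal.example"}),
}


def run_audit(sites, exposed_sites, baseline):
    """Combine the three checks into one report dictionary."""
    return {
        "reused_secrets": find_reuse(sites),
        "rotate": rotation_plan(sites, exposed_sites),
        "changed_config": detect_changes(sites, baseline),
    }


if __name__ == "__main__":
    # Treat shop.example as the site confirmed to have leaked its settings.
    print(json.dumps(run_audit(SITES, ["shop.example"], BASELINE), indent=2))
```

Because shop.example shares its SMTP password with blog.example, the rotation list includes blog.example as well, which is the point of auditing reuse before rotating: rotating only the credentials on the site known to be exposed leaves the copied password live elsewhere.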
The 100,000 affected sites represent a substantial attack surface. Information disclosure bugs frequently precede secondary attacks. Threat actors collect credentials passively, then weaponize them months later, making rapid patching essential.
No CVE assignment was listed in initial reporting, though the vulnerability's active exploitation warrants urgent attention regardless of official designation. Organizations running Gravity SMTP should treat this as a critical priority until they have verified that the patch has been deployed successfully.
