BleepingComputer ·EN-US News source Exploited in the wildGravity SMTP
Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin
CVE Tools coverage
Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, impacting deployments on an estimated 100,000 sites. The issue is tracked as CVE-2026-4020 and affects all versions from 2.1.4 and earlier; it was addressed in version 2.1.5 (released March 17). By accessing an exposed REST API endpoint, attackers can retrieve a detailed JSON “System Report” that may include API keys, email service credentials for providers like Amazon SES, Google, Mailjet, Resend, and Zoho, and environment/configuration details—enabling account and credential abuse and helping plan further attacks.