CVE Tools
Back to feed
The Hacker News ·EN News source Exploited in the wildGravity SMTP

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

By The Hacker News··2 min read
CVE Tools coverage

Threat actors are actively exploiting a patched vulnerability in the WordPress plugin Gravity SMTP (installed on roughly 100,000 sites) to expose sensitive information. The issue, tracked as CVE-2026-4020 (CVSS 5.3), is an unauthenticated information disclosure flaw that can leak configuration details, secrets, and third-party email integration API keys/tokens via a REST endpoint. This matters because exposed credentials can be reused to send email through connected services, and attackers can also gather detailed system information to support follow-on attacks; the vendor fix is available in Gravity SMTP version 2.1.5.