The Hacker News ·EN News source Exploited in the wildGravity SMTP
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
CVE Tools coverage
Threat actors are actively exploiting a patched vulnerability in the WordPress plugin Gravity SMTP (installed on roughly 100,000 sites) to expose sensitive information. The issue, tracked as CVE-2026-4020 (CVSS 5.3), is an unauthenticated information disclosure flaw that can leak configuration details, secrets, and third-party email integration API keys/tokens via a REST endpoint. This matters because exposed credentials can be reused to send email through connected services, and attackers can also gather detailed system information to support follow-on attacks; the vendor fix is available in Gravity SMTP version 2.1.5.