
Hackers are actively exploiting a flaw in the Gravity SMTP WordPress plugin. The flaw can expose sensitive data from affected websites.
The vulnerability is tracked as CVE-2026-4020. It has a CVSS score of 5.3, which makes it a medium-severity issue.
Still, the impact can be serious. Attackers may access API keys, OAuth tokens, secrets, and website configuration data.
What Is Gravity SMTP?
Gravity SMTP is a WordPress plugin for email delivery. It helps websites send email through third-party services.
These services may include Amazon SES, Google, Mailjet, Resend, and Zoho. Because of this, the plugin can store important credentials.
If these credentials leak, attackers may abuse them. They could send email through services linked to the victim’s website.
How the Flaw Works
The issue comes from an unsafe REST API endpoint. The endpoint can be accessed without login.
As a result, an unauthenticated visitor may pull system data from the website. This data can include a full system report.
The report may show the PHP version, web server version, WordPress version, active plugins, active theme, and database table names.
Worse, it may also expose API keys and email service tokens.
Why This Risk Matters
This flaw may not damage the website directly. However, the leaked data can help attackers plan the next step.
For example, attackers can review plugin versions. Then, they can look for other known flaws.
Also, leaked email API keys can be abused to send fake email. This can hurt the domain’s reputation.
Fake email can also support phishing attacks. So, the damage can spread beyond the website.
Affected Versions
Gravity SMTP version 2.1.4 and earlier are affected.
The patched version is Gravity SMTP 2.1.5. Site owners should update as soon as possible.
After updating, one more step is still needed. Teams should rotate all email API keys, secrets, and OAuth tokens.
Exploitation Is Already Active
Wordfence reported a large number of attacks. It has blocked more than 17 million exploit attempts.
Activity started in early May 2026. Then, attacks increased sharply in early June.
The biggest spike happened on June 7, 2026. On that day, Wordfence recorded more than 4 million blocked attempts.
What Data Can Leak?
Attackers may collect many details about the website. This information can help them understand the target.
Exposed data may include PHP version, PHP extensions, web server version, document root path, database version, WordPress version, active plugins, active theme, WordPress settings, database table names, and email service credentials.
The most dangerous part is active email credentials. API keys and tokens can be abused quickly if they are still valid.
What Site Owners Should Do
First, update Gravity SMTP to the latest version. At minimum, install version 2.1.5.
Next, rotate all API keys and tokens linked to the plugin. Do not rely on the plugin update alone.
Then, review server logs. Look for suspicious requests to the Gravity SMTP mock data endpoint.
Also, check email activity. Watch for unusual sending volume, bounced messages, or spam reports.
Extra Security Steps
Site owners should remove unused credentials. Keep only the email connections that the website really needs.
Also, restrict REST API access where possible. A trusted web application firewall can help reduce risk.
Plugin audits should also happen often. Remove unused plugins. Then, keep all active plugins updated.
Key Takeaway
The Gravity SMTP flaw shows that a medium-severity bug can still be dangerous. This is especially true when the bug exposes live credentials.
For this reason, site owners should update quickly. After that, they should rotate API keys and OAuth tokens.
In the end, WordPress security is not only about patching. Site owners also need log review, plugin control, and strong credential hygiene.
Source: https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html
