Recent reports indicate that threat actors are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites. The medium-severity flaw, tracked as CVE-2026-4020, allows unauthenticated attackers to read sensitive configuration data, including API keys, secrets, and OAuth tokens. A patch is available, but active exploitation means that sites still running a vulnerable version remain exposed, a significant risk for businesses relying on this widely used plugin.
For organizations using Gravity SMTP, the implications are severe. Exposed API keys and other credentials can be reused for unauthorized access and data breaches, so affected sites should be updated immediately and any exposed secrets rotated. Businesses should prioritize timely plugin updates and implement robust security measures to reduce the impact of similar vulnerabilities. This incident highlights the ongoing challenge of plugin security within the WordPress ecosystem and serves as a reminder of the importance of proactive cybersecurity practices in safeguarding sensitive data and maintaining operational integrity.
---
*Originally reported by [The Hacker News](https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html)*