A medium-severity vulnerability in the Gravity SMTP WordPress plugin (CVE-2026-4020) is being actively exploited by attackers before many site owners have applied the patch. The flaw allows unauthenticated attackers to extract sensitive configuration data, API keys, OAuth tokens, and secrets without any login credentials. With roughly 100,000 installations affected, the potential for credential theft and downstream service compromise is significant.

Security Architect’s Take: If Gravity SMTP is deployed across any WordPress instances in your environment — including headless or API-driven setups — verify the plugin is patched immediately and rotate all exposed credentials, API keys, and OAuth tokens as a precaution, since active exploitation means some keys may already be compromised.

Original advisory: Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys