A security flaw in the Gravity SMTP plugin for WordPress is under active exploitation. Cybercriminals are abusing the bug, prompting urgent warnings for site owners to update immediately. The email delivery plugin runs on around 100,000 websites worldwide.
Security researchers say attackers have launched millions of exploit attempts against the weakness. The flaw can expose sensitive information stored within affected sites. It is tracked as CVE-2026-4020 and affects all plugin versions through 2.1.4.
The bug lets unauthenticated users reach a publicly exposed endpoint and retrieve system data. According to security firm Wordfence, attackers can pull details about a site’s server configuration. The exposed data may also include live API keys and OAuth tokens for connected email services.
The vulnerability exists because the endpoint performs no authentication or authorization check, so any visitor can reach it. A specially crafted request triggers the site to generate a detailed system report. That report contains technical information about the website and its environment. It can also reveal credentials for services like Amazon SES, Google, Mailjet, Resend, and Zoho.
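The pattern behind this class of flaw, shown as an added illustration that is not the Gravity SMTP plugin's code and not taken from the article or from Wordfence: a WordPress REST route whose permission callback accepts every request, beside a hardened version that requires an administrator and redacts provider secrets from the report body. The route names, option name, settings keys and report fields are hypothetical, and the article does not say whether the real endpoint is a REST route.

```php
<?php
// Added illustration of the bug class described in the article: a diagnostic
// endpoint that returns a system report without checking who is asking.
// NOT the Gravity SMTP plugin's code; namespace, route, option name and
// report contents are hypothetical.

// Vulnerable pattern: '__return_true' as the permission callback means every
// request, authenticated or not, is allowed to fetch the report.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/system-report', array(
        'methods'             => 'GET',
        'callback'            => 'example_build_system_report',
        'permission_callback' => '__return_true', // no auth check: the flaw
    ) );
} );

// Hardened pattern: only a logged-in administrator may call it, and the
// report never carries live keys or tokens even for administrators.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-mailer/v1', '/system-report-secure', array(
        'methods'             => 'GET',
        'callback'            => 'example_build_redacted_report',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_build_system_report( WP_REST_Request $request ) {
    // Hypothetical option holding the mail provider settings.
    $settings = get_option( 'example_mailer_settings', array() );
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
        'provider'    => $settings, // raw settings, including API keys/tokens
    ) );
}

// Recursively replace values stored under secret-looking keys.
function example_redact_secrets( array $settings ) {
    $secret_keys = array( 'api_key', 'secret_key', 'access_token',
                          'refresh_token', 'client_secret', 'password' );
    foreach ( $settings as $key => $value ) {
        if ( is_array( $value ) ) {
            $settings[ $key ] = example_redact_secrets( $value );
        } elseif ( in_array( $key, $secret_keys, true ) ) {
            $settings[ $key ] = ( $value === '' ) ? '' : '[redacted]';
        }
    }
    return $settings;
}

function example_build_redacted_report( WP_REST_Request $request ) {
    $settings = get_option( 'example_mailer_settings', array() );
    return rest_ensure_response( array(
        'php_version' => PHP_VERSION,
        'wp_version'  => get_bloginfo( 'version' ),
        'provider'    => example_redact_secrets( $settings ),
    ) );
}
```

The permission callback is the authorization boundary for a WordPress REST route; with cookie authentication it also forces the caller to present a valid nonce, so an anonymous request to the hardened route gets a 401 or 403 instead of a report. Redacting secrets in the report body is a second layer: a support report should describe configuration, not hand out credentials, so an administrator's copied-and-pasted report cannot leak keys either.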
As with all sensitive-data exposure flaws, the impact depends on what data leaks. Wordfence said disclosure of third-party credentials raises the risk of misuse. Stolen keys let attackers send email from the victim’s legitimate domain. The system report also makes planning follow-up attacks far easier.
A security update addressing the flaw arrived in version 2.1.5. Researchers said exploitation began in early May and surged in June. Wordfence blocked more than 17 million exploit attempts overall. Requests peaked at over 4 million in a single day on June 7.
Administrators should update the plugin immediately and rotate any connected email credentials. They should also review server logs for suspicious activity. Experts warn that any credentials used before the fix should be treated as already compromised.
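A way to carry out the log review step, as an added example that is not from the article or from Wordfence: a command-line script that scans an access log for requests to the report endpoint, counts them per day, and separates clients that were actually served a report (2xx) from those that were blocked. The endpoint path is a placeholder because the article does not name the real one; take it from the vendor advisory. The log lines are constructed, in the Apache/nginx combined format.

```php
<?php
// Added example (not the plugin's or Wordfence's code): triage an access log
// for requests to a report endpoint like the one described in the article.
// ENDPOINT_PATH is a placeholder; replace it with the path from the advisory.

const ENDPOINT_PATH = '/wp-json/example-mailer/v1/system-report';

// Constructed sample lines, not real traffic.
$sampleLog = <<<'LOG'
203.0.113.7 - - [07/Jun/2026:10:01:02 +0000] "GET /wp-json/example-mailer/v1/system-report HTTP/1.1" 200 48211 "-" "curl/8.0"
203.0.113.7 - - [07/Jun/2026:10:01:05 +0000] "GET /wp-json/example-mailer/v1/system-report HTTP/1.1" 200 48211 "-" "curl/8.0"
198.51.100.9 - - [07/Jun/2026:10:02:10 +0000] "GET /wp-json/example-mailer/v1/system-report HTTP/1.1" 403 112 "-" "python-requests/2.31"
192.0.2.4 - - [07/Jun/2026:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jun/2026:01:00:00 +0000] "GET /wp-json/example-mailer/v1/system-report?x=1 HTTP/1.1" 200 48211 "-" "curl/8.0"
LOG;

// Parse one combined-format line into ip, day, method, path and status.
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\S+)/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'day'    => explode(':', $m[2], 2)[0],   // e.g. 07/Jun/2026
        'method' => $m[3],
        'path'   => explode('?', $m[4], 2)[0],   // drop the query string
        'status' => (int) $m[5],
    ];
}

// Count endpoint hits per day and per source, split by whether the server
// answered 2xx (report served) or something else (blocked or failed).
function triage(iterable $lines, string $endpoint = ENDPOINT_PATH): array {
    $byDay = [];
    $servedByIp = [];
    $blockedByIp = [];
    foreach ($lines as $line) {
        $rec = parse_line($line);
        if ($rec === null || $rec['path'] !== $endpoint) {
            continue;
        }
        $byDay[$rec['day']] = ($byDay[$rec['day']] ?? 0) + 1;
        if ($rec['status'] >= 200 && $rec['status'] < 300) {
            $servedByIp[$rec['ip']] = ($servedByIp[$rec['ip']] ?? 0) + 1;
        } else {
            $blockedByIp[$rec['ip']] = ($blockedByIp[$rec['ip']] ?? 0) + 1;
        }
    }
    return [
        'by_day'        => $byDay,
        'served_by_ip'  => $servedByIp,
        'blocked_by_ip' => $blockedByIp,
    ];
}

// Usage: php triage.php /var/log/apache2/access.log
// Without an argument the constructed sample above is used.
$lines  = isset($argv[1]) ? new SplFileObject($argv[1]) : explode("\n", $sampleLog);
$result = triage($lines);
print_r($result);
if ($result['served_by_ip']) {
    echo 'Report served to ' . count($result['served_by_ip'])
       . " client(s); treat the connected provider credentials as exposed.\n";
}
```

On the sample data the script reports three hits on 07/Jun/2026 and one on 08/Jun/2026, one client that received the report three times, and one that was blocked. A served report is confirmation that the credentials in it have left the server; as the article notes, credentials in use before the fix should be rotated regardless, because a reverse proxy, WAF or log rotation may have hidden earlier successful requests.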

