Gravity SMTP Flaw Under Active Exploitation Across WordPress Sites
Security researchers are warning WordPress administrators about active attacks exploiting a recently patched vulnerability in the Gravity SMTP plugin that exposes stored credentials and internal system information to unauthenticated requests.
The issue affects the popular Gravity SMTP plugin, which is installed on approximately 100,000 WordPress websites. Attackers are already exploiting the weakness to retrieve API keys, OAuth tokens, email service credentials, and detailed server configuration data without authentication.
As a result, organizations using vulnerable versions of the plugin face an increased risk of account compromise and follow-on attacks.
Vulnerability Exposes Sensitive Configuration Data
The security issue, tracked as CVE-2026-4020, stems from a REST API endpoint that does not enforce an authorization check. Consequently, any remote user, without logging in, can request information that should remain protected.
By sending a specially crafted request, attackers can trigger the plugin to generate a comprehensive system report. This report may reveal:
- WordPress version information
- Active plugins and themes
- PHP and web server details
- Database configuration data
- Document root paths
- API keys and authentication tokens
- Email service credentials
Researchers noted that exposed credentials may include integrations with popular email platforms such as Amazon SES, Google, Mailjet, Resend, and Zoho.
Attack Activity Intensifies
Threat actors wasted little time exploiting the vulnerability after its discovery. Security monitoring data shows malicious scanning and exploitation attempts began in early May 2026.
However, activity surged significantly during the first week of June. At its peak, attackers generated millions of requests within a single day while attempting to harvest sensitive information from vulnerable websites.
Several IP addresses have been repeatedly linked to exploitation attempts, indicating a coordinated effort to identify and compromise exposed systems.
Why the Gravity SMTP Flaw Matters
While the vulnerability carries a medium severity score, its real-world impact can be substantial. The score rates the immediate information disclosure, not what an attacker can do with the leaked secrets: exposed API keys can allow attackers to abuse legitimate email services, send fraudulent messages, or conduct phishing campaigns from trusted domains.
The system report is also valuable reconnaissance. Attackers can use it to identify outdated software, vulnerable plugins, and potential attack paths for deeper compromise.
Security experts warn that information disclosure flaws often become stepping stones for more damaging intrusions.
Recommended Actions for Site Owners
Organizations running Gravity SMTP should immediately update to version 2.1.5 or later.
Security teams should also:
- Rotate every API key, OAuth token and SMTP password the plugin stored, revoking the old credentials at the provider; treat them as exposed unless logs prove the endpoint was never reached
- Review web-server logs for requests to the plugin's REST endpoints, paying particular attention to requests that returned HTTP 200 before the update was applied
- Audit third-party email integrations
- Monitor for unauthorized email activity
- Investigate access attempts from known malicious IP addresses
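The log review and IP triage steps above, worked through as an added example; this is not code from the article or from the Gravity SMTP project. It assumes Apache/Nginx combined-format access logs and that the plugin's REST routes sit under the namespace `/gravitysmtp/` (a placeholder to check against the installed plugin). The sample log lines, the route name in them, and the known-bad IP list are all constructed.

```python
"""Triage a web-server access log for requests to the Gravity SMTP REST surface.

Added example for this article; it is not code from the article or from the
Gravity SMTP project. Assumptions: the log is in Apache/Nginx "combined" format,
and the plugin's REST routes sit under the namespace in PLUGIN_NAMESPACE (a
placeholder to check against the installed plugin). SAMPLE_LOG is constructed
test data and the route name in it is hypothetical.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PLUGIN_NAMESPACE = "/gravitysmtp/"  # assumed REST namespace prefix, not confirmed by the article


def rest_route_of(path: str):
    """Return the REST route a request targets, or None if it is not a REST call.

    WordPress exposes the same route two ways: /wp-json/<route> with pretty
    permalinks, and /?rest_route=/<route> without them. Normalise both so a
    scanner cannot dodge the check by switching forms.
    """
    base = path.split("?", 1)[0]
    if base.startswith("/wp-json/"):
        return "/" + base[len("/wp-json/"):]
    m = re.search(r"[?&]rest_route=([^&]*)", path)
    if m:
        route = unquote(m.group(1))
        return route if route.startswith("/") else None
    return None


def triage(lines, known_bad_ips=frozenset(), volume_threshold=50):
    """Summarise plugin REST hits per source IP.

    A 200 on the plugin's REST surface from a site that had not yet patched is
    treated as a likely disclosure (rotate whatever the report could contain).
    401/403 hits still count as probes, which is useful after the upgrade.
    """
    hits = Counter()          # all plugin REST requests per IP
    disclosures = Counter()   # those that returned 200
    routes = Counter()        # which routes were requested
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            unparsed += 1
            continue
        route = rest_route_of(m["path"])
        if route is None or not route.startswith(PLUGIN_NAMESPACE):
            continue
        ip = m["ip"]
        hits[ip] += 1
        routes[route] += 1
        if m["status"] == "200":
            disclosures[ip] += 1
    flagged = {ip for ip, n in hits.items() if n >= volume_threshold}
    flagged |= hits.keys() & set(known_bad_ips)
    return {
        "hits_by_ip": dict(hits),
        "likely_disclosure_by_ip": dict(disclosures),
        "routes": dict(routes),
        "flagged_ips": sorted(flagged),
        "unparsed_lines": unparsed,
    }


# Constructed sample: three probes from one host, one via the rest_route form,
# one blocked with 401 after the upgrade, two unrelated requests, one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:10:14:01 +0000] "GET /wp-json/gravitysmtp/v1/example-report HTTP/1.1" 200 8421 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Jun/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/example-report HTTP/1.1" 200 8421 "-" "python-requests/2.31"',
    '203.0.113.7 - - [02/Jun/2026:10:14:03 +0000] "GET /wp-json/gravitysmtp/v1/example-report HTTP/1.1" 200 8421 "-" "python-requests/2.31"',
    '198.51.100.23 - - [02/Jun/2026:11:02:10 +0000] "GET /?rest_route=%2Fgravitysmtp%2Fv1%2Fexample-report HTTP/1.1" 200 8419 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [03/Jun/2026:08:30:00 +0000] "GET /wp-json/gravitysmtp/v1/example-report HTTP/1.1" 401 93 "-" "curl/8.5.0"',
    '192.0.2.44 - - [03/Jun/2026:08:30:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [03/Jun/2026:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'not a log line',
]

KNOWN_BAD = frozenset({"198.51.100.23"})  # placeholder for a threat-intelligence list

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, known_bad_ips=KNOWN_BAD, volume_threshold=3)
    for ip in report["flagged_ips"]:
        print(f"flagged {ip}: {report['hits_by_ip'][ip]} plugin REST hits, "
              f"{report['likely_disclosure_by_ip'].get(ip, 0)} returned 200")
    print("routes:", report["routes"], "unparsed:", report["unparsed_lines"])
```

Three caveats when running this against real logs: behind a CDN or reverse proxy the first field is the proxy's address and the real client sits in an X-Forwarded-For header, so adjust the log format accordingly; a 200 only shows the endpoint answered, not that the body was the full report, so the safe reading is still to rotate; and if log retention does not reach back to early May, when scanning began, an empty result is not proof the site was never queried.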
Conclusion
The Gravity SMTP Flaw highlights how seemingly moderate vulnerabilities can create serious security risks when sensitive credentials are exposed. Because attackers are actively exploiting the bug, WordPress administrators should prioritize patching affected systems and rotating potentially compromised credentials. Taking immediate action can help prevent account abuse, unauthorized email activity, and future attacks against exposed websites.