Security researchers report that attackers are actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin. The issue affects an estimated 100,000 sites where the plugin is installed. According to the reports, the vulnerability allows anyone to obtain sensitive data, such as API keys, OAuth tokens, and detailed system or configuration information, by making a single HTTP request without authentication. The flaw is rated medium severity, is tracked as CVE-2026-4020, and carries a CVSS score of 5.3. One outlet notes that Wordfence, a WordPress security firm, has blocked a very large number of exploitation attempts targeting the weakness since malicious activity began. The reports also indicate that the vulnerability has been patched and that the remaining risk is confined to sites that have not updated to the fixed version. Overall, sources agree that the primary impact is data exposure; the exposed credentials can then be used to compromise accounts or services further, depending on what those credentials grant access to.
Hackers exploit Gravity SMTP WordPress flaw to disclose API keys and configuration data
- Attackers exploit an unauthenticated information disclosure flaw in the Gravity SMTP WordPress plugin.
- The vulnerability is identified as CVE-2026-4020 (CVSS 5.3) and is described as medium severity.
- Exploitation can disclose sensitive data including API keys, OAuth tokens, and system or configuration details.
- The Gravity SMTP plugin is installed on roughly 100,000 WordPress sites.
- Security firms report high volumes of blocked exploit attempts; the flaw has been patched, and sites remain exposed until they update to a fixed version.
Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration data to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security firm owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity […] This story continues at The Next Web
14 hours ago: Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens.
21 hours ago: Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites. [...]