Cybersecurity · June 21, 2026 · via The Hacker News

Gravity SMTP Bug Lets Hackers Steal WordPress API Keys

Hackers are actively exploiting a security gap in Gravity SMTP, a widely used WordPress plugin with around 100,000 installations, to steal sensitive credentials. The flaw, tracked as CVE-2026-4020 and rated medium severity with a CVSS score of 5.3, allows unauthenticated attackers to access configuration data, API keys, secrets, and OAuth tokens without needing to log in.

How the Attack Works

The vulnerability stems from an information disclosure issue in Gravity SMTP, enabling remote actors to extract confidential details from affected WordPress sites. Since the plugin handles email delivery and authentication for many users, compromised API keys could grant attackers control over email services or linked third-party accounts.

Immediate Steps for Users

Site administrators running Gravity SMTP should update the plugin to the latest version as soon as possible. WordPress users may also check for unauthorized access or unusual activity in their email configurations and API integrations. Security teams recommend rotating exposed keys and monitoring for signs of misuse.


Source: The Hacker News. AI-assisted editorial synthesis — TechnoExpress.
