Gravity SMTP Bug Puts 100,000 WordPress Sites at Risk

Thousands of WordPress sites are now exposed after attackers began actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP plugin, which is installed on 100,000 sites. The flaw allows unauthorized access to sensitive data, raising immediate concerns for site owners who rely on the plugin to manage email delivery.
A Silent but Serious Exposure
Security researchers have confirmed that the vulnerability, tracked under CVE-2024-5578, enables attackers to retrieve configuration details and other sensitive information without any authentication. While the plugin’s developer has released a patched version, many users have not updated, leaving their sites vulnerable to data harvesting and potential follow-up attacks. WordPress administrators are urged to install the latest update immediately to prevent unauthorized access.
What’s at Stake and Who’s Affected
The Gravity SMTP plugin is widely used to route WordPress emails through external SMTP servers, improving deliverability and reliability. With such a large user base, the impact of this vulnerability extends beyond individual sites to any business or service relying on WordPress for email communication. Attackers could use exposed configuration data to craft more convincing phishing campaigns or gain further access to internal systems. The urgency to patch underscores the broader challenge of maintaining security in an ecosystem where plugins are common entry points for compromise.
Source: BleepingComputer. AI-assisted editorial synthesis — TechnoExpress.