The Hacker News

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Hackers are exploiting a security vulnerability in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 websites. The flaw, identified as CVE-2026-4020 with a CVSS score of 5.3, is a medium-severity information disclosure issue. This vulnerability allows unauthenticated attackers to access and extract sensitive information, including configuration data, API keys, secrets, and OAuth tokens. The Gravity SMTP plugin is used to send emails from WordPress sites. The vulnerability was patched by the developers, but active exploitation indicates that many sites have not yet updated their plugin to the secure version. The potential for API keys to be compromised poses a significant risk, as these keys can grant unauthorized access to various services and platforms, potentially leading to further security breaches or financial losses.
