Gravity SMTP Vulnerability Exposes API Keys on 100,000 WordPress Sites

Threat actors are exploiting the Gravity SMTP vulnerability (CVE-2026-4020) to siphon API keys from roughly ↑ 100,000 WordPress installations.

Gravity SMTP vulnerability details

The flaw, rated ↓ 5.3 on the CVSS scale, is an information‑disclosure issue that permits unauthenticated requests to retrieve configuration files, API secrets and OAuth tokens.

Attack vector and impact

By sending a crafted HTTP request to the plugin’s endpoint, attackers can pull the wp_options entry that stores the SMTP service credentials, effectively compromising any integrated email service.

“The ease of exploitation makes this one of the most urgent patches of the year,” said a senior analyst at Bloomberg.

Must Read Intel Access the extended global dispatch

Related Intel: AI Pressures Redefine How Cybersecurity Teams Operate

WordPress sites that have not applied the December 2025 update remain exposed, and security firms advise immediate remediation and rotation of all exposed keys.

For broader context on WordPress plugin attacks, see Reuters.