In the News

IT Nerd: Active exploitation of Gravity SMTP flaw exposes hidden WordPress risk

Written by Rosa Lear | Jun 23, 2026 3:45:25 PM

Original article posted here. 

Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that lets unauthenticated requests read sensitive system information, including API keys, OAuth tokens, plugin inventories, and server configuration details. The flaw does not by itself enable remote code execution, but it highlights a persistent challenge in the WordPress ecosystem: information disclosure vulnerabilities are often underestimated until attackers use the exposed data for reconnaissance, credential theft, and follow-on attacks.

You can get an overview here: CVE-2026-4020: Gravity SMTP WordPress Plugin Exploited

Gidi Cohen, CEO & Co-founder of Bonfy.AI, had this comment:

“The active exploitation of the Gravity SMTP vulnerability (CVE-2026-4020) to steal API keys, secrets, and full system details from WordPress sites shows how even minor plugins now sit on the front line of enterprise data exposure. An unauthenticated REST endpoint returning configuration data, plugin inventories, and third-party email credentials gives attackers both the ability to impersonate a brand and high-quality reconnaissance for chaining additional exploits.

Updating to version 2.1.5 and rotating exposed keys is critical, but this incident reflects a broader problem: a growing web of plugins, SaaS connectors, and AI-enabled services moving sensitive content with limited content-level governance. Modern data security strategies increasingly need to treat every outbound channel as a high-risk path requiring consistent, contextual, content-aware controls and to provide unified visibility into how unstructured data moves across websites, SaaS apps, collaboration tools, and AI systems.”
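The article and the comment above describe the bug class in general terms: a WordPress REST route that anyone can call and that hands back plugin settings, including mail-provider credentials. The following is an added illustration of that anti-pattern and its fix, written for this page; it is not Gravity SMTP's code, and the plugin name, namespace, route and option keys (example-smtp, example_smtp_api_key, and so on) are hypothetical. It shows the permissive `permission_callback` that turns a settings endpoint into an unauthenticated disclosure, beside a registration that requires an administrator and never returns the raw secret.

```php
<?php
/**
 * Added illustration, not Gravity SMTP's code. Plugin name, REST namespace,
 * route and option keys are hypothetical. The two registrations below are
 * alternatives: the first is the leaky pattern, the second the hardened one.
 */

// BEFORE: anyone can GET /wp-json/example-smtp/v1/settings with no session,
// because '__return_true' as permission_callback accepts every request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // no authentication check at all
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array(
                'provider'       => get_option( 'example_smtp_provider' ),
                'api_key'        => get_option( 'example_smtp_api_key' ), // secret leaks verbatim
                'active_plugins' => get_option( 'active_plugins' ),       // inventory for recon
                'php_version'    => PHP_VERSION,                          // server detail for recon
            ) );
        },
    ) );
} );

// AFTER: only an authenticated administrator may read settings, and the
// response carries a masked key rather than the credential itself.
function example_smtp_settings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view SMTP settings.', 'example-smtp' ),
            // 401 for anonymous callers, 403 for logged-in users without the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_smtp_mask_secret( $secret ) {
    // Keep only the last four characters so an admin can tell which key is configured.
    $secret = (string) $secret;
    if ( strlen( $secret ) <= 4 ) {
        return '****';
    }
    return str_repeat( '*', strlen( $secret ) - 4 ) . substr( $secret, -4 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'permission_callback' => 'example_smtp_settings_permission',
        'callback'            => function ( WP_REST_Request $request ) {
            $api_key = (string) get_option( 'example_smtp_api_key' );
            return rest_ensure_response( array(
                'provider'        => get_option( 'example_smtp_provider' ),
                'api_key_present' => '' !== $api_key,
                'api_key_masked'  => example_smtp_mask_secret( $api_key ),
                // Plugin inventory and server details are not part of the response at all.
            ) );
        },
    ) );
} );
```

A quick check for a site you operate: request the plugin's settings route from a logged-out session (for example with curl) and confirm it returns 401 or 403 rather than a 200 with configuration data. Because the REST API reflects a site's capability model, a `permission_callback` that does not call `current_user_can()` with an appropriate capability is the thing to look for in a plugin review, and any key that was ever served unauthenticated should be treated as compromised and rotated rather than merely hidden.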
