- A WordPress plugin flaw exposes API keys and system data on roughly 100,000 sites.
- The vulnerability allows unauthenticated attackers to harvest credentials for email services.
- Over 17 million exploit attempts have been blocked by Wordfence since May 2026.
- Site owners must update the Gravity SMTP plugin and rotate all compromised credentials immediately.
Threat actors are actively exploiting a medium-severity vulnerability in the Gravity SMTP WordPress plugin, installed on approximately 100,000 websites, to steal sensitive configuration data and API keys. The flaw, tracked as CVE-2026-4020, was disclosed on June 20, 2026, and allows attackers to access internal system reports without authentication.
This vulnerability exists because a specific REST API endpoint lacks proper access controls, according to a report by Wordfence. Consequently, unauthenticated requests can return nearly 365 KB of JSON data containing a full site system report.
The exposed information includes PHP version, database details, active plugins, and live third-party API keys for services like Amazon SES and Google. Attackers can then abuse these credentials to send emails from the compromised site and gather intelligence for further attacks.
Wordfence has blocked more than 17 million exploit attempts targeting this vulnerability to date. Initial activity began in early May 2026 before spiking dramatically in June, reaching over 4 million requests in a single day.
The attacks originate from a set of specific IP addresses, including 45.148.10.95 and 185.8.107.155. A patch for the issue is available in Gravity SMTP version 2.1.5.
Site owners using vulnerable versions must update the plugin immediately and assume their connected credentials are compromised. They should also rotate all exposed API keys and OAuth tokens configured for the plugin’s email integrations.
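As an added example that is not part of the original article or of the plugin's code, the following Python triage script runs over constructed web-server log lines and flags two things a site owner would want to check after patching: REST requests that returned a body as large as the system report described above, and any request from the IP addresses named in the article. The route path `/wp-json/PLACEHOLDER/report`, the 300 KB size threshold and the function names are assumptions, since the article does not give the vulnerable endpoint.

```python
import re
from collections import Counter

# Indicator IPs named in the article.
KNOWN_ATTACKER_IPS = {"45.148.10.95", "185.8.107.155"}
# Assumption: the report is served under /wp-json/ and is ~365 KB, so any
# 200 on a REST route with a body this large is flagged. The real route
# path is not given in the article, so a placeholder path is used below.
REST_PREFIX = "/wp-json/"
LARGE_BODY_BYTES = 300_000

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def triage(lines):
    """Return (hits, per-IP hit counts); each hit is (ip, path, reason)."""
    hits, counts = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        large_rest = (rec["path"].startswith(REST_PREFIX)
                      and rec["status"] == 200
                      and rec["bytes"] >= LARGE_BODY_BYTES)
        if large_rest or rec["ip"] in KNOWN_ATTACKER_IPS:
            reason = "large-rest-response" if large_rest else "known-ip"
            hits.append((rec["ip"], rec["path"], reason))
            counts[rec["ip"]] += 1
    return hits, counts

# Constructed sample log lines (not real traffic); the path is a placeholder.
SAMPLE_LOG = [
    '45.148.10.95 - - [12/Jun/2026:03:14:07 +0000] "GET /wp-json/PLACEHOLDER/report HTTP/1.1" 200 373760 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Jun/2026:03:14:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '185.8.107.155 - - [12/Jun/2026:03:15:22 +0000] "GET /wp-json/PLACEHOLDER/report HTTP/1.1" 403 212 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Jun/2026:03:16:01 +0000] "GET /wp-json/PLACEHOLDER/report HTTP/1.1" 200 371200 "-" "Go-http-client/1.1"',
]
```

A hit tagged `large-rest-response` with status 200 means the report was likely served, so the credentials configured in the plugin should be treated as exposed regardless of the source IP.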
