Gravity SMTP Plugin Information Disclosure Enables API Key Extraction at Scale
Attackers are exploiting an unauthenticated information disclosure flaw in Gravity SMTP (CVE-2026-4020) to extract API keys, OAuth tokens, and configuration secrets from roughly 100,000 WordPress installations. The vulnerability remains exploitable despite patches because many sites run unpatched versions.
Gravity SMTP's information disclosure vulnerability represents a textbook case of how medium-severity flaws can create outsized risk in WordPress ecosystems. The CVSS 5.3 score reflects the technical classification, but the real-world impact is substantially higher: any unauthenticated attacker can harvest API keys and OAuth tokens from sites running vulnerable versions, instantly compromising upstream services like email delivery platforms and identity providers that those sites depend on.
The technical details matter here. An unauthenticated information disclosure in a plugin installed on 100,000 sites means attackers need only point a scanner at WordPress installations to identify those running Gravity SMTP, then extract secrets without any authentication barrier. The vulnerability likely exposes configuration endpoints or debug outputs that leak sensitive data. Once harvested, these credentials grant attackers persistent access to third-party services, enabling them to send phishing emails, intercept OAuth flows, or pivot deeper into connected infrastructure.
Adoption scale amplifies the threat. WordPress plugin vulnerabilities tend to remain exploitable for extended periods because update adoption is inconsistent across the 100,000 affected sites. Some organisations patch immediately; others leave plugins unmaintained for months or years. This leaves attackers a large and only slowly shrinking window of opportunity. The fact that exploitation is already occurring suggests threat actors have weaponised the flaw and are actively scanning for vulnerable instances.
Defenders should treat exposed API keys and OAuth tokens as compromised regardless of patch status. Organisations running Gravity SMTP must immediately audit configuration data, revoke any credentials that may have been extracted, monitor third-party services for unauthorised activity, and review logs for access to configuration data during the vulnerable period. Beyond patching, this incident underscores why storing sensitive credentials in plugin configuration files remains a poor security practice. Organisations should migrate to credential management solutions that isolate secrets from plugin storage.
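The log review step above, as an added example that is not part of the original article or of the Gravity SMTP project: it parses combined-format web server log lines, keeps successful requests to the plugin's HTTP surface inside the vulnerable window, and reports which source addresses read which routes. The route prefix, the window dates and the sample log lines are constructed placeholders; substitute the paths and dates from the vendor advisory.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: placeholder for the plugin's HTTP route prefix. The real
# Gravity SMTP routes are not given in the article; take them from the advisory.
PLUGIN_PATH_PREFIX = "/wp-json/gravitysmtp/"

# Constructed vulnerable window (replace with the dates from the advisory).
WINDOW_START = datetime(2026, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 5, 23, 59, 59, tzinfo=timezone.utc)

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one client reads two routes inside the window,
# one request is rejected (401), one request lies outside the window.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2026:10:14:03 +0000] "GET /wp-json/gravitysmtp/v1/status HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.22 - - [03/Mar/2026:11:02:45 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 401 93 "-" "Mozilla/5.0"
192.0.2.15 - - [04/Mar/2026:08:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:09:00:00 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1843 "-" "python-requests/2.31"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path").split("?")[0],
            "status": int(m.group("status")), "ua": m.group("ua")}

def triage(lines, window_start, window_end, prefix=PLUGIN_PATH_PREFIX):
    """Per-IP summary of successful (2xx) reads of the plugin surface inside the
    window: hit count, distinct routes touched, and first-seen timestamp."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "first": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        if not (window_start <= rec["ts"] <= window_end) or rec["status"] // 100 != 2:
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["paths"].add(rec["path"])
        if h["first"] is None or rec["ts"] < h["first"]:
            h["first"] = rec["ts"]
    return dict(hits)

def triage_sample():
    return triage(SAMPLE_LOG.splitlines(), WINDOW_START, WINDOW_END)

if __name__ == "__main__":
    for ip, h in triage_sample().items():
        print(ip, h["count"], "reads since", h["first"].isoformat(), sorted(h["paths"]))
```

Every address the report lists read plugin configuration without authenticating during the window, so the secrets those routes return go on the rotation list regardless of whether the site has since been patched.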
The broader implication is that WordPress plugin vulnerabilities affecting 100,000 sites create supply-chain exposure that extends far beyond the plugin itself. Each compromised API key potentially grants access to downstream services supporting thousands of users. This justifies treating WordPress security as infrastructure security rather than isolated application security.