Attackers are actively exploiting CVE-2026-4020, a medium-severity unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is installed on roughly 100,000 sites. The flaw lets an unauthenticated attacker read sensitive data such as API keys and WordPress configuration details, which can then be reused for impersonation and follow-on attacks; security firm Wordfence reports having blocked millions of exploit attempts.
The immediate action for anyone running the plugin is to update Gravity SMTP to version 2.1.5, the release that patches CVE-2026-4020. Until the update is applied, an unauthenticated attacker can read sensitive site information, including API keys and email service credentials, and use it to mount further attacks. Check web server logs for requests to ‘/wp-json/gravitysmtp/v1/tests/mock-data’: a request to that endpoint that was answered before the update should be treated as a likely leak, and any API keys or email service credentials the plugin held should be considered exposed and rotated.
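The log check above, as an added example that is not part of the original article or of Wordfence's or Gravity SMTP's own tooling. It parses Apache/nginx combined-format access log lines (the sample lines are constructed for this example), extracts the REST route requested, and reports which client IPs hit the mock-data endpoint and whether the server answered 200 (data likely returned) or something else (blocked or patched). It goes slightly beyond the article by also matching the plain-permalink form of the same route, `/index.php?rest_route=/gravitysmtp/v1/tests/mock-data`, which is how WordPress exposes REST endpoints on sites without pretty permalinks; the constant `ROUTE` and the function names are this example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format (client, timestamp, request line, status, size, ...).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# REST route of the vulnerable endpoint named in the advisory (without the /wp-json prefix).
ROUTE = "/gravitysmtp/v1/tests/mock-data"

# Constructed sample log lines for this example; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 200 1832 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:14:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4121 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2026:10:15:11 +0000] "GET /index.php?rest_route=/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 199 "-" "curl/8.4"
192.0.2.9 - - [12/Mar/2026:10:16:40 +0000] "GET /wp-json/wp/v2/posts?per_page=1 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:10:17:05 +0000] "GET /WP-JSON/gravitysmtp/v1/tests/mock-data/ HTTP/1.1" 200 1832 "-" "python-requests/2.31"
"""


def route_of(target):
    """Return the REST route a request targets, or None if it is not a REST call.

    Handles both /wp-json/<route> (pretty permalinks) and ?rest_route=<route>
    (plain permalinks). Case and a trailing slash are normalised so that
    trivial evasions such as /WP-JSON/.../mock-data/ still match.
    """
    parts = urlsplit(target)
    path = unquote(parts.path).lower().rstrip("/")
    idx = path.find("/wp-json/")
    if idx != -1:
        return path[idx + len("/wp-json"):]
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0].lower().rstrip("/")
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["route"] = route_of(entry["target"])
    return entry


def find_probes(lines):
    """Return the parsed entries that requested the mock-data endpoint."""
    return [e for e in map(parse_line, lines) if e and e["route"] == ROUTE]


def summarize(hits):
    """Per-IP counts split by outcome: 200 means the endpoint answered (likely leak),
    anything else means the request was blocked, rejected or the site was already patched."""
    answered = Counter(h["ip"] for h in hits if h["status"] == 200)
    rejected = Counter(h["ip"] for h in hits if h["status"] != 200)
    return answered, rejected


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG.splitlines())
    answered, rejected = summarize(probes)
    for h in probes:
        print(f"{h['ts']}  {h['ip']:<15} {h['status']}  {h['target']}")
    print("answered (treat stored credentials as exposed):", dict(answered))
    print("rejected:", dict(rejected))
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with the lines of the access log; a hit with status 200 dated before the update to 2.1.5 is the signal that credentials need rotating, whereas a 403 from a blocking layer or a 404 after the update confirms the probe failed.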