336/69 Monday, June 22, 2026

Security researchers have disclosed that attackers are actively exploiting CVE-2026-4020 in the Gravity SMTP plugin for WordPress, which is installed on more than 100,000 websites. The vulnerability is an information disclosure issue that allows unauthenticated attackers to read system configuration data, including API keys, secrets, and OAuth tokens configured for connecting to various email services.
Reports indicate that the vulnerability stems from a REST API endpoint that lacks proper authorization checks. As a result, attackers can send requests to the affected endpoint to retrieve the website’s System Report, including the WordPress version, the list of installed plugins, system configuration details, database information, and credentials used to connect to email services such as Amazon SES, Google, Mailjet, Resend, and Zoho. Wordfence stated that it has blocked more than 17 million exploitation attempts targeting this vulnerability, with attack activity increasing in June 2026.
WordPress website administrators using Gravity SMTP version 2.1.4 or earlier should update the plugin to version 2.1.5 or later as soon as possible. They should also check whether API keys, OAuth tokens, and other related secrets have been exposed. If a site may have been affected, administrators should rotate all credentials used with email services and review historical logs to identify any unauthorized attempts to access sensitive information.
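The missing-authorization pattern described above, beside a hardened form, as an added illustration written for this note and not taken from Gravity SMTP: the `example-smtp/v1` namespace, the `/report` route and the `example_smtp_providers` option are hypothetical, while the WordPress REST API functions used are real.

```php
<?php
// Added illustration, not Gravity SMTP's code. Namespace, route and option name
// are hypothetical; the WordPress REST API functions used are real.
// Builds a system report that includes mail-provider credentials, the kind of
// data the advisory says the vulnerable endpoint returned to anyone who asked.
function example_smtp_build_report() {
    return array(
        'wp_version' => get_bloginfo( 'version' ),
        'providers'  => get_option( 'example_smtp_providers', array() ), // api_key, oauth_token, ...
    );
}

// BEFORE (not hooked here, shown for contrast): '__return_true' makes the
// permission check always pass, so an unauthenticated GET receives the report.
function example_smtp_register_vulnerable_route() {
    register_rest_route( 'example-smtp/v1', '/report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_build_report',
        'permission_callback' => '__return_true',
    ) );
}

// Masks credential values so the report is safe to display even to an admin.
function example_smtp_mask_secrets( $report ) {
    foreach ( array_keys( $report['providers'] ) as $name ) {
        foreach ( array( 'api_key', 'secret', 'oauth_token' ) as $k ) {
            if ( ! empty( $report['providers'][ $name ][ $k ] ) ) {
                $value = $report['providers'][ $name ][ $k ];
                $report['providers'][ $name ][ $k ] = '****' . substr( $value, -4 );
            }
        }
    }
    return $report;
}

// AFTER: require the manage_options capability (administrators only by default)
// and return only the masked report.
function example_smtp_register_fixed_route() {
    register_rest_route( 'example-smtp/v1', '/report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_smtp_mask_secrets( example_smtp_build_report() ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}
add_action( 'rest_api_init', 'example_smtp_register_fixed_route' );
```

A permission_callback that returns true unconditionally is the single line to look for when auditing a plugin's REST routes; capability checks belong there, not inside the callback.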
Source: https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html
