LOWVulnerability
Global

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

·Source: The Hacker News

Updated:

Executive Summary

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens

Analysis

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens

Indicators of Compromise (1)

CVE (1)
CVE-2026-4020
Source Attribution

Originally published by The Hacker News on Jun 20, 2026.

Related Threats