Published: · Region: Global · Category: cyber

Gravity SMTP WordPress Flaw Exposes API Keys and Tokens as Hackers Rush to Exploit

A critical flaw in the popular Gravity SMTP plugin for WordPress, tracked as CVE‑2026‑4020, is already under mass exploitation, with security firms blocking millions of attacks. The bug allows unauthenticated access to API keys, OAuth tokens and system information via a misconfigured REST API endpoint, putting thousands of websites and their downstream services at risk.

A misconfigured doorway in one of WordPress’s fast-growing email plugins has turned into a high-speed on-ramp for attackers. Within days of disclosure, hackers are mass-scanning for vulnerable sites running the Gravity SMTP plugin and siphoning out the keys that tie those sites to their external services.

The vulnerability, assigned CVE‑2026‑4020, affects the Gravity SMTP plugin, which is used to route WordPress emails through third-party SMTP providers and APIs for better deliverability. According to security researchers tracking the issue, the flaw sits in an unauthenticated REST API endpoint that exposes sensitive configuration data to anyone who knows where to look. That data includes API keys, OAuth tokens and various system details that can be leveraged for deeper compromise.

In practical terms, an attacker does not need an account on a target site to start pulling secrets. By sending crafted requests to the vulnerable API route, they can retrieve credentials that allow them to impersonate the site’s email identity, access connected services or pivot into other parts of the infrastructure. With many organizations wiring WordPress into CRM platforms, marketing tools and cloud providers, a single leaked key can have a much longer reach than the website itself.

Security firm Wordfence, which protects millions of WordPress installations, reports that it has already blocked more than 17 million exploit attempts targeting this single bug. That volume underscores how quickly opportunistic attackers weaponize fresh disclosures: automated bots sweep IP ranges for WordPress sites, probe for the Gravity SMTP endpoint, and harvest any secrets available. Even a low success rate can yield a large trove of credentials when spread across the internet’s vast population of small and medium sites.

For site owners, the stakes are larger than an inbox full of spam. With stolen SMTP or API credentials, attackers can send convincing phishing emails from a trusted domain, bypassing many reputation-based filters. They can potentially reset passwords on linked accounts, abuse email quotas to run scams, or use exposed tokens to interact with cloud storage and databases. In some cases, the reputational damage from a domain being blacklisted or associated with fraud can be harder to repair than the technical fallout.

The incident is another reminder of how the modern web’s convenience layer — plugins, connectors and low-code integrations — can become an attack surface in its own right. Gravity SMTP is far from the only tool to rely on REST APIs and stored credentials, but this bug shows how a single missing access control check can turn helpful automation into a credential leak at scale.
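To make the "single missing access control check" concrete, the snippet below is an added illustration written for this page, not Gravity SMTP's source and not a claim about its exact bug: it registers a hypothetical mail-settings endpoint once with a permission callback that makes it public, then hardened with a capability check and redaction of stored secrets. The namespace, route and option key names are assumptions.

```php
<?php
// Added example, not Gravity SMTP code. The namespace 'example-mailer/v1',
// the routes and the option key 'example_mailer_settings' are made up
// for illustration.

add_action( 'rest_api_init', function () {

    // WEAK: '__return_true' lets any unauthenticated visitor read the stored
    // configuration, provider API keys and OAuth tokens included. Omitting
    // permission_callback entirely has the same effect; since WordPress 5.5
    // it only triggers a _doing_it_wrong notice.
    register_rest_route( 'example-mailer/v1', '/settings-weak', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_settings_raw',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: require an authenticated administrator, and never return the
    // secret values themselves, only whether they are configured.
    register_rest_route( 'example-mailer/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_mailer_get_settings_redacted',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient privileges.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_mailer_get_settings_raw() {
    // Returns the whole option, secrets included: this is the leak pattern.
    return rest_ensure_response( get_option( 'example_mailer_settings', array() ) );
}

function example_mailer_get_settings_redacted() {
    $settings    = get_option( 'example_mailer_settings', array() );
    $secret_keys = array( 'api_key', 'oauth_access_token', 'oauth_refresh_token', 'smtp_password' );
    foreach ( $secret_keys as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            // The admin UI only needs to know a secret exists, not its value.
            $settings[ $key ] = ( '' !== $settings[ $key ] ) ? '********' : '';
        }
    }
    return rest_ensure_response( $settings );
}
```

Note that cookie-authenticated REST requests also need a valid X-WP-Nonce header; without it WordPress treats the request as unauthenticated and current_user_can() correctly denies access.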

For the broader cybersecurity community, CVE‑2026‑4020 illustrates a familiar pattern: vulnerabilities in widely used third-party components can ripple outward into email infrastructure, identity systems and cloud platforms. Defending against that risk means treating plugin security with the same seriousness as core application code and recognizing that API keys and tokens are as sensitive as passwords.

The key developments to track now are the rollout and adoption of patched versions of Gravity SMTP; whether major hosting providers move to automatically disable or update vulnerable installations; and any evidence that stolen keys from this wave are being used in targeted phishing or further intrusions. The longer unpatched sites remain online, the more likely it is that today’s mass scans will evolve into tomorrow’s tailored compromises.
