Hackers are actively exploiting an unauthenticated info disclosure bug in the Gravity SMTP WordPress plugin, affecting over 100,000 sites. Update now to protect sensitive email logs and user data from theft.
If you manage a WordPress site, you probably know how crucial email deliverability is. That's why plugins like Gravity SMTP are so popular, helping over 100,000 sites get their messages through. But right now, there's a serious problem that needs your attention: hackers are actively exploiting a vulnerability in this plugin, and they don't even need a password to do it.
This isn't just some theoretical risk. Threat actors are already using this bug to pull sensitive information from vulnerable sites. And since the plugin handles email logs, that could mean leaked passwords, user data, or other private details. Let's break down what's happening and how you can protect yourself.
### What is the Gravity SMTP Vulnerability?
The flaw is an unauthenticated information disclosure bug. In plain English, that means anyone on the internet can trigger it without logging in. The vulnerability allows attackers to read sensitive data stored by the plugin, like email logs and configuration settings. Since Gravity SMTP handles all your site's outgoing mail, those logs can contain a treasure trove of information.
Here's what makes this especially dangerous:
- No authentication needed: Attackers don't need a username or password to exploit it.
- Wide reach: Over 100,000 sites use this plugin, making it a high-value target.
- Sensitive data at risk: Email logs often include usernames, passwords, and other personal info.
If you're running an older version of Gravity SMTP, your site could already be compromised. The developers have released a patch, so updating is your first line of defense.
### How Hackers Are Exploiting It
Security researchers have spotted active attacks in the wild. Hackers are scanning for sites with the vulnerable plugin and then sending specially crafted requests to pull out the data. Because the exploit doesn't require authentication, it's easy to automate. That means thousands of sites can be targeted in a single campaign.
Once they have the email logs, attackers can use that info to launch further attacks. For example, they might try to log into your admin panel with credentials they find, or use the data for phishing scams. Think of it like someone finding your mailbox key and then using it to steal your mail.
### What You Should Do Right Now
If you use Gravity SMTP, don't wait. Here's your action plan:
- Update the plugin immediately: Check your WordPress dashboard for the latest version. If there's an update, install it now.
- Check for signs of compromise: Look for unfamiliar admin users, strange outbound emails, or unusual activity in your logs.
- Change all passwords: If your site was compromised, change every password, especially admin and email account passwords.
- Review email logs: See if any sensitive info was exposed and take steps to notify affected users if needed.
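To make the first two steps concrete (and the "no authentication needed" point above, which is why the installed version is the first thing to check), here's a small WP-CLI script. It's an added example, not code from this article or from the Gravity SMTP developers. It assumes WP-CLI is installed and that you run it from the WordPress root; the plugin slug `gravitysmtp`, the patched version number, and the list of administrator logins you expect are placeholders you fill in from the vendor's release notes and your own records.

```shell
#!/bin/sh
# Added example: a quick WP-CLI check for the first two steps of the action plan.
# Not from the article or the plugin vendor. Assumes WP-CLI is installed and the
# script runs from the WordPress root. All three values below are placeholders.
PLUGIN_SLUG="${PLUGIN_SLUG:-gravitysmtp}"    # assumed slug; confirm with `wp plugin list`
PATCHED_VERSION="${PATCHED_VERSION:-0.0.0}"  # placeholder: set to the fixed release from the advisory
KNOWN_ADMINS="${KNOWN_ADMINS:-}"             # space-separated logins you expect to be administrators

# digits_only STR : strip anything that is not a digit (so "3-beta" becomes "3").
digits_only() { printf '%s' "$1" | tr -cd '0-9'; }

# version_lt A B : succeed (exit 0) when dotted version A is older than B.
# Missing components count as 0, so 1.2 compares equal to 1.2.0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai=$(digits_only "$ai"); bi=$(digits_only "$bi")
    ai="${ai:-0}"; bi="${bi:-0}"
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
  done
  return 1   # versions are equal, so A is not older
}

# unexpected_admins ALLOWLIST : reads admin logins on stdin (one per line) and
# prints every login missing from the space-separated ALLOWLIST.
# Exit 0 when nothing unexpected was found, 1 otherwise.
unexpected_admins() {
  allow=" $1 "
  found=0
  while IFS= read -r login; do
    [ -z "$login" ] && continue
    case "$allow" in
      *" $login "*) ;;
      *) echo "  $login"; found=1 ;;
    esac
  done
  return $found
}

# audit_site : report whether the installed plugin is below the patched version
# and whether any administrator account is not on the allowlist.
audit_site() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "could not read $PLUGIN_SLUG version (plugin missing or WP-CLI unavailable)"
    return 2
  }
  status=0
  if version_lt "$installed" "$PATCHED_VERSION"; then
    echo "VULNERABLE: $PLUGIN_SLUG $installed is older than $PATCHED_VERSION"
    echo "  fix: wp plugin update $PLUGIN_SLUG"
    status=1
  else
    echo "ok: $PLUGIN_SLUG $installed is at or above $PATCHED_VERSION"
  fi
  admins=$(wp user list --role=administrator --field=user_login 2>/dev/null) || {
    echo "could not list administrator accounts"
    return 2
  }
  echo "administrator accounts not on your allowlist (investigate any that appear):"
  if printf '%s\n' "$admins" | unexpected_admins "$KNOWN_ADMINS"; then
    echo "  none"
  else
    status=1
  fi
  return $status
}

# Run the audit only when asked, so the functions can also be sourced and reused.
if [ "${1:-}" = "--run" ]; then
  audit_site
fi
```

Run it as `PATCHED_VERSION=<fixed release> KNOWN_ADMINS="alice bob" sh audit.sh --run` from the site root; a non-zero exit means either the plugin is still on an older release or an administrator account you don't recognise exists. It deliberately stops at the version and admin checks: where the plugin keeps its email logs, and what they contain, depends on how you configured it, so reviewing them (step four) is something to do by hand in the plugin's own log screen.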
For most people, updating the plugin is enough. But if you have a high-traffic site or handle sensitive user data, consider doing a full security audit. Better safe than sorry.
### Why This Matters for Your Business
WordPress powers over 40% of the web, and plugins like Gravity SMTP are essential tools. But they're also a common attack vector. This incident is a reminder that even trusted plugins can have flaws. The key is staying proactive.
Think of it like locking your front door. You wouldn't leave it wide open, right? The same goes for your website. Regular updates, strong passwords, and monitoring are your best defense. And if you're using antidetect browsers for your own work, you already understand the importance of staying ahead of threats.
### Final Thoughts
Security isn't a one-time thing. It's an ongoing process. The Gravity SMTP vulnerability is being actively exploited, but you can protect yourself by acting fast. Update your plugin, check for signs of trouble, and keep your site locked down. If you need help, there are plenty of security plugins and services that can automate some of this work.
Stay safe out there, and keep your WordPress site secure.