A critical flaw in the Gravity SMTP WordPress plugin is being actively exploited by hackers to steal API keys and OAuth tokens. Update immediately to protect your site.
If you're running a WordPress site with the Gravity SMTP plugin, you might want to sit down for this one. A serious security flaw has been discovered in this popular plugin, which is installed on roughly 100,000 websites. And the bad news? Hackers are already exploiting it.
The vulnerability, officially tracked as CVE-2026-4020, carries a CVSS score of 5.3, which puts it in the medium-severity range. But don't let that rating fool you: it's a nasty information disclosure bug that lets unauthenticated attackers grab sensitive data right out of your site's configuration. We're talking API keys, secrets, OAuth tokens, and other credentials that could give someone the keys to your digital kingdom.
### What Exactly Is Gravity SMTP?
Gravity SMTP is a WordPress plugin designed to handle email delivery. It's the kind of tool that quietly does its job in the background, making sure your site's emails actually reach people's inboxes instead of getting lost in spam folders. It connects to email service providers using SMTP servers, and to do that, it needs to store sensitive configuration details, like API keys and authentication tokens.
That's where the problem starts. When a plugin stores this kind of data, any flaw that exposes it becomes a serious risk. And in this case, the flaw allows attackers to bypass authentication entirely. They don't need a username or password. They just need to know how to send a specially crafted request to your site.
### How the Exploit Works
The exploit targets how Gravity SMTP handles certain API requests. Because the plugin fails to properly validate access before returning configuration data, an attacker can send a request that tricks the plugin into spilling its secrets. No login required.
- The attacker sends a crafted HTTP request to a vulnerable endpoint.
- The plugin responds with stored configuration data, including API keys and OAuth tokens.
- The attacker then uses those credentials to access third-party services, send spam, or pivot to other attacks.
This isn't a theoretical risk. Security researchers have already observed active exploitation in the wild. That means real sites are being targeted right now.
### Why This Matters for Your Business
If you're using Gravity SMTP, your email service provider credentials are at risk. An attacker who gets those keys could:
- Send thousands of spam emails from your account.
- Access sensitive email data if your provider stores it.
- Use the credentials to breach other services that rely on the same API keys.
The impact goes beyond just your WordPress site. Many businesses reuse API keys across multiple platforms, so a single leak can have a domino effect.
### What You Need to Do Right Now
First, check what version of Gravity SMTP you're running. If it's older than the patched release, update immediately. The plugin developers have already released a fix, so there's no excuse to leave this gap open.
Here's a quick checklist:
- Update Gravity SMTP to the latest version.
- Rotate any API keys or OAuth tokens that were stored in the plugin.
- Review your email service provider logs for suspicious activity.
- Consider using a web application firewall (WAF) to block exploit attempts.
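The version check from the first step, as an added shell example that is not from the article or the plugin vendor. The plugin slug and the patched version number are placeholders (the article states neither; take them from the vendor changelog), it assumes WP-CLI is installed on the host, and the numeric component-by-component compare is there because a plain string compare would wrongly rank 1.10.0 below 1.9.0.

```shell
#!/bin/sh
# Added example: is the installed Gravity SMTP older than the patched release?
# PATCHED_VERSION is a PLACEHOLDER; the article does not give the fixed version.
PATCHED_VERSION="${PATCHED_VERSION:-0.0.0}"
# PLUGIN_SLUG is an ASSUMPTION about the plugin's directory name under wp-content/plugins.
PLUGIN_SLUG="${PLUGIN_SLUG:-gravitysmtp}"

# version_lt A B: succeed (0) when dotted numeric version A is strictly lower than B.
# Each component is compared as an integer, so 1.9.0 < 1.10.0 and 1.0 == 1.0.0.
# Only plain numeric components are handled (no "-beta" suffixes).
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax="${a%%.*}"; bx="${b%%.*}"          # leading component of each side
    [ "$a" = "$ax" ] && a="" || a="${a#*.}" # drop it from the remainder
    [ "$b" = "$bx" ] && b="" || b="${b#*.}"
    ax="${ax:-0}"; bx="${bx:-0}"            # missing trailing component counts as 0
    if [ "$ax" -lt "$bx" ]; then return 0; fi
    if [ "$ax" -gt "$bx" ]; then return 1; fi
  done
  return 1                                  # equal versions are not "lower"
}

# installed_version: the version WP-CLI reports for the plugin; empty if absent.
installed_version() {
  wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null
}

# check_gravity_smtp: print a verdict; exit status 2 means the site still needs the update.
check_gravity_smtp() {
  v="$(installed_version)"
  if [ -z "$v" ]; then
    echo "Gravity SMTP not installed (or WP-CLI unavailable)"
    return 0
  fi
  if version_lt "$v" "$PATCHED_VERSION"; then
    echo "VULNERABLE: Gravity SMTP $v is older than $PATCHED_VERSION; update, then rotate stored API keys and OAuth tokens"
    return 2
  fi
  echo "OK: Gravity SMTP $v is at or above $PATCHED_VERSION (still rotate keys if the old version was exposed)"
  return 0
}

if [ "${1:-}" = "--check" ]; then
  check_gravity_smtp
fi
```

Run it on the site host as `PATCHED_VERSION=<fixed version> sh check.sh --check` from the WordPress root; a non-zero exit is the cue to update and rotate credentials.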
### The Bigger Picture
This isn't just about one plugin. It's a reminder that every piece of software you install on your site is a potential attack surface. Plugins that handle authentication data are especially risky because they become high-value targets. The best defense is a proactive one: keep everything updated, limit what each plugin can access, and monitor for unusual behavior.
If you're serious about protecting your digital assets, this is a wake-up call. Don't wait for a breach to take security seriously. Update now, rotate your keys, and stay vigilant.