Gravity SMTP Plugin Bug Under Active Attack


The Gravity SMTP WordPress plugin, active on over 100,000 sites, is under active attack due to an unauthenticated information disclosure vulnerability. Hackers can exploit this bug to leak SMTP credentials and other sensitive data without needing a password. Update immediately.

If you run a WordPress site, you probably rely on plugins to handle everything from backups to email delivery. Right now, one of those email plugins is under active attack, and it’s a big deal. The Gravity SMTP plugin, installed on over 100,000 sites, has a serious flaw that hackers are exploiting in the wild.

### The Vulnerability: What’s Going On?

This isn’t just a minor glitch. We’re talking about an unauthenticated information disclosure vulnerability. In plain English, that means anyone on the internet can poke at your site and pull out sensitive data without even logging in. No password needed. No admin access required. Just a few well-crafted requests, and boom—your site’s secrets are out.

The bug lives inside the Gravity SMTP plugin, which is designed to help your WordPress site send emails reliably through SMTP servers. It’s a popular choice because it simplifies a notoriously tricky part of running a site. But popularity also makes it a prime target. When a plugin has 100,000 active installations, attackers pay attention.

### What Data Is Leaking?

Here’s where it gets scary. The information that can be exposed includes things like SMTP credentials—usernames, passwords, and server details. Think about that for a second. Those credentials could give an attacker access to your email server, letting them send spam, intercept messages, or pivot to other parts of your infrastructure.

But it doesn’t stop there. Depending on how your site is configured, the bug could also reveal internal paths, database details, or other configuration data. It’s like leaving your house keys under the mat and then posting the address online.

### How the Attack Works

Threat actors are exploiting this flaw in a straightforward way. They don’t need to trick you into clicking a link or downloading a file. Instead, they send a specially crafted HTTP request to your site’s vulnerable endpoint. The plugin then responds with the sensitive data, all neatly packaged. No authentication checks, no validation, just a direct leak.

This kind of attack is particularly dangerous because it’s silent. You won’t see a login attempt or a suspicious file on your server. The leak happens through normal web traffic, which blends in with legitimate requests.

### What You Should Do Right Now

If you’re using Gravity SMTP, don’t panic, but do act fast. Here’s a checklist to follow:

- Update the plugin immediately. The developers have likely released a patch. Check your WordPress dashboard for updates.
- If no patch is available yet, disable the plugin until one is released. It’s better to lose email functionality temporarily than to have your site compromised.
- Rotate any SMTP credentials you’ve stored in the plugin. Change passwords for your email server and any related accounts.
- Monitor your site logs for unusual activity. Look for requests to the plugin’s endpoint that don’t come from your own IP.
- Consider using a security plugin that adds a web application firewall (WAF) to block exploit attempts.

### Why This Matters for Your Business

Hackers aren’t just targeting big corporations anymore. Small and medium-sized businesses are frequent targets because they often have weaker defenses. A compromised email server can lead to lost customer trust, data breaches, and even legal trouble if sensitive information like client emails or payment details gets out.

Think about how much you rely on email. It’s the backbone of communication for most businesses. Losing control of it can grind operations to a halt.

### The Bigger Picture

This attack is a reminder that no plugin is immune to vulnerabilities. Even well-maintained, popular plugins can have bugs. The key is staying vigilant. Regular updates, backups, and security audits aren’t optional anymore—they’re essential.

Also, consider limiting the number of plugins you use. Each one is a potential entry point for attackers. Stick with reputable developers who have a track record of quick patches and transparent communication.

### Final Thoughts

The Gravity SMTP bug is being actively exploited right now. Don’t wait until you see signs of a breach. Update your plugin, change your credentials, and keep an eye on your site. A few minutes of proactive work can save you weeks of cleanup later.

Stay safe out there.
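The log-monitoring step from the checklist above, as an added example that is not from the article or from the plugin's developers: it scans combined-format web-server log lines (constructed samples) for requests that touch the plugin from addresses other than your own, and reports how many of those got a 2xx response, since those are the requests that actually returned data. The slug `gravity-smtp`, the own-IP allow-list and the log lines are assumptions; the article does not name the vulnerable endpoint, so adjust `PLUGIN_MARKER` to your install.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format.
# The plugin path is a placeholder slug, not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-content/plugins/gravity-smtp/readme.txt HTTP/1.1" 200 1834 "-" "python-requests/2.31"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-json/gravity-smtp/v1/settings HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2025:12:01:00 +0000] "GET /wp-json/gravity-smtp/v1/settings HTTP/1.1" 200 2210 "https://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:02:00 +0000] "POST /wp-json/gravity-smtp/v1/settings HTTP/1.1" 401 120 "-" "python-requests/2.31"
"""

# Assumption: the addresses you administer the site from (office/VPN egress).
OWN_IPS = {"192.0.2.5"}
# Assumption: a substring that identifies the plugin in request paths.
PLUGIN_MARKER = "gravity-smtp"

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_plugin_requests(log_text, marker=PLUGIN_MARKER, own_ips=OWN_IPS):
    """Group plugin-related requests from non-allow-listed IPs by source address."""
    hits = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or marker not in rec["path"] or rec["ip"] in own_ips:
            continue
        hits.setdefault(rec["ip"], []).append((rec["method"], rec["path"], int(rec["status"])))
    return hits


def summarize(hits):
    """Rank source IPs by successful (2xx) plugin hits, then by total hits."""
    rows = []
    for ip, reqs in hits.items():
        ok = sum(1 for _, _, status in reqs if 200 <= status < 300)
        rows.append({"ip": ip, "total": len(reqs), "successful": ok})
    return sorted(rows, key=lambda r: (r["successful"], r["total"]), reverse=True)


if __name__ == "__main__":
    for row in summarize(suspicious_plugin_requests(SAMPLE_LOG)):
        print(f'{row["ip"]}: {row["total"]} plugin requests, {row["successful"]} returned 2xx')
```

A single 2xx from an unknown address against the plugin's endpoint is reason enough to rotate the stored SMTP credentials, not just to keep watching.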