Hackers Target Gravity SMTP WordPress Plugin Bug

Hackers are actively exploiting an unauthenticated info disclosure bug in the Gravity SMTP WordPress plugin, affecting over 100,000 sites. Learn how to protect your site now.

A serious security flaw in the Gravity SMTP WordPress plugin is being actively exploited by hackers, putting over 100,000 websites at risk. This unauthenticated information disclosure vulnerability lets attackers access sensitive data without needing any login credentials. If you are using this plugin, it is time to pay attention.

### What Is Gravity SMTP and Why Does It Matter?

Gravity SMTP is a popular plugin designed to help WordPress sites send emails reliably. It handles everything from password resets to contact form submissions. When it works right, it is a lifesaver. But when a bug like this shows up, it becomes a liability. The current vulnerability allows anyone to view logs and configuration details that should be private. Think of it like leaving your mailroom door wide open.

### How Hackers Are Exploiting This Bug

Threat actors are scanning the web for sites running vulnerable versions of Gravity SMTP. They send a specially crafted request to a specific endpoint, and the server spills the beans. No authentication required. This means they can grab email server credentials, API keys, and other secrets stored in plain text. Once they have that info, they can send spam, intercept messages, or even pivot to other parts of your site.

- Attackers need zero login info to exploit this.
- They target sites with outdated versions of the plugin.
- The exposed data can lead to full site compromise.

### Steps to Protect Your Site Right Now

First, update Gravity SMTP to the latest version immediately. The developers have already released a patch that fixes this vulnerability. If you are not sure which version you are running, check your plugins page.

Second, rotate any credentials that might have been exposed, including SMTP passwords and API keys.

Third, review your server logs for unusual activity. Look for requests to the plugin's debug endpoint from unknown IP addresses.

> "The best defense is a quick update. Delaying gives hackers a window of opportunity."
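As an added example (not code from this article or from the Gravity SMTP developers), here is the log-review step above as a small Python script. It parses standard combined-format access logs as written by Apache and nginx, flags requests to the plugin's debug endpoint from IPs outside an allowlist, and counts how many of those requests actually returned a 2xx response, since those are the ones that could have leaked credentials. The endpoint path, the allowlisted IP and the log lines are constructed placeholders; the article does not name the endpoint, so substitute the real path from the vendor advisory.

```python
import re
from collections import Counter

# PLACEHOLDER: the article does not name the vulnerable endpoint. Substitute the
# real path from the vendor advisory; the value below is a made-up example path.
DEBUG_ENDPOINT = "/wp-content/plugins/example-plugin/debug-endpoint"

# Hosts expected to reach the endpoint (e.g. your own admin workstation).
# Constructed value for this example.
KNOWN_IPS = {"203.0.113.10"}

# Combined log format, the default for Apache and nginx:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one allowlisted read, two paginated reads from an unknown
# host using a scripting client, an unrelated login hit, a blocked probe from a
# second unknown host, and one malformed line that must be skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2025:09:12:01 +0000] "GET /wp-content/plugins/example-plugin/debug-endpoint HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:09:15:44 +0000] "GET /wp-content/plugins/example-plugin/debug-endpoint?page=1 HTTP/1.1" 200 8833 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2025:09:15:45 +0000] "GET /wp-content/plugins/example-plugin/debug-endpoint?page=2 HTTP/1.1" 200 8790 "-" "python-requests/2.31"
192.0.2.33 - - [10/Jan/2025:09:20:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2025:09:31:18 +0000] "GET /wp-content/plugins/example-plugin/debug-endpoint HTTP/1.1" 403 199 "-" "curl/8.4.0"
this is not a log line
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def hits_endpoint(path, endpoint):
    """True if the request path is the endpoint itself or a path beneath it."""
    return path == endpoint or path.startswith(endpoint.rstrip("/") + "/")


def find_suspicious(lines, endpoint=DEBUG_ENDPOINT, known_ips=KNOWN_IPS):
    """Requests to the debug endpoint from hosts that are not on the allowlist."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if hits_endpoint(rec["path"], endpoint) and rec["ip"] not in known_ips:
            out.append(rec)
    return out


def successful_reads_by_ip(hits):
    """Count 2xx responses per unknown host. Those are the requests that actually
    returned log or configuration data and should drive credential rotation."""
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]}  {h["ip"]:<15} {h["status"]}  {h["ua"]}')
    print("successful reads by unknown host:", dict(successful_reads_by_ip(hits)))
```

On real logs, replace `SAMPLE_LOG.splitlines()` with the lines of your access log file and put your own administrative addresses in `KNOWN_IPS`. A blocked (403) probe still tells you the endpoint was being targeted, which is why the script lists it; only the 2xx hits mean data actually left the server.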
### Why This Vulnerability Is Especially Dangerous

What makes this bug stand out is how easy it is to exploit. There is no need for brute force or social engineering. A single HTTP request can reveal everything. For small business owners who rely on their WordPress site for sales and communication, this is a nightmare scenario. A compromised email setup can damage customer trust and lead to data breaches.

### Long-Term Security Habits to Adopt

This incident is a reminder to stay proactive about security. Keep all plugins and themes updated. Remove any plugins you no longer use. Use strong, unique passwords for your email services. Consider adding a security plugin that monitors for vulnerabilities. And always back up your site regularly. A good backup can save you if something goes wrong.

- Update plugins weekly.
- Delete unused plugins.
- Use a web application firewall.
- Monitor for unusual traffic.

### Final Thoughts

The Gravity SMTP bug is a serious threat, but it is also a solvable one. By updating now and following best practices, you can close the door on attackers. Do not wait until your site is compromised. Take action today to keep your WordPress site safe and your data secure.