Based on reporting by The Hacker News →
Introduction
A recently patched information disclosure vulnerability in the popular Gravity SMTP WordPress plugin is now being actively exploited in the wild, giving unauthenticated attackers a direct line to sensitive API keys and OAuth tokens. This event underscores a persistent problem in the WordPress ecosystem: plugins that handle secrets often leak them by design.
The problem
According to a report from The Hacker News, threat actors are actively exploiting CVE-2026-4020, a medium-severity information disclosure flaw in the Gravity SMTP WordPress plugin. The plugin is installed on approximately 100,000 sites. The vulnerability, carrying a CVSS score of 5.3, allows any unauthenticated attacker to extract configuration data, including API keys, secrets, and OAuth tokens. The report credits The Hacker News with breaking the story (thehackernews.com).
Consequences
When an attacker obtains API keys for third-party email services (like SendGrid, Mailgun, or Amazon SES), they can abuse those accounts to send spam, launch phishing campaigns, or drain the site owner's prepaid credits. OAuth tokens are even more dangerous: they can grant persistent access to connected services, potentially allowing an attacker to read, modify, or exfiltrate data from the linked application. For SaaS platforms or e-commerce stores relying on transactional emails, a compromised SMTP relay can also break critical business workflows.