# Security Brief: Gravity SMTP WordPress Plugin Bug Exposes API Keys

Canonical: https://vulnify.app/blog/security-brief-gravity-smtp-wordpress-plugin-api-key-exposure

Attackers are exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin to expose configuration data, API keys, secrets, and OAuth tokens from vulnerable sites.

What happened Threat actors are exploiting a recently patched information disclosure vulnerability in the Gravity SMTP WordPress plugin. The issue is tracked as CVE-2026-4020 and affects a plugin reported to be installed on roughly 100,000 WordPress sites. The flaw allows unauthenticated visitors to access sensitive plugin and system data through a REST API endpoint. Reported exposed data includes configuration details, WordPress and server version information, active plugins and themes, database details, API keys, secrets, and OAuth tokens used by connected email services. The issue has been patched in Gravity SMTP version 2.1.5. Site owners using the plugin should update immediately and treat exposed third-party email credentials as potentially compromised. Why it matters for website owners Email integration secrets are high-value because they may allow attackers to send mail through trusted infrastructure. That can lead to phishing, spam abuse, account recovery attacks, and damage to domain reputation. The system report exposure also gives attackers a map of the WordPress stack, including plugin versions and server details. That information can make follow-up attacks easier, especially if other outdated components are present. What to check on your site First, confirm whether Gravity SMTP is installed and update it to version 2.1.5 or later. Then rotate any exposed mail provider credentials, including API keys or OAuth tokens for services such as Amazon SES, Google, Mailjet, Resend, or Zoho. Review web server logs for suspicious unauthenticated requests to Gravity SMTP REST API paths, especially requests using a settings-related query parameter. Also check whether your WordPress stack has other outdated plugins by using the Stack Checker . If any exposed value resembles a bearer token or encoded token used during testing, validate it safely with the Token Decoder . Do not paste live production secrets into third-party tools. Related reading For broader WordPress hardening steps, read the Security Hardening Checklist . It covers plugin hygiene, account protection, update discipline, and practical checks for reducing exposure on public WordPress sites. Sources This brief is based on reporting from Hacker News .
