# Security Brief: Gravity SMTP WordPress Plugin Flaw Exploited on Live Sites

Canonical: https://vulnify.app/blog/security-brief-gravity-smtp-wordpress-plugin-info-disclosure

Attackers are exploiting an unauthenticated information disclosure flaw in the Gravity SMTP WordPress plugin, exposing sensitive configuration data on vulnerable sites.

What happened Attackers are exploiting an unauthenticated information disclosure vulnerability in Gravity SMTP, a WordPress plugin reported to be active on around 100,000 sites. The issue is tracked as CVE-2026-4020 and allows unauthenticated access to sensitive plugin and site configuration data when vulnerable versions remain exposed. The reported exposure may include SMTP configuration details, API keys, secrets, OAuth tokens, plugin settings, and other information that can help attackers understand how a WordPress site sends email. A second related identifier, CVE-2026-8713, has also been associated with the Gravity SMTP security activity, so site owners should review vendor advisories and update guidance carefully rather than treating this as a single-field configuration issue. Gravity SMTP is used to connect WordPress sites to external email providers. That makes this class of bug especially sensitive because the exposed data may relate to trusted outbound mail infrastructure, not just WordPress itself. Why it matters for website owners SMTP and mail provider secrets are valuable because they can be abused to send phishing messages, spam, password reset emails, or customer-facing messages from infrastructure that appears legitimate. Even if attackers cannot directly take over the WordPress admin panel, exposed mail credentials can create a separate operational problem for the business. Information disclosure also helps attackers plan follow-up activity. Plugin data, configuration details, and connected services can reveal which providers a site depends on and where additional weaknesses may exist. For agencies and teams managing many WordPress installations, one overlooked plugin update can become a repeat issue across multiple client sites. What to check on your site First, confirm whether Gravity SMTP is installed and whether the installed version is affected. Update to the latest patched release from the plugin vendor, then verify that no older copy remains active on staging, development, or cloned WordPress environments. Next, rotate any SMTP, API, or OAuth credentials that may have been exposed. This should include connected mail providers and any service tokens stored in the plugin configuration. After rotating secrets, review outbound mail logs for unusual volume, unfamiliar sender patterns, or unexpected authentication activity. Check whether your WordPress environment is exposing other plugin or version details by using the Stack Checker . If you manage multiple sites, repeat this check across production and staging domains, not only the main public website. Site owners should also review general WordPress update hygiene, inactive plugins, admin access, backups, and logging. A vulnerable mail plugin is often only one part of a larger maintenance gap. Related reading For a broader hardening workflow, read the Security Hardening Checklist . It covers practical steps for reducing WordPress exposure, including plugin review, access control, backups, and routine security checks. Sources This brief is based on reporting from .
