Security researchers have identified active exploitation of a recently discovered vulnerability in the Gravity SMTP WordPress plugin, putting approximately 100,000 websites at potential risk of data compromise. This developing situation underscores the ongoing challenge of securing WordPress environments against rapidly emerging threats.
The vulnerability, designated CVE-2026-4020 and rated medium severity with a CVSS score of 5.3, exists in the Gravity SMTP plugin, a widely used extension that handles email for WordPress sites. The flaw allows unauthenticated threat actors to extract sensitive information from vulnerable installations, including configuration data, API keys, secrets, and OAuth tokens, which could be leveraged for further attacks against the affected websites or the services they integrate with.
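Because the flaw reportedly exposes API keys, secrets and OAuth tokens, an administrator wants two things: confirmation that the installed Gravity SMTP build is at or above the fixed release, and a reminder that patching alone does not revoke credentials that may already have been read. The shell script below is an added example, not code from the article or from the plugin vendor; it uses WP-CLI's `wp plugin get` and `wp plugin update`. The plugin slug (`gravitysmtp`) is an assumption and the patched version is a placeholder, since the article gives neither; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or the plugin vendor): report whether the local
# WordPress install still runs a Gravity SMTP build older than the fixed release, and
# list the secret types the article says an attacker could have read, so they get rotated.
# ASSUMPTIONS: the plugin slug and the fixed version are placeholders; set both from the
# vendor's advisory before use. Requires WP-CLI ("wp") run from the site's directory.

PLUGIN_SLUG="${PLUGIN_SLUG:-gravitysmtp}"      # assumed slug, verify against the plugin directory
PATCHED_VERSION="${PATCHED_VERSION:-0.0.0}"   # PLACEHOLDER: the version that fixes CVE-2026-4020

# version_lt A B: succeed when dotted-numeric version A is older than B (e.g. 1.9 < 1.10, 1.2 < 1.2.1).
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n1)
  [ "$lowest" = "$1" ]
}

# assess INSTALLED PATCHED: print a verdict; return 0 when the install is still exposed.
assess() {
  if version_lt "$1" "$2"; then
    echo "EXPOSED: $PLUGIN_SLUG $1 is older than fixed release $2"
    return 0
  fi
  echo "PATCHED: $PLUGIN_SLUG $1 is at or above fixed release $2"
  return 1
}

# rotation_checklist: the credential classes the article names as readable before the patch.
# Updating stops new reads; it does not invalidate what may already have been copied.
rotation_checklist() {
  printf '%s\n' "SMTP/provider API keys" \
                "OAuth client secrets and refresh tokens" \
                "Any other secret stored in the plugin's settings"
}

# check_site: ask WP-CLI for the installed version, update if still exposed, then print the checklist.
check_site() {
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version) || { echo "plugin $PLUGIN_SLUG not found"; return 2; }
  if assess "$installed" "$PATCHED_VERSION"; then
    wp plugin update "$PLUGIN_SLUG"
    echo "After updating, rotate these credentials:"
    rotation_checklist
  fi
}

# Only touch a real site when explicitly asked, so the functions can be sourced safely.
if [ "${1:-}" = "--check-site" ]; then
  check_site
fi
```

Run it as `PATCHED_VERSION=<fixed version> sh check-gravity-smtp.sh --check-site` from the WordPress root. The version comparison is deliberately field-wise numeric rather than a string compare, so a build such as 1.10 is correctly treated as newer than 1.9.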
What makes this vulnerability particularly concerning is that attackers can exploit it without requiring any authentication credentials. The plugin's developer has released a patch addressing the security weakness, but the active exploitation indicates that not all website administrators have applied the necessary updates in a timely manner. Any WordPress site running an outdated version of