Hackers Actively Exploiting Gravity SMTP WordPress Plugin Vulnerability (CVE-2026-4020) to Expose API Keys
Threat actors are actively exploiting a recently patched medium-severity information disclosure flaw (CVE-2026-4020, CVSS score: 5.3) in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites. The vulnerability allows unauthenticated attackers to extract sensitive data, including configuration data, API keys, secrets, and OAuth tokens, due to an unconditionally accessible REST API endpoint. Users are advised to update to version 2.1.5 immediately and rotate credentials if third-party email integrations were configured.
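To show the bug class the article describes, an unauthenticated REST endpoint that hands back plugin settings including stored credentials, here is an added illustration in WordPress plugin PHP; it is constructed for this page with hypothetical route and option names (`example-smtp/v1`, `example_smtp_settings`) and is not Gravity SMTP's code. The vulnerable registration sits beside a hardened one that checks a capability and redacts secrets.

```php
<?php
// Added illustration of an unconditionally accessible WordPress REST route.
// All names are hypothetical; this is NOT the Gravity SMTP plugin's code.

// Vulnerable pattern: permission_callback always returns true, so any
// unauthenticated visitor can read the stored settings, secrets included.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_settings',
        'permission_callback' => '__return_true', // the defect: no auth check
    ) );
} );

function example_smtp_get_settings() {
    // Returns the whole option blob, API keys and OAuth tokens included.
    return rest_ensure_response( get_option( 'example_smtp_settings', array() ) );
}

// Hardened pattern: require an administrator capability, and even then never
// send credential material back to the client.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/settings-safe', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_settings_safe',
        'permission_callback' => function () {
            // Unauthenticated callers fail here and receive a 401/403 response.
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_smtp_get_settings_safe() {
    $settings = get_option( 'example_smtp_settings', array() );
    // Redact fields that hold credentials before anything leaves the server.
    foreach ( array( 'api_key', 'client_secret', 'oauth_token' ) as $key ) {
        if ( isset( $settings[ $key ] ) ) {
            $settings[ $key ] = '********';
        }
    }
    return rest_ensure_response( $settings );
}
```

Registering every route with a real `permission_callback` and keeping secrets out of read endpoints is the fix class the patched version represents; after updating, rotating any keys that were reachable is still required because the flaw was exploited before the patch.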