SyncWave Blog
Cybersecurity 2 min read 97

New vulnerability in Gravity SMTP puts WordPress API keys at risk

Nearly 100,000 WordPress sites are exposed following the discovery of a critical flaw that allows the leakage of sensitive credentials.

cyber security firewall

The vulnerability threatening WordPress security

The WordPress plugin ecosystem is once again in the spotlight following the discovery of a medium-severity vulnerability in the popular Gravity SMTP plugin. With approximately 100,000 active installations, this incident underscores once again the importance of maintaining rigorous digital hygiene on websites, as a simple configuration error can open the door to malicious attackers.

The flaw, identified under the code CVE-2026-4020 with a CVSS score of 5.3, allows unauthenticated users to extract critical system information. Among the exposed data are internal settings, API keys, secrets, and OAuth tokens—elements that often serve as the master key for escalating privileges or moving laterally within a corporate network.

Risks of a data breach

Why is this hack dangerous?

Although a score of 5.3 is not classified as critical in terms of remote code execution, the danger lies in the sensitivity of the leaked information. If an attacker manages to obtain credentials for email services or external integrations, they could use this data to:

  • Launch highly convincing phishing campaigns using legitimate domains.
  • Intercept private communications sent via the SMTP server.
  • Facilitate access to other connected services, which could eventually lead to a ransomware attack if the attackers manage to compromise the entire infrastructure.

"The security of a website is only as strong as its weakest component; a single data leak can compromise an entire company's security architecture," warn cybersecurity experts.

Recommendations for administrators

As we have seen recently with the Beats Studio Buds vulnerability: Bluetooth security risks, the human factor and constant software updates are the best defenses. To mitigate the effects of this hack, it is imperative that system administrators do the following:

  1. Update immediately: Ensure you have the latest available version of the Gravity SMTP plugin, where the patch has already been implemented.
  2. Rotate credentials: If your site has been exposed, it is strongly recommended to regenerate all API keys and tokens that were managed by the plugin.
  3. Audit logs: Review access logs for suspicious requests that may have attempted to exploit this flaw prior to the update.

Computer security is not a static state, but a continuous process of vigilance. Staying informed about these attack vectors is the best tool to avoid compromising the integrity of your digital assets.


Sources: The Hacker News (2026)

Share:

Comments

Loading comments...

Contact

Want to get in touch?

Questions, suggestions or proposals — write to us and we will respond.