New vulnerability in Gravity SMTP puts WordPress API keys at risk
Nearly 100,000 WordPress sites are exposed following the discovery of a critical flaw that allows the leakage of sensitive credentials.

The vulnerability threatening WordPress security
The WordPress plugin ecosystem is once again in the spotlight following the discovery of a medium-severity vulnerability in the popular Gravity SMTP plugin. With approximately 100,000 active installations, this incident underscores once again the importance of maintaining rigorous digital hygiene on websites, as a simple configuration error can open the door to malicious attackers.
The flaw, identified under the code CVE-2026-4020 with a CVSS score of 5.3, allows unauthenticated users to extract critical system information. Among the exposed data are internal settings, API keys, secrets, and OAuth tokens—elements that often serve as the master key for escalating privileges or moving laterally within a corporate network.
Risks of a data breach
Why is this hack dangerous?
Although a score of 5.3 is not classified as critical in terms of remote code execution, the danger lies in the sensitivity of the leaked information. If an attacker manages to obtain credentials for email services or external integrations, they could use this data to:
- Launch highly convincing phishing campaigns using legitimate domains.
- Intercept private communications sent via the SMTP server.
- Facilitate access to other connected services, which could eventually lead to a ransomware attack if the attackers manage to compromise the entire infrastructure.
"The security of a website is only as strong as its weakest component; a single data leak can compromise an entire company's security architecture," warn cybersecurity experts.
Recommendations for administrators
As we have seen recently with the Beats Studio Buds vulnerability: Bluetooth security risks, the human factor and constant software updates are the best defenses. To mitigate the effects of this hack, it is imperative that system administrators do the following:
- Update immediately: Ensure you have the latest available version of the Gravity SMTP plugin, where the patch has already been implemented.
- Rotate credentials: If your site has been exposed, it is strongly recommended to regenerate all API keys and tokens that were managed by the plugin.
- Audit logs: Review access logs for suspicious requests that may have attempted to exploit this flaw prior to the update.
Computer security is not a static state, but a continuous process of vigilance. Staying informed about these attack vectors is the best tool to avoid compromising the integrity of your digital assets.
Sources: The Hacker News (2026)
Related articles
11 de julio de 2026
Condemna històrica: membre de la banda Ryuk ransomware admet la seva culpabilitat
Un ciutadà armeni es declara culpable als EUA pel desplegament de ransomware Ryuk, afrontant una possible sentència de 15 anys de presó.
11 de julio de 2026
Historic Conviction: Ryuk Ransomware Gang Member Admits Guilt
An Armenian national pleads guilty in the U.S. for deploying Ryuk ransomware and faces a potential 15-year prison sentence.
11 de julio de 2026
Condena histórica: miembro de la banda Ryuk ransomware admite su culpa
Un ciudadano armenio se declara culpable en EE. UU. por el despliegue de ransomware Ryuk, enfrentando una posible sentencia de 15 años de prisión.
10 de julio de 2026
Hackers exploten Microsoft Entra: Nova vulnerabilitat en passkeys
Un grup d'actors maliciosos utilitza enginyeria social per comprometre comptes de Microsoft 365 mitjançant falsos registres de passkeys a Entra.
Loading comments...