Gravity SMTP Plugin CVE-2026-4020: Medium‑Severity Info Disclosure Flaw Exploited on 100,000 WordPress Sites
Patch Gravity SMTP to the latest version to fix CVE-2026-4020.
Summary
Threat actors are exploiting a recently patched security flaw in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020. The vulnerability, rated CVSS 5.3 (medium severity), is an information disclosure flaw that allows unauthenticated attackers to extract sensitive data, including the plugin's configuration data, API keys, secrets, and OAuth tokens. Gravity SMTP is installed on approximately 100,000 WordPress sites worldwide. The flaw was discovered and patched by the plugin developers, but many sites remain unpatched, leaving their administrators at risk: attackers could leverage the exposed credentials to compromise the services the plugin connects to. The patch addresses the flaw by tightening input validation and restricting what data the plugin exposes.
Site owners using Gravity SMTP must update to the latest version to mitigate the risk; failure to patch could lead to credential theft and unauthorized access to third‑party services. WordPress administrators should verify that Gravity SMTP is running the patched release and apply the update immediately. The incident is a reminder that keeping plugins up to date matters, and that even medium‑severity flaws can have significant impact when the data they expose is reusable elsewhere.
Key changes
- CVE-2026-4020 is a medium‑severity (CVSS 5.3) information disclosure flaw in Gravity SMTP
- Affects ~100,000 WordPress sites
- Allows unauthenticated attackers to extract configuration data, API keys, secrets, and OAuth tokens
- Plugin has been patched recently by its developers; exploitation is ongoing against unpatched sites
- Failure to patch could lead to credential theft and compromise of connected services