Hackers are widely exploiting a Gravity SMTP vulnerability to extract API keys from 100,000 WordPress websites.
TL;DR: Wordfence has blocked over 17 million attempts to exploit a vulnerability in the Gravity SMTP plugin, which leaks API keys and system data from WordPress sites without requiring authentication. Attackers are taking advantage of this flaw, which affects all versions up to 2.1.4, by sending unauthenticated HTTP requests. The issue, identified as CVE-2026-4020 and rated 5.3 on the CVSS scale, involves a REST API endpoint that does not check for authentication, allowing attackers to retrieve sensitive information such as API keys and system configuration data. This data includes details that could be used for phishing attacks or to compromise the site further.
The full system report exposed by this vulnerability includes the WordPress version, PHP version, active plugins, and database details. Wordfence reported a dramatic increase in exploit attempts around June 6, 2026. CrowdSec confirmed the same exploitation timeline and noted that the flaw has been folded into automated scanning routines. The vulnerability stems from a coding error: the endpoint's permission callback function returns true for every request, so no authentication check is ever performed.
While updating to version 2.1.5 fixes the vulnerability by closing the endpoint, it does not invalidate any API keys that may have been exposed before the update. Consequently, site owners are advised to treat their systems as compromised, update the plugin, and rotate their API keys. Many sites remain vulnerable because patches have not yet been applied. Wordfence has also issued an advisory for another vulnerability, in the Avada Builder plugin, that allows file deletion via a path traversal bug, though no exploitation of that flaw has been reported yet. Wordfence did not attribute the exploitation of Gravity SMTP to any specific group, describing it instead as opportunistic credential harvesting.
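The coding error described above, a REST route whose permission callback returns true for every request, is shown below next to the hardened form. This is an added example, not Gravity SMTP's code; the `example-smtp/v1` namespace, the route names, the handler and the option name are hypothetical.

```php
<?php
// Added example (not the plugin's own code). Hypothetical REST routes
// illustrating the bug class in the advisory: a permission_callback
// that grants access to every request, including anonymous ones.

// Vulnerable pattern: any unauthenticated visitor can read the report.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/system-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        // BUG: __return_true answers "allowed" for everyone.
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened pattern: require an authenticated administrator.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-smtp/v1', '/system-report-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_system_report',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Core already clears the user for cookie sessions that lack a
            // valid REST nonce, so is_user_logged_in() is false for them.
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
            }
            return true;
        },
    ) );
} );

// Report handler used by both routes (hypothetical option name).
function example_smtp_system_report( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'wp_version'  => get_bloginfo( 'version' ),
        'php_version' => PHP_VERSION,
        // Do not return provider API keys or tokens in a support report;
        // a boolean "is a key configured" is enough for troubleshooting.
        'api_key_set' => '' !== (string) get_option( 'example_smtp_api_key', '' ),
    ) );
}
```

Even with the hardened callback, keys that were already leaked stay valid until rotated, which is why the advisory pairs the update with key rotation.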
