100,000 WordPress Sites Quietly Exposing API Keys Through Gravity SMTP Plugin Bug Right Now


Hackers are actively exploiting a security flaw in Gravity SMTP, a WordPress plugin installed on approximately 100,000 websites, to extract API keys, secrets, and OAuth tokens without needing to log in.

The vulnerability—tracked as CVE-2026-4020 with a CVSS severity score of 5.3—is classified as a medium-severity information disclosure flaw. What makes it particularly dangerous is that it requires no authentication. Any attacker can access sensitive configuration data and authentication credentials simply by knowing a vulnerable site exists.

Key Findings:
  • No Login Required: CVE-2026-4020 allows any attacker to extract API keys and OAuth tokens from vulnerable sites without any authentication credentials.
  • Scale of Exposure: Approximately 100,000 WordPress sites running Gravity SMTP are potentially affected, creating an enormous attack surface that criminals are actively scanning.
  • Cascading Compromise: A single successful exploit can yield credentials for Google Workspace, Microsoft 365, payment processors, and CRM systems—turning one plugin flaw into a multi-service breach.

Gravity SMTP is a legitimate plugin designed to handle email delivery for WordPress sites, making it a natural target for attackers seeking to compromise website infrastructure. The plugin’s widespread adoption across 100,000 sites means the attack surface is enormous. Once an attacker obtains API keys or OAuth tokens from a compromised WordPress installation, they can potentially access connected services, send emails impersonating the site owner, or pivot to other systems that share the same credentials.

The flaw has been patched, according to the security disclosure, but the gap between public awareness of the vulnerability and widespread patching across all 100,000 installations is itself an active exploitation window. Site owners who have not yet updated their Gravity SMTP plugin remain exposed to real-time credential theft. The Capital One breach demonstrated how a single misconfiguration in a widely trusted system can cascade into unauthorized access across connected infrastructure; the same structural risk applies here.

What Can Attackers Actually Extract From a Vulnerable Site?

What attackers can extract from a vulnerable Gravity SMTP installation extends beyond simple email credentials. OAuth tokens—which grant access to third-party services like Google Workspace, Microsoft 365, or other cloud platforms—can be harvested and reused. API keys for payment processors, CRM systems, or analytics platforms may also be exposed, depending on how the site owner has configured the plugin. This cascading credential exposure transforms a single WordPress vulnerability into a multi-service compromise.

By the Numbers:
• 100,000 WordPress sites running Gravity SMTP are potentially exposed to unauthenticated credential extraction
• Over 58,000 plugins exist in the official WordPress repository, each representing a potential unpatched attack surface
• CVSS score of 5.3 classifies CVE-2026-4020 as medium severity, yet the absence of any authentication requirement elevates real-world risk significantly

The pattern here mirrors a structural vulnerability that defined the Cambridge Analytica scandal: the harvesting of authentication credentials at scale to gain access to downstream systems and user data. In that case, Facebook API tokens obtained through a personality quiz allowed unauthorized access to millions of user profiles. Here, the mechanism is different—a plugin flaw instead of social engineering—but the outcome is identical: attackers gain legitimate-looking credentials that let them move through connected systems undetected. The scale is smaller but the principle is the same: one compromised authentication layer becomes a master key to everything downstream. The broader trajectory of how that model of credential-based access evolved into today’s influence operations is documented in the history from Cambridge Analytica to TikTok.

Why WordPress Plugin Vulnerabilities Are Structurally Difficult to Contain

WordPress site owners relying on Gravity SMTP should treat this as a priority update. The plugin ecosystem’s strength—its modularity and ease of installation—is also its weakness. A single unpatched plugin on a site can expose not just that site’s data, but credentials that unlock access to email accounts, customer databases, payment systems, and cloud storage tied to the business running that site.

What Research Shows:
• Research published in Applied Sciences on proactive vulnerability detection in CMS plugins using static taint analysis found that automated scanning methods can identify injection and disclosure flaws before exploitation, yet most WordPress site owners rely entirely on manual update processes.
• Analysis published in IEEE Access on blending static and dynamic analysis for web application security demonstrates that information disclosure vulnerabilities in plugins frequently go undetected until active exploitation is already underway.
• A methodology study from IEEE Xplore cataloguing WordPress plugins with first-order vulnerabilities confirms that the plugin ecosystem consistently produces exploitable flaws at a rate that outpaces the patching behavior of average site administrators.

What Should Site Owners Do If They Were Running the Vulnerable Version?

For site administrators, the immediate action is clear: update Gravity SMTP to the patched version as soon as possible. For those uncertain whether they’re running the plugin, checking the installed plugins list in the WordPress admin dashboard takes seconds. The harder question is what to do if a site was running the vulnerable version during the window when attackers were actively exploiting it. In that case, API keys and OAuth tokens should be considered compromised. Site owners should rotate any credentials that were stored in Gravity SMTP configuration, revoke OAuth tokens for connected services, and monitor those services for unauthorized access or activity.
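The "check whether you run it, then update" step above can be scripted against WP-CLI's plugin inventory. The script below is an added example, not code from the article or from Gravity Forms; it assumes the plugin's WP-CLI slug is `gravitysmtp` and feeds a constructed inventory in the format `wp plugin list --fields=name,status,version,update --format=csv` prints. The article does not name the patched version, so the decision rests on WP-CLI's own `update` column rather than a hard-coded number.

```shell
#!/bin/sh
# Added example (not from the article or from Gravity Forms): triage a site's
# WP-CLI plugin inventory for Gravity SMTP. Assumptions: the plugin's WP-CLI
# slug is "gravitysmtp" and the inventory comes from
#   wp plugin list --fields=name,status,version,update --format=csv
# The article gives no patched version number, so none is hard-coded; the
# verdict relies on WP-CLI's "update" column ("available" or "none").

# Classify one inventory (CSV text in $1, optional slug in $2). Prints one of:
#   not-installed | inactive-update-available | update-available | up-to-date
gravity_smtp_status() {
    slug="${2:-gravitysmtp}"
    # First data row whose name column matches the slug; header row is skipped.
    line=$(printf '%s\n' "$1" | awk -F, -v s="$slug" 'NR>1 && $1==s {print; exit}')
    if [ -z "$line" ]; then
        echo "not-installed"
        return 0
    fi
    status=$(printf '%s\n' "$line" | cut -d, -f2)
    update=$(printf '%s\n' "$line" | cut -d, -f4)
    if [ "$update" = "available" ]; then
        # An inactive copy still ships the vulnerable code, so it is flagged too.
        if [ "$status" = "active" ]; then
            echo "update-available"
        else
            echo "inactive-update-available"
        fi
    else
        echo "up-to-date"
    fi
}

# Constructed sample inventory in WP-CLI's CSV layout (not data from any real site).
SAMPLE_INVENTORY='name,status,version,update
akismet,active,5.3,none
gravitysmtp,active,1.2.0,available
gravityforms,active,2.8.1,none'

# Stand-alone run: report the verdict and the follow-up an administrator owes.
case "$(gravity_smtp_status "$SAMPLE_INVENTORY")" in
    update-available|inactive-update-available)
        echo "Gravity SMTP has a pending update: run 'wp plugin update gravitysmtp',"
        echo "then rotate every API key and OAuth token stored in its settings." ;;
    up-to-date)
        echo "Gravity SMTP reports no pending update." ;;
    not-installed)
        echo "Gravity SMTP is not installed on this site." ;;
esac
```

On a live site, replace the constructed inventory with the real command output, for example `gravity_smtp_status "$(wp plugin list --fields=name,status,version,update --format=csv)"`.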

The disclosure also raises a broader question about WordPress plugin security. With over 58,000 plugins in the official WordPress repository and millions more distributed privately, the responsibility for security falls heavily on individual site owners to stay informed about vulnerabilities and apply patches promptly. A single overlooked update across 100,000 installations represents a massive attack surface that criminals are actively scanning and exploiting. Understanding how to manage the digital debris left behind by compromised credentials—including what data deletion and rotation actually covers—is explored in the context of data deletion services and their growing role in post-breach recovery.

Expert Analysis:
• Unauthenticated information disclosure flaws are among the most operationally dangerous vulnerability classes precisely because they require no prior foothold—an attacker needs only to identify a vulnerable installation and issue a crafted request.
• OAuth tokens harvested from a plugin configuration do not expire automatically upon discovery of a breach; they remain valid until explicitly revoked, meaning the exploitation window extends well beyond the initial compromise.
• The broader implication for WordPress ecosystems is that credential hygiene—rotating keys, auditing OAuth grants, and monitoring third-party service access logs—must become a routine operational practice, not a post-incident response.

The next few weeks will determine how many of those 100,000 sites successfully patch before attackers harvest credentials at scale. The structural lesson from cases like this—and from the longer history of how harvested credentials enable downstream access across interconnected systems, a pattern examined in depth through the lens of data colonialism—is that authentication infrastructure is only as strong as its weakest integration point. For site owners still running the vulnerable version, the window to act is now.

Sociologist and web journalist, passionate about words. I explore the facts, trends, and behaviors that shape our times.