
Threat actors are exploiting CVE-2026-4020, an unauthenticated information disclosure flaw in the Gravity SMTP WordPress plugin, which is active on 100,000 sites. The vulnerability affects versions 2.1.4 and older and was patched in version 2.1.5, released March 17. Wordfence blocked over 17 million exploit attempts, with activity spiking on June 7.