Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

Threat actors are actively exploiting CVE-2026-4020, an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin active on 100,000 sites. The flaw exposes a REST API endpoint that returns a system report with email service credentials. Wordfence has blocked over 17 million exploit attempts since June 7.