Gravity SMTP flaw leaks API keys from 100K WordPress sites

Attackers are mass-exploiting a Gravity SMTP vulnerability that exposes API keys, OAuth tokens, and system data from WordPress sites without authentication. Wordfence blocked over 17 million exploit attempts targeting the flaw, which affects all plugin versions through 2.1.4. A patch was released in version 2.1.5 on 17 March 2026.