ShellCodeX Intelligence Brief
MEDIUM Vulnerabilities

Gravity SMTP WordPress flaw CVE-2026-4020 leaks API keys and secrets

Source headline: Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat level: Medium
Signal strength: 70/100
Source confidence: 1 source
Published: 2 hours ago

Intelligence Summary

Attackers are exploiting a patched vulnerability in the Gravity SMTP WordPress plugin. The issue, tracked as CVE-2026-4020, is an unauthenticated information disclosure flaw. It can expose sensitive configuration details, including API keys, secrets, and OAuth tokens. The plugin is widely deployed, reportedly on around 100,000 WordPress sites. Site owners should ensure Gravity SMTP is updated to the fixed version and rotate any exposed credentials.

Recommended Action

Review source details and prioritize according to asset exposure.

Topics

#cve #wordpress #api-keys #information-disclosure #smtp
Original reporting: The Hacker News, "Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys"