Signal
Hackers actively exploit information disclosure vulnerability in Gravity SMTP WordPress plugin
Published 2026-06-19 20:25 UTC · Updated 2026-06-20 09:56 UTC
cve, exploits, wordpress, plugin, info_disclosure
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth. 2 top sources shown.
limited source diversity in top sources
Overview
A medium-severity information disclosure vulnerability (CVE-2026-4020) in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites, is being actively exploited by threat actors.
Entities
Gravity SMTP
Score total
1.03
Momentum 24h
2
Posts
2
Origins
2
Source types
1
Duplicate ratio
0%
Why now
- Active exploitation reported shortly after the vulnerability was patched.
- High number of affected sites increases urgency for updates.
- The flaw can be exploited without authentication, so all users of the plugin are vulnerable.
Why it matters
- The vulnerability exposes sensitive credentials that can lead to further site compromise.
- Gravity SMTP is widely used, increasing the potential impact of exploitation.
- Prompt patching is critical to protect affected WordPress sites.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: medium
Recurring claims
- An unauthenticated information disclosure vulnerability in Gravity SMTP WordPress plugin allows attackers to access sensitive data including API keys and OAuth tokens.
How sources frame it
- Security News Sources: neutral
Consolidated reports confirm active exploitation of CVE-2026-4020 in Gravity SMTP plugin; urgent patching advised.
All evidence
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
thehackernews · thehackernews.com · 2026-06-20 09:56 UTC
Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin
bleepingcomputer_all · bleepingcomputer.com · 2026-06-19 20:25 UTC
Posts loaded: 0 · Publishers: 2 · Origin domains: 2 · Duplicates: -
Top publishers (this list)
- thehackernews (1)
- bleepingcomputer_all (1)
Top origin domains (this list)
- thehackernews.com (1)
- bleepingcomputer.com (1)