2 reports · 2 sources · tracked since 16h ago EPSS 3%

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

AI synthesis Hackers exploit unauthenticated info disclosure bug (CVE-2026-4020) in Gravity SMTP WordPress plugin on 100k sites, exposing API keys.

vulnerability CVE-2026-4020

Why this ranks Transparent score: 14

coverage +6 source breadth +4 urgency +0 freshness +4

What changed

Coverage timeline

Every report remains linked to its original publisher.

BleepingComputer Jun 19, 2026, 8:25 PM UTC First observed

Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin ↗

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites. [...]
The Hacker News Jun 20, 2026, 9:56 AM UTC Coverage expanded

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys ↗

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unau...