A security flaw in the widely used Gravity SMTP WordPress plugin is under active exploitation, enabling unauthenticated attackers to extract SMTP credentials from vulnerable websites without any login, according to BleepingComputer.

The vulnerability, tracked as CVE-2024-3967, is an unauthenticated information disclosure bug. By sending specially crafted HTTP requests to affected sites, attackers can retrieve SMTP server usernames, passwords, API keys, and other connection details stored in the plugin's configuration. No valid account or authentication is required to trigger the flaw.

Gravity SMTP is installed on more than 100,000 WordPress sites, giving the vulnerability a broad potential footprint. Security researchers have confirmed that exploitation is already underway, with threat actors scanning the internet at scale to identify and harvest credentials from unpatched installations.

Why This Flaw Carries Elevated Risk

On paper, an information disclosure vulnerability may not sound as alarming as remote code execution. In practice, however, the specific data exposed here — SMTP login credentials — makes this flaw particularly dangerous.

Stolen SMTP credentials allow attackers to send emails through a legitimate, trusted domain. Phishing campaigns originating from a real corporate mail server are significantly harder for recipients and spam filters to detect. Compromised API keys tied to third-party email delivery services could also grant broader platform access beyond a single website. Security researchers further warn that credentials harvested from one service are frequently tested against others, meaning a single exposure can cascade into multiple breaches.

Patch Available — Immediate Action Required

The Gravity SMTP development team has issued a fix. Website administrators should update the plugin to version 1.7.2 or later through the WordPress dashboard without delay.

The following steps are recommended, including interim options for site operators who cannot apply the patch immediately:

  1. Update promptly. Navigate to Plugins in the WordPress admin panel and install Gravity SMTP version 1.7.2 or newer.
  2. Rotate SMTP credentials. Change the password for the email account configured in the plugin. This invalidates any credentials that may have already been exfiltrated.
  3. Audit email account activity. Review logs for unauthorized login attempts, unexpected sent messages, or changes to forwarding rules.
  4. Apply interim mitigations. If patching must be delayed, consider deactivating the plugin temporarily or deploying web application firewall rules to block access to the affected endpoints.
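Step 1 scales badly when one team runs many sites. As an added example (not code from the article or from the Gravity SMTP project), the script below reads the JSON that `wp plugin list --format=json` prints on each site and flags every install still below 1.7.2, which also serves the plugin-inventory advice later in the piece. The plugin folder name `gravitysmtp` and the sample listings are assumptions; check the slug against your own wp-content/plugins/ directory.

```python
"""Fleet check (added example): flag sites whose Gravity SMTP is below the fixed 1.7.2.
Input per site is the JSON printed by `wp plugin list --format=json`; sample data is constructed.
"""
import json
import re

FIXED_VERSION = "1.7.2"      # first fixed release named in the advisory
PLUGIN_SLUG = "gravitysmtp"  # assumed plugin folder name; verify under wp-content/plugins/


def parse_version(v):
    """'1.7.2' or '1.7.2-beta1' -> (1, 7, 2); short versions are padded so 1.7 == 1.7.0."""
    parts = [int(p) for p in re.findall(r"\d+", v.split("-", 1)[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(version):
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_site(site, plugins_json):
    """Describe the Gravity SMTP state on one site from its wp-cli plugin listing."""
    for p in json.loads(plugins_json):
        if p.get("name") == PLUGIN_SLUG:
            return {"site": site, "installed": True, "version": p["version"],
                    "active": p.get("status") == "active",
                    "vulnerable": is_vulnerable(p["version"])}
    return {"site": site, "installed": False, "version": None,
            "active": False, "vulnerable": False}


def assess_fleet(inventory):
    """inventory: {site: plugins_json}. Returns only the sites that still need patching."""
    return [r for r in (assess_site(s, j) for s, j in inventory.items()) if r["vulnerable"]]


# Constructed sample listings in the shape `wp plugin list --format=json` prints.
SAMPLE_INVENTORY = {
    "shop.example": '[{"name":"gravitysmtp","status":"active","update":"available","version":"1.6.0"}]',
    "blog.example": '[{"name":"gravitysmtp","status":"inactive","update":"none","version":"1.7.2"}]',
    "docs.example": '[{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}

if __name__ == "__main__":
    for r in assess_fleet(SAMPLE_INVENTORY):
        state = "active" if r["active"] else "inactive"
        print(f"{r['site']}: Gravity SMTP {r['version']} ({state}) -> update to "
              f"{FIXED_VERSION}+ and rotate the SMTP credentials")
```

Any site the script lists should be patched and then have its SMTP password or API key rotated (step 2), since a version below 1.7.2 may already have been scanned.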

A Recurring Pattern in WordPress Security

This incident underscores a well-established dynamic in the WordPress ecosystem. WordPress core itself maintains a strong security track record, but the platform's extensibility through tens of thousands of third-party plugins creates an enormous and fragmented attack surface. Any individual site's security posture is effectively defined by its least secure plugin.

The Gravity SMTP case is a reminder for IT teams to maintain a current inventory of installed plugins, subscribe to vulnerability disclosure feeds, and establish patching workflows capable of responding within hours rather than days. With over 100,000 sites potentially affected and confirmed exploitation activity in the wild, the interval between public disclosure and mass credential harvesting continues to narrow. Speed of response remains the single most important factor in limiting damage.
