Threat actors are actively exploiting a security flaw in the widely used Gravity SMTP WordPress plugin, enabling them to steal sensitive API keys and configuration data from affected websites. The vulnerability, tracked as CVE-2026-4020 with a CVSS score of 5.3, is particularly dangerous because it requires no authentication to exploit.

The plugin, which is installed on roughly 100,000 WordPress sites, functions as an outbound email configuration tool. As reported by The Hacker News, the flaw is classified as an information disclosure vulnerability — meaning attackers can extract protected data without logging in or holding any prior access to the target site.

What elevates this beyond a typical data leak is the nature of the secrets Gravity SMTP is built to manage. The plugin stores OAuth tokens, API keys, and SMTP login credentials as part of its core operation. Exploiting the vulnerability gives attackers direct access to this credential store, effectively turning the plugin into a high-value target.

Stolen credentials can fuel a range of follow-on attacks. Compromised API keys may unlock unauthorized access to third-party services linked to the site, while stolen SMTP details could be abused to send phishing emails or spam through the victim's mail infrastructure — all under the site owner's identity.

The incident exposes a persistent weakness in the WordPress ecosystem: the gap between patch availability and widespread adoption. Although the plugin's developers have already released a fix, the scale of installations ensures that thousands of sites will remain unpatched for days or weeks. That window is more than enough for automated, mass exploitation — especially given that the flaw's unauthenticated nature makes such attacks trivial to carry out at scale.

Security professionals urge administrators to update the plugin immediately. Crucially, any site exposed before patching should be treated as potentially compromised. Administrators should proactively rotate all credentials managed by the plugin — including OAuth tokens, API keys, and SMTP logins — even in the absence of signs that the flaw was exploited. Because exploitation leaves no obvious footprint in standard logs, a precautionary approach to credential rotation is essential.
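The remediation above has two steps that are easy to lose track of across a fleet of sites: confirm which installs still run a pre-fix version, and rotate every credential the plugin holds on any site that was exposed. The following Python script is an added example, not code from the article or from the Gravity SMTP project. It parses the standard WordPress plugin header (`Version:` line) and emits an action list per site. The plugin file path `wp-content/plugins/gravity-smtp/gravity-smtp.php` is an assumption (verify against your install), and the patched version number is not given on the page, so it is passed in as a parameter; the `1.3.0` used in the demo run is a constructed value, not the vendor's release number.

```python
import re
from pathlib import Path
from typing import Optional

# Assumed location of the plugin's main file; verify against your install.
PLUGIN_MAIN_FILE = Path("wp-content/plugins/gravity-smtp/gravity-smtp.php")

# Matches the "Version:" line of a WordPress plugin header comment block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Credential types the article says the plugin manages; every one of them
# needs rotating on a site that was exposed before it was patched.
CREDENTIALS_TO_ROTATE = ("OAuth tokens", "API keys", "SMTP logins")


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a plugin header, or None if absent."""
    match = _VERSION_RE.search(header_text)
    return match.group(1) if match else None


def version_key(version: str) -> tuple:
    """Turn '1.2.10' into a tuple that compares numerically (so 1.10 > 1.9).

    Missing components are padded with zeros, and a pre-release suffix such as
    '1.3.0-beta' sorts below the bare release '1.3.0'.
    """
    core, _, suffix = version.partition("-")
    numbers = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    numbers = numbers + (0,) * max(0, 3 - len(numbers))
    return numbers + ((0,) if suffix else (1,))


def is_unpatched(installed: str, fixed: str) -> bool:
    """True when the installed version predates the fixed release."""
    return version_key(installed) < version_key(fixed)


def classify(site: str, installed: Optional[str], fixed_version: str) -> dict:
    """Build the action list for one site from its installed plugin version."""
    actions = []
    if installed is None:
        actions.append("plugin present but version header unreadable: inspect manually")
    elif is_unpatched(installed, fixed_version):
        actions.append(f"update Gravity SMTP from {installed} to {fixed_version}")
        actions.extend(f"rotate {cred}" for cred in CREDENTIALS_TO_ROTATE)
    else:
        # Patched now, but exploitation leaves no clear log trace, so a site
        # that was exposed before the update still needs its credentials rotated.
        actions.append("patched; rotate credentials if the site was exposed before the update")
    return {"site": site, "installed": installed, "actions": actions}


def audit_site(site_root: Path, fixed_version: str) -> dict:
    """Inspect one WordPress document root on disk and return its action list."""
    main_file = site_root / PLUGIN_MAIN_FILE
    if not main_file.is_file():
        return {"site": str(site_root), "installed": None, "actions": []}
    installed = parse_plugin_version(main_file.read_text(errors="replace"))
    return classify(str(site_root), installed, fixed_version)


# Constructed sample header (not real plugin code) so the script runs stand-alone.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Gravity SMTP
 * Version: 1.2.3
 */
"""

if __name__ == "__main__":
    # "1.3.0" is a constructed fixed version for the demo, not the vendor's number.
    report = classify("example-site", parse_plugin_version(SAMPLE_HEADER), "1.3.0")
    for action in report["actions"]:
        print(f"[{report['site']}] {action}")
```

Run `audit_site(Path("/var/www/example"), "<patched version>")` over each document root to get the per-site list; the comparison is kept as a plain tuple sort rather than a third-party version library so the script runs on a bare server.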

This event serves as a stark reminder that plugins operating as credential vaults for external services demand the same security rigor as any critical infrastructure. Developers and site administrators alike must prioritize rapid patching and thorough auditing for tools entrusted with sensitive authentication material.
