Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens

The article reports that attackers are actively exploiting CVE-2026-4020, an information disclosure flaw in the Gravity SMTP WordPress plugin (≤2.1.4) that exposes a large system report, including configuration data, API keys, secrets, and OAuth tokens, via an unauthenticated REST API endpoint.[1][2][5] Wordfence and other observers note widespread in-the-wild scanning and exploitation, with over 400 distinct attacking IPs seen targeting this bug.[5][8][9] From a CyberSE.AI perspective, exposed API keys and tokens can compromise connected email, cloud, or third‑party AI services, enabling attackers to impersonate applications, pivot into AI workloads, or exfiltrate data those services can access. Organizations using WordPress as a front end or integration point for AI systems should prioritize patching, log review, and secret rotation, and include such plugin-origin risks in an AI Security Readiness Assessment to ensure API key management, token scoping, and incident response processes account for similar web-to-AI data leakage paths.