
A security flaw in the popular Gravity SMTP WordPress plugin (CVE-2026-4020) allowed anyone on the internet — no login required — to read a website’s private email API credentials just by visiting a specific web address. The exposed data included API keys for Amazon SES, Google, Mailjet, Resend, and Zoho mail services, along with OAuth tokens, database table names, and server configuration details. Attackers who grabbed those keys could send spam or phishing emails from your domain or use the configuration data to plan further attacks.
Wordfence researchers, who discovered the flaw, say they blocked over 17 million exploitation attempts — with attack traffic peaking at 4 million requests per day in early June. That scale of targeting means many unpatched sites were likely hit before the fix was available. If your site uses Gravity SMTP and you have not updated it recently, assume your email API credentials may have been read.
How to check if you’re affected
Every Gravity SMTP version before 2.1.5 is affected. To check: in your WordPress dashboard go to Plugins → Installed Plugins, find Gravity SMTP, and look at the version number. If it shows anything older than 2.1.5, update it immediately. Updating closes the hole but does not invalidate credentials that may already have been read, so after updating, rotate any API keys or OAuth tokens you had configured under the plugin’s email settings: change them in your email provider’s dashboard (Amazon SES, Google Workspace, Mailjet, etc.) and paste the new ones back into the plugin.
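The version check above, as an added example that is not from the article or from the Gravity SMTP project: a POSIX shell script that compares an installed version string against the fixed release 2.1.5 (handling multi-digit components such as 2.1.10 and pre-release suffixes) and prints the update-and-rotate advice when the version is affected. The WP-CLI plugin slug gravitysmtp used in the usage comment is an assumption; confirm it with wp plugin list on your own site.

```shell
#!/bin/sh
# Added example, not part of the article or the Gravity SMTP plugin.
# Checks whether an installed Gravity SMTP version predates the fix
# for CVE-2026-4020 (fixed in 2.1.5, per the advisory summarised above).

FIXED_VERSION="2.1.5"

# version_lt A B -> returns 0 if A < B, 1 otherwise.
# Dot-separated numeric versions, any number of components;
# a missing trailing component counts as 0 (so 2.1 < 2.1.5).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        # drop the leading component from each string
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1
}

# gravity_smtp_affected VERSION -> prints a verdict.
# Exit 0 = affected (update + rotate), 1 = not affected, 2 = unknown.
gravity_smtp_affected() {
    # strip a pre-release suffix such as "-beta1" before comparing
    v="${1%%[!0-9.]*}"
    if [ -z "$v" ]; then
        echo "could not parse Gravity SMTP version '$1'"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "Gravity SMTP $1 is affected by CVE-2026-4020:" \
             "update to $FIXED_VERSION or later, then rotate the mail" \
             "API keys and OAuth tokens configured in the plugin"
        return 0
    fi
    echo "Gravity SMTP $1 is $FIXED_VERSION or later (not affected)"
    return 1
}

# Usage: pass one or more version strings, e.g. from WP-CLI
# (plugin slug "gravitysmtp" is an assumption):
#   sh check-gravity-smtp.sh "$(wp plugin get gravitysmtp --field=version)"
if [ $# -gt 0 ]; then
    for ver in "$@"; do
        gravity_smtp_affected "$ver" || true
    done
fi
```

Run it with the version shown on the Plugins page, or feed it the WP-CLI output as in the comment; an exit status of 0 from gravity_smtp_affected means the site needs both the update and the credential rotation.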
