Attackers Harvest API Keys From 100,000+ WordPress Sites
Hackers Exploit Gravity SMTP WordPress Flaw to Steal API Keys From 100,000+ Sites
A newly uncovered wave of attacks is targeting a critical vulnerability in the popular Gravity SMTP WordPress plugin. Attackers are actively exploiting the flaw to extract sensitive configuration data, including email service API keys and authentication tokens.
Security researchers say the vulnerability, tracked as CVE-2026-4020, affects all versions of Gravity SMTP up to and including 2.1.4 and is already being widely abused in the wild. The plugin, installed on more than 100,000 WordPress websites, handles email delivery for contact forms, notifications, and transactional messages.
How the Attack Works
The flaw stems from a REST API endpoint that is reachable without authentication. An attacker can request the plugin's detailed system report from an affected site without logging in; no credentials, nonce, or elevated role is required.
These reports may include sensitive information such as server configuration details, WordPress settings, plugin data, and, most critically, API keys and OAuth tokens tied to major email providers like Amazon SES, Google, Mailjet, Resend, and Zoho.
Once stolen, these credentials let an attacker send mail through the victim's provider account (hijacking its delivery reputation), launch phishing campaigns from a trusted domain, or use the exposed configuration to gain deeper access to the compromised site.
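The following is an added example, not Gravity SMTP's code and not the patched plugin's fix. It shows the general WordPress pattern behind this class of bug: a REST route whose `permission_callback` is `__return_true` hands its report to anyone, while the hardened registration gates the same callback on a capability check and masks secrets before they leave the server. The namespace `example-smtp/v1`, the route names, the option name `example_smtp_settings`, and the list of secret field names are all assumptions for illustration; the unsafe route is registered here only for contrast and should never ship.

```php
<?php
// Added example (not the plugin's own code): an unauthenticated "system report"
// REST route beside its hardened form. All names below are hypothetical.

add_action( 'rest_api_init', 'example_register_report_routes' );

function example_register_report_routes() {
    // VULNERABLE pattern, shown for contrast only: '__return_true' tells WordPress
    // that any caller, logged in or not, may hit this endpoint. Whatever the
    // callback returns (settings including mail-provider secrets) is exposed.
    register_rest_route( 'example-smtp/v1', '/system-report-unsafe', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED pattern: the permission callback runs before the handler and
    // requires an administrator capability. REST requests authenticate via
    // cookie + nonce or an application password, so a bare anonymous request
    // is rejected with 401 (not logged in) or 403 (logged in, not allowed).
    register_rest_route( 'example-smtp/v1', '/system-report', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_build_system_report',
        'permission_callback' => 'example_can_view_system_report',
    ) );
}

function example_can_view_system_report( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view the system report.', 'example-smtp' ),
            // 401 for anonymous callers, 403 for authenticated ones.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_build_system_report( WP_REST_Request $request ) {
    // Hypothetical option name; real plugins store provider settings differently.
    $settings = get_option( 'example_smtp_settings', array() );

    // Defence in depth: even an authorized admin does not need the raw key
    // echoed back, so mask secret-looking fields before serializing.
    $redacted = example_redact_secrets( $settings );

    return rest_ensure_response( array(
        'php_version'   => PHP_VERSION,
        'wp_version'    => get_bloginfo( 'version' ),
        'smtp_settings' => $redacted,
    ) );
}

// Recursively mask values stored under field names that commonly hold
// provider credentials (assumed list), keeping a 4-character prefix so an
// admin can still tell which key is configured.
function example_redact_secrets( array $settings ) {
    $secret_keys = array(
        'api_key', 'access_key', 'secret_key', 'access_token',
        'refresh_token', 'client_secret', 'password',
    );
    foreach ( $settings as $name => $value ) {
        if ( is_array( $value ) ) {
            $settings[ $name ] = example_redact_secrets( $value );
        } elseif ( in_array( (string) $name, $secret_keys, true ) && is_string( $value ) && '' !== $value ) {
            $settings[ $name ] = substr( $value, 0, 4 ) . str_repeat( '*', max( 0, strlen( $value ) - 4 ) );
        }
    }
    return $settings;
}
```

When reviewing any plugin that exposes diagnostics, the check is the same: find every `register_rest_route` call, confirm the `permission_callback` enforces a real capability rather than `__return_true`, and confirm the handler strips or masks credentials rather than dumping raw options.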
Exploitation Already Underway
Cybersecurity firms report that exploitation activity has surged since public disclosure of the flaw. Security tools have already blocked millions of malicious requests aimed at vulnerable WordPress installations, which points to widespread automated scanning across the internet.
Researchers warn that attackers are now treating the vulnerability as “background noise,” meaning it has been absorbed into large-scale automated exploit campaigns targeting WordPress plugins at scale.

Patch Released, But Risk Remains
The issue has been patched in Gravity SMTP version 2.1.5, and security experts are urging all website administrators to update immediately. However, many sites remain exposed because of delayed updates or unmaintained installations.
Security analysts also recommend rotating any API keys, OAuth tokens, or email credentials that may have been exposed, even after patching. Updating stops further reads of the report, but it does not invalidate credentials that were already copied; those remain usable at the email provider until they are revoked there.
Why WordPress Plugins Remain a Major Target
The incident highlights a recurring security challenge in the WordPress ecosystem: plugins often have privileged access to sensitive site data, making them attractive targets for attackers.
Email-related plugins are particularly high-risk because they store integration credentials that can be abused to bypass spam filters, impersonate organizations, or pivot into larger infrastructure attacks.
A Growing Pattern of Plugin Exploits
This latest campaign follows a broader trend of attackers focusing on widely used WordPress plugins rather than the core platform itself. Security experts say these tools often become the weakest link in website security due to delayed patching and inconsistent maintenance.
As exploitation continues, thousands of website owners are being urged to check their installations and apply updates immediately to prevent credential theft and potential site compromise.
The attack serves as another reminder that even trusted plugins can become entry points for large-scale cyber intrusions when security controls fail.