Attackers Actively Exploiting Sensitive Information Exposure Vulnerability in Gravity SMTP Plugin (opens in new tab)

On March 30th, 2026, we publicly disclosed a Sensitive Information Exposure vulnerability in Gravity SMTP, a WordPress plugin with an estimated 100,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to retrieve detailed system configuration data and, critically, any API keys, secrets, and OAuth tokens configured for the plugin’s email integrations. The vendor released the fully patched version on March 17th, 2026, and we originally disclosed this vulner...