Hackers Actively Exploiting Unauthenticated Info-Disclosure Bug in Gravity SMTP WordPress Plugin
What Happened
Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites, according to a BleepingComputer report. The flaw requires no login credentials — an unauthenticated HTTP request is sufficient to trigger the disclosure. At time of writing, active exploitation is confirmed in the wild.
Gravity SMTP is a dedicated email delivery plugin designed to route WordPress transactional mail through providers like SendGrid, Mailgun, Resend, or Gmail. It stores provider credentials — API keys, OAuth tokens, and SMTP passwords — in the WordPress database as part of its configuration.
Why It Matters
Unauthenticated information disclosure in an email delivery plugin is among the worst-case plugin vulnerability classes. Here's the blast radius:
Credential exposure. SMTP API keys and OAuth tokens extracted from the plugin's configuration can be used immediately to send bulk email from your domain — phishing campaigns, spam, or account takeover lures — with no further access to your server required.
Domain reputation damage. Email sent through your authenticated sending infrastructure will pass SPF and DKIM checks. Spam or phishing sent this way can blacklist your domain within hours, disrupting all legitimate outbound email.
Pivot to connected services. If the exposed credentials belong to a provider account (e.g., a Mailgun or SendGrid API key with broad permissions), attackers can access contact lists, templates, suppression lists, or billing — entirely outside your WordPress environment.
Scale of exposure. With 100,000 active installations and exploitation already underway, automated scanners are almost certainly sweeping for vulnerable endpoints. Sites that haven't patched are being targeted now, not eventually.
What to Do
1. Update Gravity SMTP immediately. Open your WordPress admin panel, go to Plugins → Installed Plugins, and apply any pending Gravity SMTP update. If no update is yet available from the plugin vendor, deactivate and delete the plugin temporarily until a patch ships. Broken email delivery is recoverable; exposed API keys are not. Note that deactivating or deleting the plugin only stops the vulnerable endpoint from answering requests; it does nothing about credentials that have already been read, so step 2 is still required.
2. Rotate all exposed credentials now, regardless of whether you believe you were hit. Log into each connected email provider (Mailgun, SendGrid, Resend, Gmail OAuth, etc.) and revoke the key or token currently configured in Gravity SMTP. Issue a new key and reconfigure the plugin only after patching. When issuing the replacement, scope it as narrowly as the provider allows (send-only, restricted to your sending domain), so that a future leak cannot reach contact lists, templates, suppression lists, or billing.
3. Audit your sending logs. In your email provider's dashboard, review sent-message logs for the past 72 hours. Look for unusual volume, unfamiliar recipient domains, or message content you didn't originate.
4. Check your server access logs for unexpected POST or GET requests to paths associated with Gravity SMTP's settings or diagnostic endpoints. Evidence of automated probing is a strong indicator your credentials were harvested even if no obvious abuse has occurred yet.
5. If you manage multiple WordPress sites, treat every site running Gravity SMTP as compromised until patched and audited. A single compromised instance affecting a shared sending domain or IP pool can drag down the reputation of all sites behind it.
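The following is an added triage helper for steps 3 and 4 above; it is example code written for this page, not code from the article, from BleepingComputer, or from the Gravity SMTP vendor. It parses standard Apache/nginx combined-format access logs and flags every request that touches a plugin path, ranking source IPs by how many of those requests succeeded, and it scans a provider message-log export for hourly volume spikes and recipient domains you do not normally mail. The plugin slug pattern (`gravitysmtp` / `gravity-smtp`) is an assumption to check against your own `wp-content/plugins` directory; the article does not name the vulnerable route, so the paths in the sample log lines are placeholders, and all sample data is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: the plugin's files and REST routes live under a path that
# contains one of these slugs. Check wp-content/plugins on your own site and
# adjust; the article does not name the vulnerable route.
PLUGIN_PATH_RE = re.compile(r"gravitysmtp|gravity-smtp", re.IGNORECASE)

# Apache/nginx "combined" log format.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def find_plugin_probes(lines, path_re=PLUGIN_PATH_RE):
    """Group every request that touches a plugin path by client IP.

    Each entry is (timestamp, method, path, status, user_agent). Lines that do
    not parse as combined format are skipped rather than raising.
    """
    hits = defaultdict(list)
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and path_re.search(m["path"]):
            hits[m["ip"]].append(
                (m["ts"], m["method"], m["path"], m["status"], m["ua"]))
    return dict(hits)


def summarize_probes(hits):
    """Rank source IPs by successful (2xx) plugin-path requests, then by total.

    A 2xx on a settings or diagnostic path from a client that never logged in
    is the harvesting evidence the article describes; 4xx noise ranks lower.
    """
    rows = []
    for ip, reqs in hits.items():
        ok = sum(1 for r in reqs if r[3].startswith("2"))
        rows.append((ip, ok, len(reqs)))
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def audit_send_log(rows, known_domains, max_per_hour):
    """Flag hourly volume spikes and recipient domains you do not normally mail.

    rows: (ISO-8601 timestamp, recipient address) pairs as exported from the
    provider's message log. Returns ({hour: count}, Counter of unknown domains).
    """
    per_hour = Counter()
    unknown = Counter()
    for ts, rcpt in rows:
        per_hour[datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")] += 1
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in known_domains:
            unknown[domain] += 1
    spikes = {h: n for h, n in per_hour.items() if n > max_per_hour}
    return spikes, unknown


# Constructed sample data. IPs are from documentation ranges; the paths are
# placeholders containing the assumed slug, not the real vulnerable route.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [10/Jun/2025:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1822 "-" "python-requests/2.31"',
    '203.0.113.10 - - [10/Jun/2025:03:14:08 +0000] "GET /wp-content/plugins/gravitysmtp/readme.txt HTTP/1.1" 200 9471 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Jun/2025:03:20:41 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Jun/2025:04:02:13 +0000] "POST /wp-content/plugins/gravity-smtp/x.php HTTP/1.1" 404 512 "-" "curl/8.0"',
    'not a log line',
]
SAMPLE_SEND_LOG = [
    ("2025-06-10T02:05:00+00:00", "customer@example.com"),
    ("2025-06-10T03:30:00+00:00", "a@mail.example.net"),
    ("2025-06-10T03:31:00+00:00", "b@mail.example.net"),
    ("2025-06-10T03:32:00+00:00", "c@mail.example.net"),
    ("2025-06-10T03:33:00+00:00", "d@example.org"),
]

if __name__ == "__main__":
    for ip, ok, total in summarize_probes(find_plugin_probes(SAMPLE_ACCESS_LOG)):
        print(f"{ip}: {ok} successful / {total} plugin-path requests")
    spikes, unknown = audit_send_log(SAMPLE_SEND_LOG, {"example.com"}, max_per_hour=3)
    print("hourly spikes:", spikes)
    print("unknown recipient domains:", dict(unknown))
```

Run it against your real access log by reading the file into `find_plugin_probes` and against a CSV export from your provider by feeding `(timestamp, recipient)` pairs into `audit_send_log`; set `max_per_hour` from your own normal volume. The ranking puts a client that got 2xx responses from plugin paths first because that, rather than a scanner that only collected 404s, is the case where you should assume the stored credentials were read.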
This is a patch-and-rotate situation, not a wait-and-see one. Active exploitation means the window between "unpatched" and "compromised" is hours at most.
Synthesized by Claude · sanity-checked before publish.