Update Gravity SMTP now. Attackers are actively probing this plugin for a flaw that can expose the keys and tokens your site uses to send email.

Gravity SMTP can expose your email service secrets

Wordfence reports active exploitation of a sensitive information exposure flaw in the Gravity SMTP plugin: a bug that reveals data that should stay private. The bug lets attackers, without logging in, pull system configuration details along with the API keys, secrets, and OAuth tokens (the login tokens that connect the plugin to email services) stored by the plugin. Wordfence says its firewall has already blocked more than 17 million exploit attempts, so this is not a theoretical risk.

This affects WordPress sites that use Gravity SMTP and have not installed the fully patched release the vendor shipped on March 17, 2026. The plugin has about 100,000 active installations, and the risk matters most for any site that uses it to connect WordPress mail to a third-party service such as SMTP providers or cloud email platforms, because the exposed credentials can give attackers access to that email setup.

Update Gravity SMTP to the latest version now. Updating closes the hole, but it does not invalidate credentials that may already have been read, so after that, rotate any API keys, secrets, and OAuth tokens stored in the plugin, then test your site email and review the connected email account for unexpected activity.
