A medium-severity vulnerability in the Gravity SMTP WordPress plugin, tracked as CVE-2026-4020, is being exploited by attackers to expose sensitive data, including API keys and OAuth tokens, on approximately 100,000 sites. This information disclosure flaw allows unauthenticated attackers to extract configuration data and secrets, which can then be leveraged for further malicious activity. The vulnerability has a CVSS score of 5.3, indicating moderate severity. That the bug is being actively exploited underscores the importance of prompt patching and shows that site administrators should prioritize updates based on their own exposure and on evidence of exploitation, rather than on the CVSS score alone. This expansion of the active attack surface matters to security practitioners because it calls for a thorough review of the WordPress plugin inventory and of update procedures to prevent potential breaches.