A critical information disclosure vulnerability in the Gravity SMTP WordPress plugin is being actively exploited, putting over 100,000 websites at risk. The bug allows threat actors to access sensitive information without authentication, potentially leading to further attacks. The Gravity SMTP plugin is widely used for configuring SMTP settings in WordPress, making it a prime target for malicious actors. Exploitation of this vulnerability can have severe consequences, including email account compromise and unauthorized access to sensitive data. The vulnerability is particularly concerning given the large number of sites using the affected plugin [1]. This exploitation highlights the importance of keeping WordPress plugins up to date, as well as implementing additional security measures to prevent such attacks. For practitioners, the immediate action is to review their WordPress configurations and update the Gravity SMTP plugin to prevent exploitation and protect their sites from information disclosure.