Hackers Are Actively Exploiting a Critical Info Disclosure Bug in Gravity SMTP WordPress Plugin


Threat actors exploit an unauthenticated info disclosure flaw in Gravity SMTP, a WordPress plugin active on 100,000+ sites. Here's what you need to know.

23 June 2026 · 5 min read


A serious security vulnerability in the popular WordPress plugin Gravity SMTP is currently being exploited in the wild by threat actors. The flaw, classified as an unauthenticated information disclosure vulnerability, puts tens of thousands of WordPress websites at immediate risk. With over 100,000 active installations, the plugin represents a wide and attractive attack surface for cybercriminals looking to harvest sensitive data without needing any login credentials whatsoever.

If your website relies on Gravity SMTP for email delivery and configuration, this is not a threat you can afford to ignore. Understanding the nature of the vulnerability, how attackers are leveraging it, and what steps you need to take right now is critical to keeping your site and your users safe.

What Is Gravity SMTP and Why Is It a Target?

Gravity SMTP is a WordPress plugin developed by the team behind Gravity Forms. It is designed to help website administrators configure reliable SMTP email delivery directly from the WordPress dashboard, making it easier to connect to services like Gmail, Outlook, SendGrid, and other email providers. Because it sits at the intersection of site configuration and email credentials, it handles a great deal of sensitive information — including API keys, OAuth tokens, and SMTP login details.

This makes it an exceptionally attractive target. If an attacker can extract the data stored or exposed by this plugin without needing to authenticate, they gain potential access to email accounts, communication pipelines, and in some cases broader application credentials. That is precisely what this vulnerability allows.

Understanding the Unauthenticated Information Disclosure Vulnerability

The vulnerability at the center of this threat is an unauthenticated information disclosure flaw. In plain terms, this means that an attacker does not need a username, password, or any other form of authentication to trigger the bug and retrieve sensitive information from an affected website.

Unauthenticated vulnerabilities are among the most dangerous classes of security flaws in the WordPress ecosystem because they require no prior foothold on the target system. A malicious actor can simply send a crafted HTTP request to a vulnerable site and receive sensitive data in return. There is no brute-forcing of credentials, no social engineering, and no need to compromise an admin account first.

In the case of Gravity SMTP, the disclosed information can include configuration data and credentials stored as part of the plugin's email setup process. Once an attacker has access to these details, the potential for follow-on attacks — including account takeover, data exfiltration, and spam or phishing campaign abuse — becomes significant.

Active Exploitation: What the Threat Looks Like in Practice

Security researchers have confirmed that this is not merely a theoretical risk. Threat actors are already actively scanning for and exploiting this vulnerability across the web. Automated tools and botnets are commonly used in these kinds of campaigns, allowing attackers to probe thousands of WordPress installations within hours of a vulnerability becoming known or exploitable.

The typical attack chain begins with automated reconnaissance — mass scanning WordPress sites to identify those running a vulnerable version of Gravity SMTP. Once a vulnerable target is identified, the attacker sends the specially crafted request to extract the disclosed information. Depending on what credentials or tokens are exposed, the attacker may then pivot to accessing connected email services, exfiltrating user data, or using the compromised email account to distribute malicious content.

The speed at which this kind of exploitation occurs after disclosure is a stark reminder of why patch management must be treated as an urgent priority rather than a routine maintenance task.

How to Protect Your WordPress Site Right Now

If you are running Gravity SMTP on your WordPress site, the most important step you can take is to update the plugin to the latest available version immediately. Plugin developers typically release a patched version when a vulnerability of this severity is disclosed, and applying that update closes the attack vector entirely.

  • Update Gravity SMTP immediately. Log in to your WordPress dashboard, navigate to Plugins, and check for available updates. Apply the latest version without delay.
  • Audit your stored credentials. After updating, review the email credentials and API keys stored within the plugin. If you suspect your site may already have been compromised, rotate all connected credentials, including SMTP passwords, OAuth tokens, and API keys.
  • Enable a web application firewall (WAF). A WAF can help detect and block exploit attempts targeting known vulnerabilities, providing an additional layer of defense even before patches are applied.
  • Review your server and access logs. Look for unusual or unexpected requests that may indicate a scanning or exploitation attempt has already occurred against your site.
  • Enable automatic plugin updates. For security-critical plugins, enabling automatic updates ensures you receive patches as soon as they are released, minimizing your exposure window.
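An added example for the log-review step above, not code from the original article or from the Gravity SMTP plugin: it parses combined-format access log lines and summarises, per source IP, which requests touched the plugin and which of those actually returned data, so you know whether credential rotation is warranted rather than just whether someone probed. The plugin slug, the REST path in the sample lines and the sample lines themselves are constructed assumptions, not the real vulnerable endpoint.

```python
import re

# Assumed plugin slug used to match request paths (placeholder); confirm it
# against the directory name under wp-content/plugins on your own site.
PLUGIN_SLUG = "gravitysmtp"
AUTOMATION_UA = ("python-requests", "curl/", "go-http-client", "wget/")

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not real traffic; the REST path is a placeholder,
# not the actual vulnerable route.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Jun/2026:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/example HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [23/Jun/2026:10:01:03 +0000] "GET /wp-json/gravitysmtp/v1/example HTTP/1.1" 200 1843 "-" "python-requests/2.31"
203.0.113.7 - - [23/Jun/2026:10:01:05 +0000] "GET /wp-content/plugins/gravitysmtp/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.24 - - [23/Jun/2026:10:02:10 +0000] "GET /wp-content/plugins/gravitysmtp/assets/app.js HTTP/1.1" 200 9021 "https://example.org/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
192.0.2.55 - - [23/Jun/2026:10:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
192.0.2.55 - - [23/Jun/2026:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.org/wp-login.php" "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"
"""


def triage(log_text, slug=PLUGIN_SLUG, burst=3):
    """Per source IP, summarise requests whose path touches the plugin.
    returned_data counts 200 responses with a body: the requests where a
    disclosure would actually have leaked something (rotate credentials)."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or slug not in m["path"].lower():
            continue  # unparsable line, or a request unrelated to the plugin
        e = report.setdefault(m["ip"], {"hits": 0, "returned_data": 0,
                                         "paths": set(), "agents": set()})
        e["hits"] += 1
        if m["status"] == "200" and m["size"] not in ("-", "0"):
            e["returned_data"] += 1
        e["paths"].add(m["path"])
        e["agents"].add(m["ua"])
    for e in report.values():  # bursts or automation UAs suggest a scanner
        automated = any(ua.lower().startswith(AUTOMATION_UA) for ua in e["agents"])
        e["scanner_like"] = e["hits"] >= burst or automated
    return report


if __name__ == "__main__":
    for ip, e in triage(SAMPLE_LOG).items():
        flag = "REVIEW" if e["scanner_like"] else "ok"
        print(f"{ip:16} hits={e['hits']} returned_data={e['returned_data']} {flag}")
```

A normal visitor loading the plugin's front-end assets also hits a plugin path, which is why the report keeps the user agent and the returned-data count separate from the raw hit count.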

The Broader Lesson for WordPress Security

The Gravity SMTP vulnerability is a sharp reminder of a recurring challenge in the WordPress ecosystem: popular plugins expand functionality, but they also expand the attack surface of every site that installs them. With more than 60,000 plugins available in the official repository alone — and many more distributed independently — keeping every component of a WordPress installation patched and secure is a genuine operational challenge.

Site owners and developers should adopt a security-first mindset that includes regular vulnerability scanning, prompt patch application, least-privilege access principles, and monitoring for indicators of compromise. Relying on a plugin being "reputable" or "widely used" is not a substitute for active security hygiene. As this incident demonstrates, even well-regarded plugins from established developers can carry serious flaws.

Stay Informed and Stay Patched

The active exploitation of the Gravity SMTP information disclosure vulnerability is a developing situation, and the threat landscape can evolve quickly. Security teams and independent researchers continue to monitor for new attack variants and additional indicators of compromise. Website administrators are strongly encouraged to follow updates from the plugin's developers, reputable WordPress security firms, and threat intelligence sources.

The bottom line is straightforward: if you run Gravity SMTP, update now, audit your credentials, and verify your site has not already been targeted. In the face of active exploitation, every hour of delay increases risk. Proactive, immediate action is the only appropriate response to a vulnerability of this nature being weaponized at scale.

Tags: Gravity SMTP vulnerability, WordPress plugin exploit, unauthenticated information disclosure, WordPress security, Gravity SMTP patch