Hackers Are Exploiting a Critical Info Disclosure Vulnerability in Gravity SMTP WordPress Plugin

Threat actors are actively exploiting an unauthenticated info disclosure flaw in the Gravity SMTP WordPress plugin, putting 100,000+ sites at risk.

23 June 2026 · 5 min read

Hackers Are Actively Exploiting a Critical Vulnerability in Gravity SMTP

A serious security flaw in the popular WordPress plugin Gravity SMTP is currently being exploited in the wild, putting more than 100,000 active websites at risk. The vulnerability, classified as an unauthenticated information disclosure bug, allows threat actors to access sensitive data without needing any valid credentials. For site owners and administrators relying on this plugin to manage their WordPress email delivery, the risk is both immediate and significant.

In this article, we break down exactly what the vulnerability is, how attackers are exploiting it, which sites are affected, and — most importantly — what steps you should take right now to protect your WordPress installation.

What Is Gravity SMTP and Why Is It Widely Used?

Gravity SMTP is a WordPress plugin developed by the team behind Gravity Forms, one of the most trusted form-building tools in the WordPress ecosystem. Gravity SMTP is designed to give website owners granular control over how their WordPress site sends emails, offering integrations with popular email service providers such as Gmail, Outlook, SendGrid, Mailgun, and others.

Because email deliverability is a persistent challenge for WordPress sites — with default PHP mail often landing in spam folders — plugins like Gravity SMTP have gained widespread adoption among developers, agencies, and businesses. Its association with the reputable Gravity Forms brand helped it quickly reach an install base of over 100,000 active sites, making any security flaw within it a high-priority concern for the broader WordPress community.

Understanding the Unauthenticated Information Disclosure Vulnerability

The flaw at the center of this security incident is categorized as an unauthenticated information disclosure vulnerability. This type of vulnerability is particularly dangerous because it does not require the attacker to be logged in to WordPress — or even have a user account on the site — in order to extract sensitive information.

In practical terms, this means any remote party who knows the right request to send to a vulnerable site can potentially retrieve confidential data exposed by the plugin. Depending on the context, this information could include API keys, authentication tokens, or configuration details stored by the plugin as part of its email service integrations. Credentials of this nature could then be leveraged to compromise connected third-party services, enable spam campaigns, or facilitate further intrusion into the affected site.

Security researchers monitoring active exploitation have confirmed that threat actors are not merely scanning for vulnerable sites — they are already using the flaw to extract data from unpatched installations at scale.

How Threat Actors Are Exploiting the Flaw

The exploitation pattern observed in this campaign is characteristic of mass automated scanning attacks. Threat actors deploy bots that sweep large portions of the internet looking for WordPress installations running a vulnerable version of Gravity SMTP. Once a vulnerable target is identified, the attacker sends a specially crafted HTTP request that triggers the information disclosure endpoint, and the site responds by leaking sensitive configuration data.

Because the attack requires no authentication, there is no login attempt to detect, no failed password to flag, and no account to trace. This makes the attack particularly stealthy and difficult to catch through conventional login-monitoring security practices. Sites with weak logging configurations or no active web application firewall may not even realize they have been compromised until downstream damage — such as unauthorized email sending or API quota exhaustion — becomes apparent.

Which Versions of Gravity SMTP Are Affected?

Site administrators should check their currently installed version of Gravity SMTP immediately. The vulnerability affects versions of the plugin prior to the patched release issued by the Gravity Forms development team. If your site is running an outdated version of Gravity SMTP, it should be considered actively at risk given the confirmed exploitation activity in the wild.

It is also worth noting that simply having the plugin installed but not actively configured does not eliminate the risk, as the vulnerable code may still be reachable regardless of whether the plugin's full functionality is in use.

How to Protect Your WordPress Site Right Now

If you are running Gravity SMTP on any WordPress site, the following steps should be treated as urgent:

  • Update Gravity SMTP immediately. Navigate to your WordPress dashboard, go to Plugins, and check for available updates. Apply the latest version of Gravity SMTP as soon as possible. The patched version addresses the unauthenticated information disclosure vulnerability and should be installed without delay.
  • Rotate any exposed credentials. If your site was running a vulnerable version of the plugin and had third-party email service providers configured, assume that those API keys and tokens may have been exposed. Revoke and regenerate credentials for any connected services such as SendGrid, Mailgun, Gmail OAuth, or Outlook immediately.
  • Audit your site logs. Review your server access logs and WordPress activity logs for unusual or unexpected requests that may indicate your site was already targeted. Look for unfamiliar IP addresses making repeated requests to your site's REST API or admin-ajax endpoints.
  • Deploy a Web Application Firewall (WAF). Tools such as Wordfence, Patchstack, or Cloudflare's WAF can help detect and block exploit attempts in real time, including attacks targeting known plugin vulnerabilities. Many of these services push virtual patches that protect sites even before an official plugin update is applied.
  • Enable automatic plugin updates. For security-critical plugins, enabling automatic background updates ensures that your site benefits from patches as soon as they are released, reducing the window of exposure between disclosure and remediation.
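To make the log-audit step concrete, here is an added example (not from the original article or from the plugin vendor) that parses combined-format web server access logs and flags source IPs making repeated requests to the REST API (`/wp-json/`) or `admin-ajax.php`, the endpoints the audit step above calls out. The log lines are constructed, and the `EXAMPLE-PLUGIN` route and `EXAMPLE_ACTION` parameter are placeholders, not the real endpoint involved in this vulnerability.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints the audit step tells you to watch: REST API and admin-ajax.
WATCHED_PREFIXES = ("/wp-json/", "/wp-admin/admin-ajax.php")

# Constructed sample traffic: one ordinary visitor and one scripted client
# hammering the watched endpoints. Plugin route/action names are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jun/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Jun/2026:10:01:03 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.10 - - [23/Jun/2026:10:01:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Jun/2026:10:02:00 +0000] "GET /wp-json/ HTTP/1.1" 200 9800 "-" "python-requests/2.31"
198.51.100.7 - - [23/Jun/2026:10:02:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 120 "-" "python-requests/2.31"
198.51.100.7 - - [23/Jun/2026:10:02:02 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION HTTP/1.1" 400 55 "-" "python-requests/2.31"
198.51.100.7 - - [23/Jun/2026:10:02:02 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.7 - - [23/Jun/2026:10:02:03 +0000] "GET /wp-json/EXAMPLE-PLUGIN/v1/settings HTTP/1.1" 200 1400 "-" "python-requests/2.31"
198.51.100.7 - - [23/Jun/2026:10:02:04 +0000] "GET /wp-json/EXAMPLE-PLUGIN/v1/settings HTTP/1.1" 200 1400 "-" "python-requests/2.31"
this line is deliberately malformed and must be skipped
"""

def parse_line(line):
    """Return a dict of log fields, or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_watched(path):
    return any(path.startswith(p) for p in WATCHED_PREFIXES)

def suspicious_ips(log_text, threshold=5):
    """Map each IP with >= threshold watched-endpoint hits to its hit count,
    the number of those hits that returned 200 (a body was served), and the
    distinct routes touched (query strings stripped)."""
    hits, ok, routes = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        hits[rec["ip"]] += 1
        ok[rec["ip"]] += rec["status"] == "200"
        routes[rec["ip"]].add(rec["path"].split("?", 1)[0])
    return {ip: {"count": n, "successful": ok[ip], "routes": sorted(routes[ip])}
            for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for ip, info in suspicious_ips(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real `access.log` by reading the file into `suspicious_ips`; a high `successful` count against a single route from one IP is what warrants investigation and credential rotation.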

The Broader Lesson: WordPress Plugin Security Is an Ongoing Responsibility

The Gravity SMTP incident is a timely reminder that no plugin — regardless of how reputable its developer or how large its user base — is immune to security vulnerabilities. The WordPress plugin ecosystem is one of the most targeted attack surfaces on the web, precisely because a single flaw in a widely deployed plugin can be exploited across hundreds of thousands of sites simultaneously.

Site owners often underestimate the risk posed by outdated plugins, treating updates as a lower-priority maintenance task rather than a security imperative. But as this case illustrates, threat actors are actively monitoring vulnerability disclosures and moving quickly to exploit them before the majority of site owners have applied patches.

Adopting a security-first mindset — one that includes regular updates, active monitoring, credential hygiene, and layered defenses — is no longer optional for anyone running a WordPress site in a production environment. The cost of a breach, whether measured in data loss, reputational damage, or service disruption, far exceeds the time investment required to stay current with plugin security.

Final Thoughts

The active exploitation of the Gravity SMTP information disclosure vulnerability is a developing situation that demands immediate attention from every WordPress site owner using the plugin. Update now, rotate your credentials, review your logs, and put proactive security measures in place. The threat is real, it is ongoing, and the window to act before damage occurs is narrow. Stay informed, stay patched, and treat your WordPress security as the critical infrastructure it truly is.
