Defiant warns that attackers are exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin to retrieve the plugin's full system report from vulnerable sites without authentication. The exposed data can include server details, WordPress configuration, and sensitive API keys and tokens, so site admins should update to Gravity SMTP 2.1.5 and rotate any credentials that may have been exposed. #GravitySMTP #CVE-2026-4020 #Defiant
Key points
- Gravity SMTP versions before 2.1.5 are affected by CVE-2026-4020.
- The flaw allows unauthenticated users to retrieve sensitive system report data.
- The exposed data can reveal API keys, tokens, and email service credentials.
- Defiant has observed active exploitation since early May.
- Site owners should update the plugin and rotate any exposed secrets immediately.
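A quick way to triage a fleet of sites against the fixed version is to compare the installed plugin version with 2.1.5. The script below is an added example for this brief, not Defiant's or Gravity Forms' code; it assumes WP-CLI is available and that the plugin slug is gravitysmtp (both assumptions, not stated in the advisory), and it falls back to a pure version comparison so the check can be exercised offline with a constructed version string.

```shell
#!/bin/sh
# Added example: flag Gravity SMTP installs that predate the CVE-2026-4020 fix.
# Assumptions (not from the advisory): WP-CLI is installed, plugin slug is
# "gravitysmtp", and versions are dotted numerics (a "-suffix" is stripped).

FIXED_VERSION="2.1.5"

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B, comparing each dotted
# segment numerically so that 2.1.10 sorts above 2.1.5 (string compare would not).
vercmp() {
  a="${1%%-*}"; b="${2%%-*}"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    if [ "$ai" -lt "$bi" ]; then echo -1; return 0; fi
    if [ "$ai" -gt "$bi" ]; then echo 1; return 0; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  echo 0
}

# gravity_smtp_status VERSION: prints "vulnerable" for anything below 2.1.5,
# "patched" for 2.1.5 or later.
gravity_smtp_status() {
  if [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]; then
    echo vulnerable
  else
    echo patched
  fi
}

# check_site: reads the live version via WP-CLI (assumed slug: gravitysmtp)
# when wp is on PATH; otherwise explains that only the offline check ran.
check_site() {
  if command -v wp >/dev/null 2>&1; then
    if v="$(wp plugin get gravitysmtp --field=version 2>/dev/null)"; then
      echo "Gravity SMTP $v: $(gravity_smtp_status "$v")"
    else
      echo "gravitysmtp is not installed on this site"
    fi
  else
    echo "wp-cli not found; run gravity_smtp_status <version> manually"
  fi
}

check_site
```

A "vulnerable" verdict is only half the job: because the system report exposes API keys and tokens, any site that reports an unpatched version during the exploitation window should have its email-service credentials rotated after the update, not just the plugin upgraded.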