Gravity SMTP WordPress plugin flaw (CVE-2026-4020) exposes API keys

incidentopenJun 17, 2026 — Jun 20, 2026

A critical flaw in the Gravity SMTP WordPress plugin is being actively exploited, exposing live API keys to unauthenticated attackers Intelligence briefing updated Jun 20, 2026

CVE-2026-4020 7.5

Root sourcewww.wordfence.com

Timeline Coverage

Swipe to explore timeline

#2 Jun 20, 2026, 10:46 AM

thehackernews.com
Gravity SMTP WordPress Plugin flaw exposes API keys, urging patch
#1 Jun 17, 2026, 08:12 PM

securityonline.info
Critical flaw in Gravity SMTP (CVE-2026-4020) exposes API keys