ctipilot.ch

CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

An unauthenticated information-disclosure flaw in the Gravity SMTP plugin (all versions through 2.1.4) lets an attacker dump the configured email-connector credentials (SMTP, SendGrid, Mailgun and similar API keys), and it is being mass-exploited (GitHub Advisory GHSA-jxfc-8wcq-xxcg; daily 06-21). Stolen mail-sending credentials enable downstream phishing from a trusted domain. Update the plugin and rotate every credential stored in it.