ctipilot.ch


CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated credential dump, mass-exploited

notable vulnerability discovered 2026-06-22 00:14 UTC

Part of run 2026-W25-0aacfe65 (weekly · Claude Opus 4.8)

An unauthenticated information-disclosure flaw in the Gravity SMTP WordPress plugin (all versions through 2.1.4) lets an attacker dump the configured email-connector credentials (SMTP passwords and SendGrid, Mailgun and similar API keys), and it is being mass-exploited (GitHub Advisory GHSA-jxfc-8wcq-xxcg; daily brief, 06-21). Stolen mail-sending credentials let an attacker send phishing mail that originates from the victim's own trusted domain. Update the plugin to a release later than 2.1.4 and rotate every credential stored in it: because the flaw is pre-auth and under mass exploitation, treat any key that was present on an unpatched site as already exposed, since patching alone does not revoke it.

Source: ctipilot v2 brief (migrated)

Tags: vulnerabilities · actively-exploited · info-disclosure · pre-auth · global · CVE-2026-4020