Security researchers have detected active exploitation of a vulnerability in the popular Gravity SMTP WordPress plugin, allowing attackers to siphon sensitive configuration data from affected sites. The flaw, present in certain plugin versions, leaks API keys, secrets, tokens, and server information, effectively handing over the keys to the kingdom for further compromise.
The exact vulnerability details and affected version numbers have yet to be fully disclosed, but the threat is considered severe due to the value of the data exposed. With API keys and authentication tokens in hand, attackers could pivot to cloud services, email providers, or other integrated platforms, escalating a site-level breach into a broader infrastructure compromise.
Initial analysis suggests the issue lies in how the plugin handles debug logs or error reporting, inadvertently exposing configuration details in response or log files. No CVSS score has been assigned yet, and indicators of compromise have not been publicly detailed by researchers, but site owners should inspect their logs for unusual access patterns or unauthorized data exfiltration.
The plugin developer has not yet released a patch, as of the latest update. Site administrators running Gravity SMTP are urged to disable the plugin temporarily or implement a web application firewall rule to block exploitation attempts until an official fix becomes available. Reviewing and rotating any exposed credentials is also recommended.
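The article's advice to inspect logs and response dumps for exposed configuration data, and to rotate whatever turns up, can be partly automated. The following is an added illustrative example, not code from the article, the researchers, or the plugin vendor: a small Python scanner that flags credential-like strings (labelled key/value pairs, bearer tokens, and bare high-entropy tokens) in log lines and redacts them in its output so that the report itself does not become a second leak. The key names, regular expressions, entropy threshold, and the sample log lines are all constructed assumptions for illustration; no real indicators or plugin paths are known from the article, so the scanner is generic rather than specific to Gravity SMTP.

```python
"""Scan log or response dumps for credential-like strings and report them redacted.

Added example, not the article's or the plugin vendor's code. The key names,
patterns, threshold and sample lines below are constructed assumptions.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Labelled secrets: key=value or "key": "value" (key names are an assumption).
KV_PATTERN = re.compile(
    r'(?i)\b(api[_-]?key|secret|token|password|passwd|access[_-]?key)\b'
    r'\s*["\']?\s*[:=]\s*["\']?([A-Za-z0-9_\-./+=]{8,})'
)
# HTTP bearer credentials leaked into a debug log.
BEARER_PATTERN = re.compile(r'(?i)\b(bearer)\s+([A-Za-z0-9_\-./+=]{16,})')
# Bare tokens with no label: long runs of key-like characters, filtered by entropy.
TOKEN_PATTERN = re.compile(r'(?<![A-Za-z0-9_\-/+=])[A-Za-z0-9_\-/+=]{32,}(?![A-Za-z0-9_\-/+=])')


def shannon_entropy(s: str) -> float:
    """Bits per character; random secrets score higher than words or padding."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep just enough of the value to recognise it when rotating the credential."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-4:]


def find_secrets(line: str, entropy_threshold: float = 3.5) -> List[Dict[str, str]]:
    """Return suspected secrets in one line; labelled hits suppress overlapping bare-token hits."""
    findings: List[Dict[str, str]] = []
    spans: List[tuple] = []
    for pattern in (KV_PATTERN, BEARER_PATTERN):
        for m in pattern.finditer(line):
            spans.append((m.start(2), m.end(2)))
            findings.append({"kind": "labelled", "key": m.group(1).lower(), "value": redact(m.group(2))})
    for m in TOKEN_PATTERN.finditer(line):
        if any(s < m.end() and m.start() < e for s, e in spans):
            continue  # already reported under its label
        tok = m.group(0)
        if shannon_entropy(tok) >= entropy_threshold:
            findings.append({"kind": "high-entropy", "key": "", "value": redact(tok)})
    return findings


def scan_lines(lines: List[str]) -> Dict[int, List[Dict[str, str]]]:
    """Map line index -> findings, for lines that contain at least one suspected secret."""
    result: Dict[int, List[Dict[str, str]]] = {}
    for i, line in enumerate(lines):
        hits = find_secrets(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample log lines (not real plugin output or real credentials).
SAMPLE_LINES = [
    "2024-01-01 10:00:00 [debug] smtp connect host=smtp.example.test port=587",
    '2024-01-01 10:00:01 [debug] provider settings: {"api_key": "SG.ab12CD34ef56GH78ij90KL12mn34OP56qr78ST90"}',
    "2024-01-01 10:00:02 [info] mail sent to user@example.test",
    "2024-01-01 10:00:03 [debug] Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.abcdefghijklmnopqrstuvwxyz",
    "2024-01-01 10:00:04 [debug] raw response: 7f3a9c1e2b8d4f6a0c5e9b2d7a1f4c8e3b6d9a2f",
    "2024-01-01 10:00:05 [debug] padding: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LINES).items():
        for h in hits:
            label = h["key"] or "(unlabelled)"
            print(f"line {idx}: {h['kind']:12} {label:12} {h['value']}")
```

Point it at a real log by replacing `SAMPLE_LINES` with the file's lines; the entropy threshold is a starting point and will need tuning, since long English identifiers can score close to hex strings. Anything the scanner flags should be treated as exposed and rotated, as the article recommends, rather than merely deleted from the log.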
Attribution for the attacks remains unclear, but security experts warn this is low-hanging fruit for both targeted and opportunistic threat actors given WordPress's massive market share. Organizations using the plugin should treat this as an active threat requiring immediate attention.