Attackers are actively exploiting an unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, according to security researchers. The plugin, used by roughly 100,000 sites for email delivery, contains a flaw that lets anyone read sensitive plugin data without logging in.
No CVE identifier has been assigned to the bug at the time of writing. Threat actors are already exploiting it in the wild, though how many sites have been compromised is unclear. What makes the flaw serious is what it exposes: the plugin's stored mail server credentials and other configuration details.
Technical analysis shows that the exploit lets a remote attacker retrieve the stored SMTP credentials with no authentication at all. With those credentials an attacker can send spam or phishing email through the victim's mail account, which damages the domain's sender reputation and can land it on blocklists. The attack is simple to carry out: it requires only crafted HTTP requests to specific plugin endpoints, with no prior access to the site.
Plugin developer Gravity Forms has not yet released a security patch. Until a fix ships, site administrators are advised to disable the Gravity SMTP plugin; note that this also stops any outbound email the site sends through it, so a fallback mail path may be needed. Administrators should also treat any SMTP credentials the plugin stores as exposed and rotate them at the mail provider, since an attacker keeps whatever was already retrieved, and should monitor for signs of abuse of the mail account, such as unexpected outbound volume, floods of bounces, or the domain appearing on blocklists.
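As a starting point for the monitoring advice above, here is an added example (not code from the article, from the researchers, or from Gravity Forms) that triages web-server access logs for requests to the plugin's HTTP endpoints. The article does not name the endpoints, so the two path patterns in the script are placeholders to be replaced with the routes from the eventual advisory, and the log lines are constructed for the demo.

```python
"""Triage access logs for requests to a WordPress plugin's HTTP endpoints.

Added example, not from the article or from Gravity Forms. The endpoint
path patterns and the sample log lines are assumptions made for the demo.
"""
import re
from collections import Counter

# ASSUMPTION: the article does not name the vulnerable endpoints. These two
# patterns are placeholders; replace them with the real routes once published.
SUSPECT_PATHS = [
    re.compile(r"^/wp-json/gravitysmtp/", re.IGNORECASE),
    re.compile(r"^/wp-admin/admin-ajax\.php\?(?:.*&)?action=gravitysmtp",
               re.IGNORECASE),
]

# Apache/nginx "combined" log format; referer and user-agent are optional.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1842 "-" "python-requests/2.31"',
    '198.51.100.23 - - [12/Mar/2025:10:01:09 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2025:10:01:15 +0000] "POST /wp-admin/admin-ajax.php?action=gravitysmtp_export HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '192.0.2.44 - - [12/Mar/2025:10:02:40 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1842 "-" "curl/8.4.0"',
    '198.51.100.23 - - [12/Mar/2025:10:03:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_suspect(entry):
    """True when the request path (query string included) targets a plugin endpoint."""
    return any(p.search(entry["path"]) for p in SUSPECT_PATHS)


def triage(lines):
    """Return every hit on the plugin endpoints, the successful ones, and a per-IP tally.

    A 2xx answer from a credential-returning endpoint is the indicator that
    matters: the data left the server. 401/403/404 lines show probing that
    the site refused and are kept for context only.
    """
    hits, unparsed = [], 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
            continue
        if is_suspect(entry):
            hits.append(entry)
    successful = [h for h in hits if 200 <= h["status"] < 300]
    return {
        "hits": hits,
        "successful": successful,
        "by_ip": Counter(h["ip"] for h in successful),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{len(report['hits'])} endpoint hits, "
          f"{len(report['successful'])} successful, "
          f"{report['unparsed']} unparsed lines")
    for ip, n in report["by_ip"].most_common():
        print(f"  {ip}: {n} successful request(s)")
    for h in report["successful"]:
        print(f"  {h['ts']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
```

Any successful request to the endpoint from an address you do not recognise, dated before the plugin was disabled, means the stored credentials should be treated as stolen and rotated regardless of whether abuse has been observed yet; refused requests (401/403) show the site was being probed and are worth correlating with other sources.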
The campaign appears opportunistic, targeting a widely installed plugin rather than specific organizations. The incident follows a familiar pattern of attackers rapidly weaponizing disclosed vulnerabilities in popular WordPress plugins, and it underscores the supply-chain risk that third-party extensions pose to every site that installs them.