Patch now! Attacks on WordPress websites with Gravity-SMTP plugin
Attackers gain access to protected data on WordPress websites with Gravity-SMTP plugin.
(Image: solarseven/Shutterstock.com)
Attackers are currently targeting WordPress websites that run the Gravity-SMTP plugin. A security patch has been available since March of this year, but has evidently not been installed everywhere yet.
Security researchers from Wordfence are warning of the attacks in a post. According to them, the vulnerability (CVE-2026-4020, rated "medium") has been known since March of this year, and the fixed version 2.1.5 has been available since then. All earlier versions are vulnerable.
The researchers state that the plugin currently has around 100,000 active installations.
Unauthorized Access
The entry point is an insufficiently protected REST API endpoint: attackers can query it without any authentication, retrieve detailed system configuration with a single HTTP GET request, and use that information to prepare further attacks.
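The class of bug described above, an unauthenticated REST route that hands out configuration, is easy to reproduce in plugin code and just as easy to check for. The following is an added example written for this article; it is not code from Gravity SMTP or from the Wordfence post, and the namespace, route names and option key are placeholders. It shows a route whose permission_callback lets every caller through, beside the hardened registration that requires the manage_options capability and redacts secrets before they leave the server.

```php
<?php
// Added example, not Gravity SMTP's code. Namespace 'example-smtp/v1',
// the route paths and the option key 'example_smtp_settings' are placeholders.

add_action( 'rest_api_init', function () {
    // VULNERABLE: '__return_true' makes the permission check succeed for every
    // caller, so an anonymous GET to /wp-json/example-smtp/v1/settings-insecure
    // returns the whole option array, credentials included.
    register_rest_route( 'example-smtp/v1', '/settings-insecure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: only users who may manage options (administrators) pass the
    // check; anonymous callers get a 401 rest_forbidden response, logged-in
    // users without the capability get 403. The callback also strips secrets.
    register_rest_route( 'example-smtp/v1', '/settings', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_smtp_get_settings_redacted',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Returns the stored settings unchanged (what the insecure route exposes).
function example_smtp_get_settings() {
    return rest_ensure_response( get_option( 'example_smtp_settings', array() ) );
}

// Returns the settings with credential fields masked, so even an authorised
// reader cannot pull raw SMTP passwords or API keys out of the REST API.
function example_smtp_get_settings_redacted() {
    $settings = get_option( 'example_smtp_settings', array() );
    foreach ( array( 'password', 'api_key', 'client_secret' ) as $secret ) {
        if ( isset( $settings[ $secret ] ) && '' !== $settings[ $secret ] ) {
            $settings[ $secret ] = '********';
        }
    }
    return rest_ensure_response( $settings );
}
```

Two practical notes. First, since WordPress 5.5 a route registered without any permission_callback triggers a _doing_it_wrong notice but is still served, so "forgot the callback" and "callback returns true" are equally exposed; grep your own plugins for both. Second, the quickest external check is an anonymous request such as `curl -s -o /dev/null -w '%{http_code}' https://example.com/wp-json/example-smtp/v1/settings` (placeholder host and route): a configuration endpoint that answers 200 to a logged-out client is the pattern this article is warning about, while 401 is the expected result for the hardened route.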
The security researchers state that they have already documented 17 million attack attempts. Admins should therefore act quickly and update their instances. The post provides detailed information about the vulnerability and also lists indicators of compromise (IoCs), such as attacking IP addresses, which admins can use to identify systems that have already been targeted.
(des)