Urgent Warning: Hackers Actively Exploiting Critical Flaw in Gravity SMTP WordPress Plugin
- Nishadil
- June 20, 2026
Gravity SMTP Bug Under Attack: Your WordPress Site Might Be Leaking Sensitive Data
Bad news for WordPress site owners using Gravity SMTP: a critical information disclosure vulnerability in the plugin is being actively exploited. Attackers are using it to read sensitive server data, which can pave the way for a full site compromise. If you're running version 1.0 or 1.0.1, update to 1.0.2 immediately.
Alright, let's get straight to it. If you're running a WordPress site and happen to be using the Gravity SMTP plugin, I've got some rather urgent news for you. There's a nasty information disclosure vulnerability – essentially, a security hole that spills secrets – that hackers are actively, right this very minute, exploiting in the wild. It’s not just a theoretical threat; it’s happening, and your site could be next if you're not careful.
So, what exactly does this mean for you? The flaw, present in versions 1.0 and 1.0.1 of the Gravity SMTP plugin, lets an unauthenticated visitor pull sensitive configuration details off your server. We're talking about file paths on your system and, in some cases, even an encryption key. Think of it as someone being able to peek through your window and see exactly where you keep your important documents.
The attack itself is not sophisticated. Attackers send a single HTTP GET request to an unprotected REST endpoint in the plugin, /?rest_route=/gravity-smtp/v1/log. That route was meant for the plugin's logging feature, but it was never properly secured with a permission check, so anyone who knows the URL can call it. The response is incredibly useful to an attacker: the full path to your log file and, potentially, an encryption key. The path matters because it tells an attacker exactly which file to go after, and those log files can contain all sorts of sensitive data, including email addresses, mail server connection details, and other details that can be chained into further, more damaging attacks, up to and including a full site compromise.
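Two practical checks follow from the description above: has anyone already hit that route on your site, and does the route still answer unauthenticated requests? The script below is an added example written for this article, not code from the plugin or from Patchstack. It scans web-server access log lines in the Apache/nginx "combined" format (an assumption about your server) for requests to the /gravity-smtp/v1/log route, catching both the ?rest_route= form from the article and the percent-encoded and /wp-json/ permalink variants, and it classifies the status and body you get back when you request the route yourself. The log lines and response bodies are constructed samples; the rule that a 200 with a JSON body means the endpoint is exposed and a 401/403 means it is protected is an assumption, since the article does not describe the patched response. Only run the probe against sites you own.

```python
"""Hunt for probes of the Gravity SMTP log route in access logs, and interpret
a self-test response. Example code for this article; all sample data below is
constructed."""
import json
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlparse

# Route from the article. Matching is done on the decoded value so that
# percent-encoded variants (%2Fgravity-smtp%2Fv1%2Flog) are caught as well.
VULN_ROUTE = "/gravity-smtp/v1/log"

# Apache/nginx "combined" log format (assumption about the server's config).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    target: str
    status: int


def probe_url(site_base: str) -> str:
    """Build the unauthenticated request URL described in the article."""
    return site_base.rstrip("/") + "/?rest_route=" + VULN_ROUTE


def targets_vuln_route(target: str) -> bool:
    """True if a request target points at the Gravity SMTP log route, either
    via ?rest_route= (any percent-encoding) or the /wp-json/ permalink form."""
    parsed = urlparse(target)
    path = unquote(parsed.path).rstrip("/")
    if path.endswith("/wp-json" + VULN_ROUTE):
        return True
    # parse_qs already decodes once; unquote again to catch double-encoding.
    for route in parse_qs(parsed.query).get("rest_route", []):
        if unquote(route).rstrip("/") == VULN_ROUTE:
            return True
    return False


def hunt_access_log(lines):
    """Return a Hit for every parseable log line that requested the route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and targets_vuln_route(m["target"]):
            hits.append(Hit(m["ip"], m["ts"], m["method"], m["target"], int(m["status"])))
    return hits


def classify_probe_response(status: int, body: str) -> str:
    """Interpret the reply to an unauthenticated request of the route.
    Assumption: 200 + JSON body = data exposed; 401/403 = permission check
    in place; anything else needs a manual look."""
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            json.loads(body)
            return "exposed"
        except ValueError:
            return "unknown"
    return "unknown"


# Constructed sample log: two probes of the route (one percent-encoded), one
# attempt via the permalink form that was refused, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jun/2026:10:15:01 +0000] "GET /?rest_route=/gravity-smtp/v1/log HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '203.0.113.7 - - [20/Jun/2026:10:15:02 +0000] "GET /?rest_route=%2Fgravity-smtp%2Fv1%2Flog HTTP/1.1" 200 5123 "-" "curl/8.0"',
    '198.51.100.4 - - [20/Jun/2026:10:16:40 +0000] "GET /wp-json/gravity-smtp/v1/log HTTP/1.1" 403 87 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Jun/2026:10:17:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in hunt_access_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.ip} {hit.method} {hit.target} -> {hit.status}")
    print("self-test URL:", probe_url("https://example.com"))
```

A 200 hit in your logs from before you patched means the path and any key the endpoint returns should be treated as known to the attacker; a 403 hit is someone trying after the fix or against a protected install. Feed the script your real access log with `hunt_access_log(open(path))` and review every hit's source IP and timestamp.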
This isn't a niche problem either. According to the stats from WordPress.org, the Gravity SMTP plugin has over 9,000 active installations. That's a lot of websites potentially at risk! Security researchers at Patchstack were the ones who initially flagged this issue, and thankfully, the plugin's developers have been quick to respond with a fix. But as always, it’s up to individual site owners to take action.
So, what's the bottom line? If your WordPress site is running Gravity SMTP, update it immediately. The patched version, 1.0.2, closes this loophole. Don't drag your feet on this; leaving your site vulnerable could lead to a full compromise, data theft, or your site being used to launch attacks on others. Head to your WordPress dashboard, go to 'Plugins,' and hit 'Update' for Gravity SMTP. If no update is offered, don't assume you're safe: confirm that the installed version shown on the Plugins page is 1.0.2 or later. And since the flaw exposes mail server connection details and potentially an encryption key, check your web server's access logs for requests to the /gravity-smtp/v1/log route; if you find any from before you patched, treat the SMTP credentials and any key the endpoint could have returned as compromised and rotate them.
In the grand scheme of things, this is yet another stark reminder of why keeping all your WordPress plugins, themes, and core installation up-to-date is non-negotiable. Cyber threats are constant, and staying proactive is your best defense. Stay safe out there!
- UnitedStatesOfAmerica
- News
- Technology
- Security
- TechnologyNews
- Vulnerability
- ComputerSecurity
- CybersecurityThreat
- Wordpress
- WebsiteSecurity
- Infosec
- ActiveExploitation
- ActivelyExploited
- InformationDisclosure
- Plugin
- WordpressSecurity
- GravitySmtp
- AvadaBuilder
- GravitySmtpVulnerability
- PluginExploit
- WordpressUpdate
- PatchstackReport
- WordpressPluginBug
Editorial note: Nishadil may use AI assistance for news drafting and formatting. Readers can report issues from this page, and material corrections are reviewed under our editorial standards.