
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Cybersecurity experts have uncovered a concerning vulnerability in the Gravity SMTP WordPress plugin that allows hackers to expose sensitive API keys. The flaw was discovered by researchers at NetworkUstad, a leading cybersecurity news outlet, who have warned WordPress site owners to urgently update the plugin to the latest version.

Gravity SMTP Plugin Vulnerability Exposes API Keys

The Gravity SMTP plugin, which is used by over 200,000 WordPress websites to manage email delivery, contains a security bug that can be exploited by attackers to gain access to the plugin’s API keys. These API keys are used to authenticate connections to external email services, and if compromised, can allow hackers to send malicious emails from the affected websites.

How the Vulnerability Works

The vulnerability lies in the way the Gravity SMTP plugin handles and stores its API keys. Researchers found that the plugin was storing these sensitive credentials in the WordPress database in plain text, without any encryption or obfuscation. This makes it relatively easy for attackers to locate and extract the API keys, especially if they have already gained some level of access to the WordPress site.
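To make the plaintext-storage problem concrete, here is an added PHP example written for this article; it is not code from the Gravity SMTP plugin and does not claim to reproduce how that plugin stores its credentials. It contrasts the pattern the researchers describe (the API key written verbatim into `wp_options`) with an encrypt-at-rest alternative using PHP's bundled libsodium extension. The option name `my_plugin_api_key`, the constant `MY_PLUGIN_SECRET_KEY` and the function names are hypothetical; `update_option()`, `get_option()` and the `sodium_*` functions are real WordPress and PHP APIs.

```php
<?php
// Added example (not Gravity SMTP's code): plaintext credential storage in
// wp_options versus encrypting the credential with a key that lives outside
// the database. Assumes WordPress is loaded (update_option/get_option) and
// that wp-config.php defines the hypothetical constant MY_PLUGIN_SECRET_KEY,
// e.g. generated once with: base64_encode(sodium_crypto_secretbox_keygen())

// --- Vulnerable pattern: the raw API key lands in the database ---
function insecure_save_api_key(string $api_key): void {
    // Anyone who can read wp_options (SQL injection, leaked backup,
    // exposed database dump) now holds the usable credential.
    update_option('my_plugin_api_key', $api_key, false);
}

// --- Hardened pattern: key material is kept out of the database ---
function my_plugin_encryption_key(): string {
    if (!defined('MY_PLUGIN_SECRET_KEY')) {
        throw new RuntimeException('MY_PLUGIN_SECRET_KEY is not defined in wp-config.php');
    }
    // The constant holds a base64-encoded 32-byte secretbox key.
    $key = base64_decode(MY_PLUGIN_SECRET_KEY, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MY_PLUGIN_SECRET_KEY must be a base64-encoded 32-byte key');
    }
    return $key;
}

function secure_save_api_key(string $api_key): void {
    // A fresh random nonce per write; the nonce is not secret and is stored
    // alongside the ciphertext so the value can be decrypted later.
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($api_key, $nonce, my_plugin_encryption_key());
    update_option('my_plugin_api_key', base64_encode($nonce . $cipher), false);
}

function secure_load_api_key(): ?string {
    $stored = get_option('my_plugin_api_key');
    if (!is_string($stored) || $stored === '') {
        return null;
    }
    $blob = base64_decode($stored, true);
    if ($blob === false || strlen($blob) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null; // not something this code wrote
    }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    // secretbox is authenticated: a tampered ciphertext or wrong key yields false
    // rather than garbage, so the caller never sends a corrupted credential.
    $plain = sodium_crypto_secretbox_open($cipher, $nonce, my_plugin_encryption_key());
    return $plain === false ? null : $plain;
}
```

The point of the hardened form is to separate the two things an attacker needs: a copy of the database no longer yields a usable key unless the attacker also has `wp-config.php`. It is defense in depth, not a cure-all; an attacker who already runs code on the web server can read both, which is why rotating the key after any suspected exposure still matters.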

Potential Impact and Affected Websites

The exposure of API keys through this vulnerability can have serious consequences for website owners. Hackers can use the compromised credentials to send spam, phishing, or malware-laden emails from the affected websites, potentially damaging their reputation and putting their users at risk. Additionally, the stolen API keys could be sold on the dark web, fueling further cybercrime activities.

Gravity SMTP Plugin Developer Response

The Gravity SMTP plugin developers have acknowledged the vulnerability and have released a patch to address the issue. In a statement, the company said, “We take the security of our plugin and the websites that rely on it very seriously. As soon as we were made aware of this vulnerability, we worked quickly to develop a fix and release an update to protect our users.”

Recommended Actions for WordPress Site Owners

WordPress site owners who are using the Gravity SMTP plugin are strongly advised to update to the latest version immediately. The update includes a fix for the vulnerability and will ensure that the API keys are properly secured. It is also recommended to change any existing API keys that may have been compromised as a result of this flaw.

Frequently Asked Questions

How can I protect my WordPress site from the Gravity SMTP plugin vulnerability?

To protect your WordPress site from the Gravity SMTP plugin vulnerability, update the plugin to the latest version immediately. This will patch the security flaw that allows hackers to exploit the plugin and expose your API keys.

What is the Gravity SMTP WordPress plugin vulnerability?

The Gravity SMTP WordPress plugin vulnerability is a security flaw that allows hackers to access and expose the API keys used by the plugin. This can lead to sensitive data being compromised on your WordPress site.

Why are hackers exploiting the Gravity SMTP plugin bug?

Hackers are exploiting the Gravity SMTP plugin vulnerability because it allows them to gain unauthorized access to the API keys used by the plugin. This enables them to potentially steal sensitive data or use the API keys for malicious purposes.

What are the best practices for securing WordPress plugins?

The best practices for securing WordPress plugins include keeping all plugins updated to the latest version, disabling or removing any unused plugins, and regularly monitoring your site for suspicious activity. It's also important to use strong passwords and two-factor authentication for your WordPress admin account.