A security update for the WordPress plugin Gravity SMTP has been available since late March, but many admins apparently have not yet deployed it. Security researchers at Wordfence are now warning of active attacks exploiting a vulnerability (CVE-2026-4020, risk level “medium”). All versions prior to 2.1.5 are affected.
The flaw lies in a REST API endpoint with insufficient access control: without authentication, attackers can retrieve detailed system configuration data and use it to stage further attacks. According to Wordfence, its researchers have already documented 17 million attack attempts. The plugin is used on around 100,000 active WordPress installations.
Admins should update their instances to version 2.1.5 immediately. Wordfence has published specific guidance in a blog post on detecting compromises, including IP addresses that indicate attacks.
Source: www.heise.de