Threat actors are actively exploiting an unauthenticated information disclosure bug in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 websites.
■ Vulnerability Details
The flaw allows attackers to access sensitive information without requiring authentication. The vulnerability affects the Gravity SMTP plugin, a popular email delivery solution for WordPress sites.
■ Active Exploitation
Security researchers have confirmed that the bug is currently being exploited in the wild. The unauthenticated nature of the vulnerability significantly lowers the barrier to attack, as threat actors need no credentials or access to a compromised account.
■ Scale of Impact
With roughly 100,000 active installations, the plugin's widespread adoption means a substantial number of websites face potential exposure. The exact information disclosed by the vulnerability has not been fully detailed in initial reports, though information disclosure flaws typically expose configuration details, API keys, or user data.
■ Immediate Action Required
Website administrators using Gravity SMTP should prioritize updating to a patched version if available. Given the active exploitation, delays in patching increase the risk of data compromise.
■ Security Implications
This incident underscores ongoing risks in the WordPress plugin ecosystem. While WordPress remains a target for attackers due to its market dominance, third-party plugins often introduce security gaps. Users should maintain an inventory of installed plugins, monitor security advisories, and apply updates promptly.
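As an added example (not from the original article), the inventory-and-update check that paragraph recommends can be automated around WP-CLI's `wp plugin list --format=json` output. The script below parses a constructed sample of that output, cross-references it against a hypothetical advisory list of minimum patched versions, and reports every plugin that either has a pending update or runs below the patched version. The plugin slugs, versions and advisory entries are placeholders; they are not the real Gravity SMTP slug or version numbers.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (not real site data).
# Field names follow WP-CLI's plugin list; the slugs are illustrative placeholders.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "example-smtp-plugin", "status": "active", "update": "available", "version": "1.0.0"},
    {"name": "example-seo", "status": "active", "update": "none", "version": "4.2.1"},
    {"name": "example-gallery", "status": "inactive", "update": "available", "version": "2.0.0"},
])

# Constructed advisory feed: plugin slug -> minimum patched version (hypothetical values).
ADVISORIES = {"example-smtp-plugin": "1.1.0"}


def parse_version(v):
    """Turn '1.2.3' into a comparable tuple; non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def plugins_needing_attention(plugin_list_json, advisories):
    """Return plugins with a pending update or a version below the advisory's patched version.

    Inactive plugins are deliberately not skipped: their files stay on disk and may
    still be reachable, so they belong in the same update queue as active ones.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        reasons = []
        if plugin.get("update") == "available":
            reasons.append("update available")
        patched = advisories.get(plugin["name"])
        if patched and parse_version(plugin["version"]) < parse_version(patched):
            reasons.append(f"below patched version {patched}")
        if reasons:
            findings.append({
                "name": plugin["name"],
                "status": plugin["status"],
                "version": plugin["version"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    # In practice, pipe real output in: wp plugin list --format=json | python3 check_plugins.py
    for f in plugins_needing_attention(SAMPLE_WP_PLUGIN_LIST, ADVISORIES):
        print(f"{f['name']} ({f['status']}, {f['version']}): {', '.join(f['reasons'])}")
```

Run on a real site by feeding the output of `wp plugin list --format=json` into the script and maintaining the advisory map from the vendor or WordPress security feeds you follow; the version comparison catches a site whose update has been pinned or deferred even when WP-CLI's own `update` field is stale.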
Plugin developers and the WordPress community continue to grapple with the trade-off between functionality and security. Regular security audits and responsible disclosure practices remain critical for reducing such vulnerabilities.
Three decades of attempting to restrict cybersecurity software exports have consistently failed, raising questions about whether new controls on Anthropic's Mythos model will be any different.
Dutch chipmaking equipment maker ASML has refuted claims that one of its advanced EUV lithography systems was shipped to China, following questions from U.S. Commerce Secretary Howard Lutnick.
John Edwards, chair of the UK's Information Commissioner's Office (ICO) and the country's data and AI regulator, has resigned following a workplace investigation.
Signal President Meredith Whittaker has raised concerns about the concentration of power in big tech companies, stating that a handful of firms can make decisions that undermine collective cybersecurity.