If your site uses Gravity SMTP to handle transactional email, it is exposed to an actively exploited vulnerability right now. The flaw, a Sensitive Information Exposure weakness in a plugin with an estimated 100,000 active installations, was publicly disclosed on 30th March 2026. Attackers can extract sensitive information from the outside, anonymously, against any unpatched installation — no login, no account, no prior access required.
That is the operational reality your business is sitting in if Gravity SMTP is installed and has not been updated.
Most security incidents involve some level of prior access: a phished password, a compromised admin account, a brute-forced login. This flaw requires none of that. An attacker scanning the web for vulnerable Gravity SMTP installations can pull sensitive data without ever touching a login form, which is what makes “unauthenticated” the most consequential word in the disclosure.
Wordfence identified and disclosed the vulnerability through its Bug Bounty Programme, which pays researchers up to $1,200 per qualifying submission. That programme exists because plugin vulnerabilities are discovered constantly, and the gap between discovery and exploitation is shrinking. Once a flaw is public, attackers move fast.
The WP Maps Pro situation illustrates exactly how fast. A separate plugin vulnerability that allowed attackers to create full administrator accounts on targeted sites drew 2,858 exploitation attempts, all recorded and blocked by Wordfence, in a single 24-hour window. Disclosure happens, automated scanners identify vulnerable installations across the web within hours, and attacks follow immediately. The Gravity SMTP flaw is confirmed as actively exploited, so the window for a quiet, low-risk update has already closed.
What happens after an attacker extracts sensitive information depends on what that information contains. SMTP credentials, API keys, and configuration data are valuable on their own, and where they are reused elsewhere or reveal further weaknesses in the site they give an attacker a route to escalate. Once an attacker has administrative access to a WordPress site, the documented consequences include uploading webshells, altering site content, deploying backdoors, and pivoting into the wider hosting environment. A backdoor is particularly damaging because it can survive a standard site recovery: restoring a backup, updating every plugin, and resetting every password only removes it if the backup predates the intrusion and the backdoor lives inside what you restored. Persistence placed elsewhere, such as a must-use plugin, an edited wp-config.php, an extra administrator user in the database, a scheduled task, or a hosting or FTP account, outlives all of it, and the attacker retains access after you believe the problem is resolved.
A compromised WordPress site creates reputational and operational consequences that run separately from whatever the attacker does with the access they gain.
If your site collects customer data, processes enquiries, or handles any form of transaction, a breach creates disclosure obligations. Customer trust, once broken by a publicly known incident, is difficult to rebuild. Search engines and browsers flag compromised domains — Google can delist a site, or mark it as dangerous, based on malicious content or redirects injected by an attacker. If an attacker uses your SMTP credentials to send spam or phishing at volume, your email domain’s sender reputation is destroyed, which affects every legitimate email your business sends going forward.
The plugin itself is an email infrastructure tool. Gravity SMTP exists to manage how your WordPress site sends email: contact form notifications, order confirmations, password resets, customer communications. Compromised SMTP credentials threaten your sender reputation, your deliverability, and the integrity of every automated email your business sends — the damage extends well beyond the site itself.
Business owners often assume that because their site looks fine, it has not been touched. Attackers who install backdoors or harvest credentials have no reason to deface a site. A site that looks and functions normally can be actively compromised, and the absence of visible symptoms is not a reliable indicator of security.
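Since a clean-looking site proves nothing, the check has to be made against the installation itself. The script below is an added triage example, not code from the original article and not Gravity SMTP's own tooling: it reads the installed version of a plugin from its header, compares it with the version you know to be fixed, and then looks in the places a plugin update does not touch (PHP under wp-content/uploads, must-use plugins, webshell idioms in any PHP file, and recently changed PHP). The plugin slug `gravitysmtp`, the fixed version passed on the command line, and the webshell patterns are assumptions for illustration; take the real slug and fixed version from your plugins directory and the advisory.

```python
"""Triage a WordPress install: is a plugin at or above its fixed version, and do the
usual persistence spots show anything an update alone would not remove?"""
import re
import sys
import time
from pathlib import Path
from typing import Dict, List, Optional

# "Version:" line of a plugin's main-file header comment (standard WordPress header).
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)

# Constructed, non-exhaustive set of PHP dropper/webshell idioms (assumption: tune to taste).
_SHELL_PATTERNS = [
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
]


def parse_version(header_text: str) -> Optional[str]:
    """Pull the Version: value out of a plugin header block, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(v: str) -> tuple:
    """Comparable tuple: numeric segments as ints; pre-release tags sort below a final release."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed, padding shorter versions so '1.2' equals '1.2.0'."""
    a, b = version_key(installed), version_key(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def installed_plugin_version(plugin_dir: Path) -> Optional[str]:
    """Version of the plugin whose main file (the .php carrying 'Plugin Name:') is in plugin_dir."""
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            return parse_version(head)
    return None


def scan_persistence(wp_root: Path, recent_days: int = 7, now: Optional[float] = None) -> Dict[str, List[str]]:
    """Look where backdoors usually live: PHP under uploads (should never exist), mu-plugins
    (auto-loaded and never listed as 'active'), webshell idioms, and recently modified PHP."""
    now = time.time() if now is None else now
    content = wp_root / "wp-content"
    keys = ("php_in_uploads", "mu_plugins", "shell_patterns", "recently_modified")
    findings: Dict[str, List[str]] = {k: [] for k in keys}
    uploads = content / "uploads"
    if uploads.is_dir():
        findings["php_in_uploads"] = sorted(
            str(p.relative_to(wp_root)) for p in uploads.rglob("*")
            if p.is_file() and p.suffix.lower() in (".php", ".php5", ".phtml", ".phar"))
    mu = content / "mu-plugins"
    if mu.is_dir():
        findings["mu_plugins"] = sorted(str(p.relative_to(wp_root)) for p in mu.rglob("*.php"))
    for p in sorted(wp_root.rglob("*.php")):
        rel = str(p.relative_to(wp_root))
        data = p.read_bytes()
        if any(pat.search(data) for pat in _SHELL_PATTERNS):
            findings["shell_patterns"].append(rel)
        if now - p.stat().st_mtime < recent_days * 86400:
            findings["recently_modified"].append(rel)
    return findings


def triage(wp_root: Path, plugin_slug: str, fixed_version: str) -> dict:
    """Installed version, whether it is at/above the fixed version (None if not installed), and IoCs."""
    installed = installed_plugin_version(wp_root / "wp-content" / "plugins" / plugin_slug)
    return {
        "installed": installed,
        "patched": None if installed is None else is_patched(installed, fixed_version),
        "findings": scan_persistence(wp_root),
    }


if __name__ == "__main__":
    # Example: python wp_triage.py /var/www/html gravitysmtp 1.0.1  (slug and version assumed)
    if len(sys.argv) != 4:
        sys.exit("usage: wp_triage.py /path/to/wordpress <plugin-slug> <fixed-version>")
    for k, v in triage(Path(sys.argv[1]), sys.argv[2], sys.argv[3]).items():
        print(f"{k}: {v}")
```

A hit in `php_in_uploads` or `shell_patterns` is worth treating as a compromise until proven otherwise; `mu_plugins` and `recently_modified` are context, since legitimate hosts and plugins use both, and the point is to compare them against what you expect to be there rather than to panic at every entry.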
The question worth asking is whether your current WordPress support arrangement includes proactive monitoring for vulnerabilities like this one, or whether you find out about active exploitation after the fact. If you manage your WordPress site yourself, or rely on a hosting provider's standard support, the answer is almost certainly the latter. Unless you are on a managed plan that explicitly includes it, your hosting provider does not audit your installed plugins against live vulnerability disclosures or update third-party plugins on your behalf, and even automatic plugin updates do not tell you whether the site was exploited before the update landed. The responsibility for keeping Gravity SMTP patched, and for checking whether it was hit before it was patched, sits with whoever manages your site.
A plugin on 100,000 sites, with an unauthenticated exploit confirmed as active, is exactly the kind of exposure that does not wait for your next scheduled maintenance window. The sites that get hit are the ones where no one is watching.
If Gravity SMTP is installed on your WordPress site, I will check your installation, confirm whether you are running the patched version, and assess whether any indicators of compromise are already present. Given that exploitation of this vulnerability is confirmed and ongoing, waiting until your next scheduled update cycle carries a specific and named consequence: an attacker extracting sensitive data from your site, potentially including SMTP credentials that give them access to your email infrastructure. Contact The WordPress Guy to arrange a check now.
Jason Boyd
Specialist WordPress Engineer · Former W3C Invited Expert · 20+ years
I fix the WordPress problems other developers walk away from. Backed by a 1st Class degree in Computer Science, an MSc in Cybersecurity, and over 20 years of specialist WordPress work, I diagnose issues at their root cause and resolve them permanently — for businesses that cannot afford guesswork or repeat failures.
If this article describes your situation, I can diagnose the specifics and fix it properly. Send your brief and I'll respond the same working day.