TL;DR: Wordfence blocked 17M+ attempts to exploit a Gravity SMTP bug that leaks API keys and system data from WordPress sites without authentication. CVE-2026-4020 exposes a REST API endpoint with no authentication check, returning 365 KB of JSON containing email service credentials, database details, and the full software stack to anyone who asks.
Hackers are mass-exploiting a Gravity SMTP flaw to steal API keys from 100,000 WordPress sites | Huntaegis