HeadlineSift

Hackers Actively Exploit Unauthenticated Flaw in Gravity SMTP WordPress Plugin

First reported: 7h ago • Updated: 7h ago • 1 source covering


📋 Summary

Threat actors are actively exploiting an unauthenticated information disclosure vulnerability in Gravity SMTP, a WordPress plugin installed on approximately 100,000 websites. The flaw allows attackers to access sensitive information without requiring any login credentials, making it particularly dangerous at scale. Reported by BleepingComputer on June 19, 2026, the exploitation is already underway, meaning site owners face an immediate and active threat rather than a theoretical one. The incident highlights ongoing risks posed by vulnerabilities in widely used WordPress plugins, which collectively represent a major attack surface for the global web ecosystem. Website administrators using Gravity SMTP are urged to patch or mitigate the vulnerability immediately.

💡 Why It Matters

With 100,000 active installations, a remotely exploitable, unauthenticated vulnerability in Gravity SMTP represents a significant threat to a large number of websites and their users. Active exploitation means the window for safe remediation is already closing, and affected sites may already be compromised. This story underscores the persistent security risks in the WordPress plugin ecosystem, which powers a substantial portion of the internet.

Impact: HIGH • Confidence: LOW

👍 Positive Impact

Public disclosure of the vulnerability enables website administrators to take immediate protective action, and security researchers and vendors can accelerate patch development and distribution.

👎 Negative Impact

Website owners using Gravity SMTP are at immediate risk of data exposure. Visitors and customers of affected sites may have their information compromised. The unauthenticated nature of the flaw means no barrier exists to exploitation, increasing the likelihood of widespread harm.

Affected Groups

| Group | Impact | Direction |
| --- | --- | --- |
| WordPress site owners using Gravity SMTP | high | negative |
| Website visitors and customers | high | negative |
| Cybersecurity professionals | medium | neutral |
| Threat actors / hackers | medium | positive |

Confidence Reasoning

Only a single source covers this story, with no official statements or corroborating reports. The clustering confidence is 0/100, and no independent verification is available. Core facts appear credible given the source (BleepingComputer), but details remain limited.

Neutrality Assessment

Coverage comes from a single, generally reputable cybersecurity news outlet (BleepingComputer). The reporting appears factual and technical in nature with no obvious bias. However, the lack of multiple sources or official statements limits the ability to fully assess neutrality or accuracy.

⚠️ Risk Warning

Active exploitation is reported; website administrators should treat this as an urgent security matter requiring immediate action.


Sources & Attribution

BleepingComputer

Original Articles (1)

Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin
BleepingComputer · Bill Toulas · Friday, June 19, 2026 8:25 PM

AI-generated analysis using claude-sonnet-4-6 • 7h ago