Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

Threat actors are exploiting an unauthenticated information disclosure vulnerability in the WordPress plugin Gravity SMTP, active on 100,000 sites.

The flaw is tracked as CVE-2026-4020 and received a medium severity rating. It affects all versions of the plugin up to and including 2.1.4 and has been addressed in version 2.1.5, released on March 17.

WordPress security company Defiant is warning that hackers are actively exploiting the vulnerability. The company’s Wordfence firewall has blocked more than 17 million attempts against protected customers.
