22 June 2026
Reference: CVE-2026-4020
1. What is being reported?
The Gravity SMTP plugin, used to send emails from WordPress sites, has a security weakness. It has a part of its system that anyone can access without logging in, which reveals a large amount of detailed information about your website and server setup, including secret keys used to connect services.
2. What this means in plain English
If your website uses this plugin and is not updated, attackers could gather enough information to compromise your site or other connected systems. This could lead to data theft, website downtime, or misuse of your email services.
3. Could this affect a small business?
Any small business, charity, or club using WordPress with the Gravity SMTP plugin version 2.1.4 or earlier is at risk. If you do not use this plugin, or use a newer fixed version, you are probably not affected.
4. What to do now
- Check if your WordPress site uses the Gravity SMTP plugin and note its version.
- If using version 2.1.4 or earlier, update the plugin immediately to the latest version provided by the supplier.
- Ask your website manager or IT provider to verify that no sensitive information has been exposed.
- Review your API keys and change any that might have been exposed as a precaution.
5. Ask your IT provider
Can you confirm if our WordPress site uses the Gravity SMTP plugin, and if so, has it been updated to fix the known security vulnerability CVE-2026-4020?
6. Bottom line
Update the Gravity SMTP plugin now to prevent attackers from accessing sensitive system information.
Information based on CISA KEV, NVD, and reputable security news reporting.