Security Arsenal is actively tracking a critical unauthenticated information disclosure vulnerability impacting the Gravity SMTP plugin for WordPress. With over 100,000 active installations, this plugin is currently being scanned and exploited in the wild by threat actors seeking to harvest sensitive email transmission credentials.
For defenders, the urgency is high: this is not a theoretical risk. Successful exploitation allows attackers to retrieve SMTP credentials (hostnames, usernames, and passwords/API keys) without authentication. This data serves as a beachhead for email system compromise, enabling widespread phishing campaigns or spamming operations originating from your trusted domain. Immediate remediation and credential rotation are required.
Technical Analysis
Affected Product: Gravity SMTP Plugin for WordPress
Vulnerability Type: Unauthenticated Information Disclosure
Attack Mechanics: The vulnerability exists within the plugin's handling of debugging or configuration endpoints. Improper access controls allow unauthenticated HTTP requests to retrieve logs or configuration files. These artifacts contain the plaintext credentials used to connect to external SMTP providers (e.g., SendGrid, Gmail, Postmark, or internal mail relays).
Exploitation Requirements:
- No user interaction or authentication required.
- A simple HTTP GET request to a specific vulnerable endpoint triggers the disclosure.
Impact:
- Credential Theft: Full compromise of SMTP authentication tokens.
- Trust Abuse: Attackers can send emails appearing to come from your organization.
- Bypass of Security Controls: Emails sent via the compromised SMTP server may bypass traditional email gateways that whitelist the organization's infrastructure.
Detection & Response
Defenders must assume that if the plugin was active during the exploitation window, credentials have already been exfiltrated. Detection has two parts: identifying scanning and access attempts against the plugin in web server logs, and confirming the installed plugin version on each asset.
SIGMA Rules
---
title: Potential Gravity SMTP Information Disclosure Attempt
id: 9a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects unauthenticated access attempts to Gravity SMTP plugin paths often associated with information disclosure vulnerabilities.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-exploit-info-disclosure-bug-in-gravity-smtp-wordpress-plugin/
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    product: apache
    # Note: This rule also applies to nginx if its access log is mapped to the webserver category
detection:
    # Two separate selections: a YAML mapping cannot carry the same key twice,
    # and the plugin path and the sensitive keyword must both be present (AND).
    selection_plugin:
        c-uri|contains: '/wp-content/plugins/gravity-smtp/'
    selection_keyword:
        c-uri|contains:
            - 'debug'
            - 'log'
            - 'config'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative access to the plugin dashboard (authenticated)
level: high
---
title: WordPress Plugin Enumeration via User-Agent
id: b2c3d4e5-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects scanning for WordPress plugins using automated tools, which often precedes exploitation of specific plugin bugs such as Gravity SMTP.
author: Security Arsenal
date: 2026/04/06
tags:
    - attack.discovery
    - attack.t1595
logsource:
    category: webserver
detection:
    selection_agent:
        c-useragent|contains:
            - 'wpscan'
            - 'nikto'
            - 'xenu'
    selection_uri:
        c-uri|contains: 'gravity-smtp'
    condition: all of selection_*
falsepositives:
    - Authorized penetration testing activities
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for Gravity SMTP access patterns indicating potential exploitation
// Map your specific WordPress source tables to CommonSecurityLog or Syslog
CommonSecurityLog
| where RequestURL contains "gravity-smtp"
| where RequestURL has_any ("debug", "log", "status", "test")
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, UserAgent, RequestMethod
| summarize count() by SourceIP, RequestURL, bin(TimeGenerated, 5m)
| order by count_ desc
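To show the two SIGMA rules and the KQL hunt above as one piece of executable detection logic, here is an added Python example (not code from the original advisory or from Security Arsenal). It parses Apache combined-format access log lines, applies the same two conditions (plugin path plus a sensitive keyword in the URI; scanner user agent plus the plugin slug) and then aggregates hits per source IP in 5-minute bins, as the KQL summarize does. The log lines are constructed sample data, the rule names are the example's own, and the field layout assumes the stock Apache combined format.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Same indicators as the SIGMA rules above
PLUGIN_PATH = "/wp-content/plugins/gravity-smtp/"
DISCLOSURE_KEYWORDS = ("debug", "log", "config")
SCANNER_AGENTS = ("wpscan", "nikto", "xenu")

# Constructed sample traffic (RFC 5737 test addresses, made-up user agents); not real log data.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2026:10:01:12 +0000] "GET /wp-content/plugins/gravity-smtp/debug.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [06/Apr/2026:10:01:13 +0000] "GET /wp-content/plugins/gravity-smtp/logs/ HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.7 - - [06/Apr/2026:10:02:40 +0000] "GET /wp-content/plugins/gravity-smtp/readme.txt HTTP/1.1" 200 2048 "-" "WPScan v3.8.22 (constructed sample)"
192.0.2.55 - - [06/Apr/2026:10:03:01 +0000] "GET /wp-admin/admin.php?page=gravity-smtp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [06/Apr/2026:10:09:44 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def classify(ev):
    """Return [(rule_name, level), ...] for every detection the event satisfies."""
    uri = ev["uri"].lower()
    ua = ev["ua"].lower()
    hits = []
    # Rule 1: plugin path AND a keyword associated with disclosure endpoints
    if PLUGIN_PATH in uri and any(k in uri for k in DISCLOSURE_KEYWORDS):
        hits.append(("gravity_smtp_disclosure_attempt", "high"))
    # Rule 2: known scanner user agent AND the plugin slug anywhere in the URI
    if "gravity-smtp" in uri and any(a in ua for a in SCANNER_AGENTS):
        hits.append(("wp_plugin_enumeration", "medium"))
    return hits


def bucket(ts, minutes=5):
    """Floor a timestamp to the start of its 5-minute bin, like KQL bin(TimeGenerated, 5m)."""
    return ts - timedelta(minutes=ts.minute % minutes, seconds=ts.second,
                          microseconds=ts.microsecond)


def hunt(log_text):
    """Run both rules over a log and return (alerts, per-source 5-minute counts)."""
    alerts = []
    summary = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip, never crash the hunt
        for rule, level in classify(ev):
            alerts.append({"rule": rule, "level": level, "ip": ev["ip"],
                           "uri": ev["uri"], "ts": ev["ts"]})
            summary[(ev["ip"], rule, bucket(ev["ts"]))] += 1
    return alerts, summary


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOG)
    for a in found:
        print(f"[{a['level']}] {a['rule']} {a['ip']} {a['uri']}")
    for (ip, rule, start), n in counts.most_common():
        print(f"{ip} {rule} {start:%H:%M} count={n}")
```

Only the two requests to debug/log paths and the scanner's request to the plugin directory fire; the authenticated-looking admin page request and the unrelated page do not, which is the behaviour the rules' false-positive notes intend. Run it against a real access log by replacing SAMPLE_LOG with the file's contents.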
Velociraptor VQL
-- Hunt for Gravity SMTP plugin installation and check version on disk
-- '**' recurses so sites nested at any depth under /var/www are found
SELECT FullPath, Size, Mtime
FROM glob(globs='/var/www/**/wp-content/plugins/gravity-smtp/*.php')
WHERE FullPath =~ 'gravity-smtp'
-- Note: Further parsing of the plugin file headers is required to extract exact version numbers
Remediation Script (Bash)
#!/bin/bash
# Remediation script for Gravity SMTP Vulnerability
# Checks for the plugin and attempts to identify version for triage
set -u
WEBROOT="${1:-/var/www/html}"   # pass a different web root as the first argument

echo "Checking for Gravity SMTP plugin under $WEBROOT..."
# Find plugin directories (NUL-separated so paths containing spaces survive)
mapfile -d '' PLUGIN_DIRS < <(find "$WEBROOT" -type d -name "gravity-smtp" -print0 2>/dev/null)
if [ "${#PLUGIN_DIRS[@]}" -eq 0 ]; then
    echo "Gravity SMTP plugin not found on this host."
    exit 0
fi

echo "WARNING: Gravity SMTP plugin detected."
for DIR in "${PLUGIN_DIRS[@]}"; do
    echo "Location: $DIR"
    # Read the version from the WordPress plugin header in the main plugin file
    if [ -f "$DIR/gravity-smtp.php" ]; then
        grep -i -m 1 "^[[:space:]/*#@]*Version:" "$DIR/gravity-smtp.php"
    fi
done

echo ""
echo "ACTION REQUIRED:"
echo "1. Update Gravity SMTP to the latest patched version immediately via WP Admin or WP-CLI."
echo "2. If an update is not yet available, DISABLE the plugin immediately:"
echo "   wp plugin deactivate gravity-smtp --path=/path/to/wordpress"
echo "3. ROTATE SMTP CREDENTIALS: Assume the SMTP password/API key is compromised."
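Both the VQL hunt and the Bash script above stop at locating gravity-smtp.php and leave the version check to the analyst. The following added Python example (not part of the original advisory and not Security Arsenal's code) finishes that step: it parses the standard WordPress plugin header the way WordPress's own get_file_data() does (first 8 KiB, line-anchored case-insensitive match that tolerates comment punctuation), compares the version with the first fixed release, and walks a web root to report every install. The plugin header, the versions "1.2.2" and "1.2.3", and the fixed version passed to demo() are constructed placeholders; take the real patched version from the vendor advisory.

```python
import os
import re
import tempfile

PLUGIN_SLUG = "gravity-smtp"
MAIN_FILE = "gravity-smtp.php"

# Constructed sample header in the standard WordPress plugin header format (not the real plugin).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Gravity SMTP
 * Description: Constructed sample header used only to exercise the parser.
 * Version: {version}
 */
"""


def parse_plugin_header(source, max_bytes=8192):
    """Return {'Plugin Name': ..., 'Version': ...} from a WordPress plugin header.

    Mirrors WordPress's get_file_data(): only the first 8 KiB are inspected and each
    field is matched per line, case-insensitively, allowing comment punctuation
    (spaces, tabs, '/', '*', '#', '@') before the field name."""
    head = source[:max_bytes]
    info = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                      head, re.MULTILINE | re.IGNORECASE)
        if m:
            info[field] = m.group(1).strip()
    return info


def version_tuple(version):
    """Numeric components only: '1.2.3' -> (1, 2, 3), which orders releases correctly."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed):
    """True when the installed version is older than the first fixed release."""
    return version_tuple(installed) < version_tuple(fixed)


def triage(root, fixed_version):
    """Walk a web root, find every gravity-smtp install and report its patch status."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == PLUGIN_SLUG and MAIN_FILE in filenames:
            path = os.path.join(dirpath, MAIN_FILE)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                info = parse_plugin_header(fh.read(8192))
            version = info.get("Version", "unknown")
            # An unreadable version is treated as vulnerable so it is never silently skipped
            vulnerable = version == "unknown" or is_vulnerable(version, fixed_version)
            findings.append({"path": path, "version": version, "vulnerable": vulnerable})
    return findings


def build_sample_webroot(root, versions):
    """Create one fake WordPress site per version under root (constructed test data)."""
    for i, version in enumerate(versions):
        plugin_dir = os.path.join(root, f"site{i}", "wp-content", "plugins", PLUGIN_SLUG)
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, MAIN_FILE), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_HEADER.format(version=version))


def demo(fixed_version="1.2.3"):
    """Triage two constructed sites; fixed_version is a PLACEHOLDER, not the real patched release."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root, ["1.2.2", "1.2.3"])
        return sorted((f["version"], f["vulnerable"]) for f in triage(root, fixed_version))


if __name__ == "__main__":
    for version, vulnerable in demo():
        status = "VULNERABLE: patch, then rotate SMTP credentials" if vulnerable else "patched"
        print(f"{PLUGIN_SLUG} {version}: {status}")
```

For a real fleet, call triage("/var/www", "<fixed version from the advisory>") directly; the same parser can be dropped into a Velociraptor artifact or into the Bash script's loop to replace the grep.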
Remediation
1. Immediate Patching:
Navigate to your WordPress Dashboard > Plugins and update the Gravity SMTP plugin to the latest available version immediately. If you manage multiple sites, use WP-CLI:
wp plugin update gravity-smtp --path=/path/to/wp
2. Credential Rotation (CRITICAL): Simply patching the plugin is not sufficient. The vulnerability exposes credentials in plaintext. You must:
- Log in to your SMTP provider (e.g., Google Workspace, Microsoft 365, SendGrid, AWS SES).
- Generate new SMTP passwords or API keys.
- Update the configuration in the WordPress plugin with the new credentials.
- Revoke the old credentials immediately.
3. Audit Mail Logs: Review the sent items of the compromised email account. Look for unauthorized bulk emails or suspicious activity that occurred after the plugin was installed or updated.
4. Vendor Advisory: Refer to the official Gravity Forms/Gravity SMTP advisory for the specific patched version number and detailed changelog.