Gravity SMTP WordPress Plugin (CVE‑2026‑4020) Information‑Disclosure Flaw Exposes API Keys
What It Is — A medium‑severity (CVSS 5.3) information‑disclosure vulnerability in the Gravity SMTP WordPress plugin allows unauthenticated attackers to read the plugin’s configuration file and harvest secrets such as API keys, OAuth tokens, and other credentials.
Exploitability — The flaw is publicly known, has been actively exploited in the wild, and a proof‑of‑concept exists.
Affected Products — Gravity SMTP plugin for WordPress (estimated >100 k installations).
Why It Matters for Compliance & Audit Readiness
- Vendor‑risk exposure – The plugin is a third‑party component; its compromise highlights the need for continuous vendor‑management controls under SOC 2 CC6.1.
- Audit evidence – Demonstrating that you inventory, assess, and monitor third‑party software is essential evidence for a defensible SOC 2 audit.
- Enterprise buyer expectations – Prospects now demand proof that all external dependencies are vetted and continuously monitored before signing contracts.
Recommended Actions
- Immediately update Gravity SMTP to the patched version released after CVE‑2026‑4020.
- Rotate any API keys, secrets, or OAuth tokens that were configured through the plugin.
- Conduct a third‑party component inventory and map each to SOC 2 vendor‑management controls (CC6.1).
- Deploy continuous monitoring of plugin versions and known vulnerabilities to generate audit‑ready evidence.
Source: The Hacker News