Hackers mass-exploit Gravity SMTP, stealing keys from 100,000 WordPress sites via one unauthenticated request
One HTTP request can expose API keys, OAuth tokens, and system details, and Wordfence says it blocked 17 million-plus attempts.

Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration data. Wordfence, owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity began.
Gravity SMTP, a WordPress plugin that handles site email, is being hammered by attackers who can steal sensitive credentials with almost no effort. The core issue is brutally simple: a single unauthenticated HTTP request can expose API keys, OAuth tokens, and detailed system configuration data. The reporting frames this as mass exploitation, with about 100,000 WordPress sites affected.
Wordfence, the WordPress security firm owned by Defiant, says it has blocked more than 17 million exploit attempts targeting this Gravity SMTP flaw since the malicious activity started. That number matters because it signals the attackers are not testing quietly or opportunistically: they are scanning, probing, and repeating, at a volume high enough that Wordfence’s defenses are working continuously to keep leaked credentials from cascading into larger takeovers.
To understand why this is such a board-level problem, it helps to remember what happens after credentials leak. API keys and OAuth tokens are not just “data.” They are the keys to other systems and workflows, often with permissions that are invisible to the average site operator. If a token can be used to access email services, integrations, admin tooling, or connected APIs, the attacker can pivot from “we found a hole” to “we control the machine’s trusted identity.” And because the leak includes detailed system configuration data, attackers can tailor their next moves instead of guessing.
The operational reality for WordPress businesses and operators is that plugins are the software supply chain nobody fully governs. Many organizations run WordPress because it is fast to launch and easy to iterate, but they also end up relying on third-party plugin code that varies widely in maintenance quality. In this case, the weakness is in Gravity SMTP itself, and the exposure is to anyone who sends an unauthenticated HTTP request. That means the attacker does not need a login, does not need to brute-force credentials, and does not need to win a user’s trust. The barrier to entry is near zero.
Wordfence’s role is also a signal for decision-makers. Wordfence is a security firm operating in the same ecosystem it is defending, and its ownership by Defiant underscores that these defenses are now a commercial industry in their own right. When Wordfence reports blocking more than 17 million exploit attempts, that suggests widespread scanning and exploitation attempts across many sites, not a single targeted campaign. For executives, that turns what could be a “local incident” into an ecosystem risk: even if your own site has not been compromised yet, the sustained scanning pressure on WordPress plugins raises the probability of compromise across your customer base, partners, or managed hosting environment.
There is also a regulatory and compliance angle that is increasingly hard to ignore. Credential exposure and unauthorized access can trigger breach notification obligations depending on jurisdiction, the nature of data impacted, and the affected systems. The Gravity SMTP flaw is explicitly about API keys, OAuth tokens, and system configuration data, which may or may not include personal data, but those artifacts can enable unauthorized actions that can lead to downstream data exposure. Even if the original vulnerability does not directly “steal user passwords,” credential leakage can still create audit problems: you may need to prove what was accessed, when it was accessed, and what compensating controls were applied.
The second-order implications for boards and leadership teams are about resilience, not just reaction. When exploit attempts are measured in the tens of millions and are triggered by a single unauthenticated request, patching and credential rotation become time-sensitive operational tasks, not routine housekeeping. Teams also need to think about how they monitor plugin-level risk: do they track plugin versions, enforce update windows, and have an incident response plan that includes rotating API keys and invalidating OAuth tokens? If not, the real risk is that an attacker who already extracted secrets can keep using them until they are revoked.
Finally, this is a reminder that the WordPress threat model is fundamentally different from traditional enterprise software procurement. In many organizations, the software stack is curated and controlled; in WordPress, it is modular and frequently updated by multiple parties, often without standardized governance. The Gravity SMTP vulnerability illustrates how quickly a single weakness can become an internet-wide credential harvesting problem. The strategic stake for executives who run WordPress at any scale is clear: credential exposure can turn into operational disruption, customer trust damage, and compliance churn, and the attackers appear to be moving fast enough that defenses have to assume this will not stay localized to a handful of sites.