A WordPress SMTP plugin vulnerability exposed Amazon Web Services, Google, and Mailjet API credentials to unauthenticated attackers who launched 17 million exploitation attempts in early June 2026, according to security researchers at News4Hackers. The flaw in Gravity SMTP's REST API access controls allowed attackers to retrieve detailed system configuration reports containing cloud service authentication tokens without logging in. Exploitation peaked at 4 million malicious requests within 24 hours as automated scanning tools targeted the vulnerability.
TL;DR: An authentication bypass in the Gravity SMTP WordPress plugin exposed enterprise cloud service API credentials to 17 million automated attacks in early June 2026, forcing agencies to rotate all third-party email service keys even after patching.
The vulnerability resides in Gravity SMTP's access control mechanism, which fails to enforce authentication checks on a specific API endpoint. When attackers include a particular configuration parameter in an unauthenticated HTTP request, the plugin generates a system configuration report containing server software versions, directory structures, active WordPress extensions, and cloud service integration credentials. These reports expose API tokens for AWS Simple Email Service, Google Cloud SMTP, and Mailjet, services commonly used by agencies managing white-label WordPress development projects for multiple clients.
Attack Campaign Timeline
Security researchers observed exploitation attempts intensify during the first week of June 2026, with attack volume climbing from baseline scanning traffic to sustained campaigns targeting the Gravity SMTP endpoint. The 24-hour peak of 4 million requests occurred as threat actors incorporated the vulnerability into automated credential-harvesting workflows. The exposed configuration reports provide attackers with a complete operational blueprint: plugin versions, directory paths, database prefixes, and active SMTP provider credentials.
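A check an operator can run against their own web server logs, added here as an example that is not part of the article: it tallies requests that hit the plugin's REST namespace per source address and separates the ones that received a 200 (a configuration report was most likely returned) from the ones that were rejected. The article does not name the endpoint, so the REST prefix and the five combined-format log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): tally access-log requests against a
# plugin REST prefix per source IP. REST_PREFIX and the sample log lines are
# constructed placeholders, not values taken from the article.

# Hypothetical REST namespace of the affected plugin; replace with the real path.
REST_PREFIX="${REST_PREFIX:-/wp-json/PLACEHOLDER-plugin/v1/}"

# Constructed sample log lines (Apache/nginx combined format).
SAMPLE_LOG='203.0.113.7 - - [03/Jun/2026:10:00:01 +0000] "GET /wp-json/PLACEHOLDER-plugin/v1/report?debug=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jun/2026:10:00:02 +0000] "GET /wp-json/PLACEHOLDER-plugin/v1/report?debug=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jun/2026:10:00:03 +0000] "GET /wp-json/PLACEHOLDER-plugin/v1/report?debug=1 HTTP/1.1" 200 5120 "-" "python-requests/2.31"
198.51.100.4 - - [03/Jun/2026:10:05:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jun/2026:10:06:00 +0000] "GET /wp-json/PLACEHOLDER-plugin/v1/report HTTP/1.1" 401 120 "-" "curl/8.0"'

# Read a log on stdin and print "<ip> <hits> <200s>" for every source that
# touched the prefix, busiest first. A 200 on an endpoint that should require
# authentication is the line to chase; a high count from one IP is automation.
rest_hits() {
  awk -v prefix="$1" '
    {
      # In combined format field 7 is the request path and field 9 the status.
      if (index($7, prefix) == 1) {
        hits[$1]++
        if ($9 == 200) ok[$1]++
      }
    }
    END {
      for (ip in hits) printf "%s %d %d\n", ip, hits[ip], ok[ip] + 0
    }' | sort -k2,2nr
}

# Only the sources that obtained at least $2 successful responses, i.e. the
# ones that most probably retrieved a report and now hold whatever it contained.
successful_readers() {
  rest_hits "$1" | awk -v min="$2" '$3 >= min { print $1 }'
}

# Wrappers over the constructed sample so the script runs stand-alone.
sample_hits()    { printf '%s\n' "$SAMPLE_LOG" | rest_hits "$REST_PREFIX"; }
sample_readers() { printf '%s\n' "$SAMPLE_LOG" | successful_readers "$REST_PREFIX" 1; }

# Real usage: rest_hits "$REST_PREFIX" < /var/log/nginx/access.log
sample_hits
```

Run over the real log, every address returned by `successful_readers` marks a site whose report may have been copied; that list, not the patch date, decides which credentials to treat as exposed.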
Agencies managing WordPress installations face credential exposure risk extending beyond individual sites. A single compromised API key for AWS SES or Google Workspace can grant attackers access to email infrastructure serving dozens of client domains. Threat actors who intercept these tokens can impersonate legitimate email services to distribute phishing campaigns or malware through trusted infrastructure, bypassing SPF and DKIM authentication controls that normally flag spoofed senders.

Credential Rotation Requirements
Patching the Gravity SMTP vulnerability stops future unauthorized access to configuration endpoints, but agencies cannot determine which API credentials may have been harvested before the patches were deployed. Security experts advise complete rotation of all third-party email service API secrets for any WordPress installation that ran Gravity SMTP between the vulnerability's introduction and the June 2026 patches. This rotation extends beyond WordPress credentials to the cloud service provider accounts themselves: agencies must invalidate and regenerate tokens in AWS IAM, Google Cloud Console, and Mailjet account dashboards.
The persistence risk stems from automated credential scraping. Even installations patched within hours of vulnerability disclosure may have exposed credentials to scanning bots that archive configuration data for later exploitation. Rotated credentials prevent attackers from using archived tokens to hijack email infrastructure weeks or months after initial exposure.
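The rotation described above, for the AWS SES case, as an added example that is not the article's or any provider's own script: a new IAM access key is created first, pushed to the site, and only then are the previous keys deactivated, so a rollback remains possible until the new key is proven to deliver mail. The `aws iam` subcommands are real; the IAM user name and the `push_key_to_site` step are placeholders, because how a key reaches a WordPress site depends on the plugin and the deployment tooling.

```shell
#!/bin/sh
# Added example (not from the article): two-phase rotation of the IAM access
# key behind an AWS SES integration. The user name and push_key_to_site are
# placeholders; the aws CLI commands are real.

# Pure helper: given the text output of `aws iam list-access-keys` (one row
# "ACCESSKEYMETADATA <KeyId> <CreateDate> <Status> <UserName>" per key), print
# every key id except the one just created: the set to deactivate later.
old_key_ids() {
  # $1 = listing text, $2 = freshly created key id
  printf '%s\n' "$1" | awk -v keep="$2" '$1 == "ACCESSKEYMETADATA" && $2 != keep { print $2 }'
}

# Phase 1: create the replacement key. IAM allows two keys per user, so this
# fails if an earlier rotation never cleaned up; treat that as a finding.
create_key() {
  aws iam create-access-key --user-name "$1" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Phase 2: after the site sends a test message with the new key, deactivate
# (do not delete) the old ones so the change can still be reverted.
deactivate_old_keys() {
  user="$1"; new_id="$2"
  listing=$(aws iam list-access-keys --user-name "$user" --output text)
  for id in $(old_key_ids "$listing" "$new_id"); do
    aws iam update-access-key --user-name "$user" --access-key-id "$id" --status Inactive
  done
}

# Phase 3, after a soak period: delete whatever is still inactive.
delete_inactive_keys() {
  user="$1"
  aws iam list-access-keys --user-name "$user" \
    --query 'AccessKeyMetadata[?Status==`Inactive`].AccessKeyId' --output text |
  tr '\t' '\n' | while read -r id; do
    [ -n "$id" ] && aws iam delete-access-key --user-name "$user" --access-key-id "$id"
  done
}

# Placeholder: wp-cli option update, secrets manager, CI variable, etc.
push_key_to_site() { echo "update site $1 with key $2 (placeholder)"; }

rotate() {
  user="$1"; site="$2"
  set -- $(create_key "$user")          # $1 = key id, $2 = secret
  push_key_to_site "$site" "$1" "$2"
  deactivate_old_keys "$user" "$1"
}

# Usage: rotate ses-sender-client-a /var/www/client-a   (placeholder names)
```

Deactivating rather than deleting in phase 2 is deliberate: an old key that was archived by a scanner is useless once inactive, while the agency keeps the option to re-enable it for a few minutes if the new key was pushed to the wrong site.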
Agencies deploying WordPress security baselines across client portfolios should audit Gravity SMTP installations for unpatched versions and verify that post-patch credential rotation occurred. The configuration report exposure includes SMTP authentication details that remain valid until explicitly revoked at the provider level, regardless of WordPress-side plugin updates.
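A fleet audit that covers both the version check described here and the access-control class of flaw described at the start of the article, added as an example that is not the plugin's or the article's own code: for each site it reports whether the installed plugin is older than the first patched release, then lists every REST route whose permission callback is absent or is the always-true stub. The plugin slug, patched version and site paths are placeholders; `wp plugin get`, `wp eval` and WordPress's `rest_get_server()->get_routes()` are real.

```shell
#!/bin/sh
# Added example (not from the article): WP-CLI audit across a site fleet.
# PLUGIN_SLUG, PATCHED_VERSION and the site paths are placeholders.

PLUGIN_SLUG="${PLUGIN_SLUG:-PLACEHOLDER-plugin-slug}"
PATCHED_VERSION="${PATCHED_VERSION:-0.0.0}"   # placeholder: first release with the fix

# Pure helper: true when dotted version $1 sorts before $2.
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints vulnerable / patched / absent for one site path.
plugin_status() {
  site="$1"
  installed=$(wp --path="$site" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || { echo absent; return; }
  if version_lt "$installed" "$PATCHED_VERSION"; then echo vulnerable; else echo patched; fi
}

# PHP executed inside the site: routes reachable without any capability check.
# Public read routes show up here legitimately; the review target is any entry
# that returns configuration, diagnostics or stored credentials.
OPEN_ROUTES_PHP='
foreach (rest_get_server()->get_routes() as $route => $handlers) {
  foreach ($handlers as $h) {
    $cb = $h["permission_callback"] ?? null;
    if ($cb === null || $cb === "__return_true") { echo $route, PHP_EOL; break; }
  }
}'

open_routes() { wp --path="$1" eval "$OPEN_ROUTES_PHP"; }

# Reads one site path per line on stdin.
audit_sites() {
  while read -r site; do
    [ -n "$site" ] || continue
    printf '%s %s\n' "$site" "$(plugin_status "$site")"
    open_routes "$site" | sed 's/^/    open route: /'
  done
}

# Usage: printf '%s\n' /var/www/client-a /var/www/client-b | audit_sites
```

A site reported as "patched" still needs its provider-side credentials rotated if it was ever "vulnerable" during the exposure window; the audit output only tells you where the plugin stands now.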
Access Control Audit Implications
The Gravity SMTP vulnerability demonstrates how authentication bypass flaws in WordPress plugins can expose credentials for external services that agencies integrate across multi-client infrastructure. Unlike vulnerabilities that compromise a single WordPress database or user account, SMTP credential exposure grants access to email sending infrastructure that often serves multiple domains under shared API quotas. A single exposed Google Workspace API token can compromise email deliverability for an entire agency client roster if that token controls the sending limits for all connected sites.
Agencies building white-label WordPress multi-tenant architectures should implement credential isolation strategies that limit cross-client exposure when individual sites suffer plugin vulnerabilities. Service accounts scoped to individual client domains prevent a single compromised WordPress installation from exposing SMTP credentials that control email infrastructure for unrelated clients. This containment approach mirrors the staging-production parity principles that prevent configuration drift failures from cascading across environments.
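One way to implement the per-client isolation described above for AWS SES, added as an example that is not the article's or AWS's own tooling: every client domain gets its own IAM user whose only permission is to send from addresses at that domain through that domain's verified SES identity. The account id, region and domain names are placeholders; the IAM and SES actions and the `ses:FromAddress` condition key are real.

```shell
#!/bin/sh
# Added example (not from the article): one least-privilege IAM sender per
# client domain. Account id, region, domains and user names are placeholders.

# Pure helper: the policy document for one client domain. SendRawEmail is what
# SMTP-style plugins actually invoke; the Resource pins the verified identity
# and the Condition pins the From address to that domain.
client_ses_policy() {
  domain="$1"; account="$2"; region="$3"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:${region}:${account}:identity/${domain}",
    "Condition": { "StringLike": { "ses:FromAddress": "*@${domain}" } }
  }]
}
EOF
}

# Deterministic user name derived from the domain, so audits can map key -> client.
sender_user_name() { printf 'ses-sender-%s' "$(printf '%s' "$1" | tr '.' '-')"; }

# Create the user, attach the inline policy and issue its first access key.
# Nothing here references any other client, which is the containment property.
provision_client_sender() {
  domain="$1"; account="$2"; region="$3"
  user=$(sender_user_name "$domain")
  aws iam create-user --user-name "$user" >/dev/null
  client_ses_policy "$domain" "$account" "$region" > "/tmp/${user}.json"
  aws iam put-user-policy --user-name "$user" --policy-name "ses-${domain}" \
    --policy-document "file:///tmp/${user}.json"
  rm -f "/tmp/${user}.json"
  aws iam create-access-key --user-name "$user" \
    --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Usage: provision_client_sender client-a.example 123456789012 us-east-1
```

SES SMTP passwords are derived from the IAM secret key, so the SMTP credentials a plugin stores inherit exactly this policy: a key lifted from client A's site cannot send as client B, and rotating it touches one user and one site.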
The incident follows a pattern of WordPress plugin vulnerabilities that expose third-party service credentials rather than WordPress data itself. Recent compromises targeting CDN credentials and Awesome Motive plugins demonstrated how attackers use WordPress plugin access to compromise adjacent infrastructure. Agencies must audit not only WordPress user permissions but also the external service tokens that plugins store and transmit through API endpoints.
Reading Between the Lines
White-label agencies managing WordPress deployments for multiple clients face compounding credential exposure risk when widely used plugins suffer authentication bypass vulnerabilities. The Gravity SMTP incident requires immediate action even from agencies that patched promptly: credential rotation at the cloud provider level is non-negotiable, and the manual effort scales linearly with client count. An agency managing 50 client sites with individual AWS SES accounts must rotate 50 sets of credentials across AWS IAM, WordPress configuration, and deployment documentation.
The 17 million exploitation attempts over a two-week window signal that attackers have fully automated Gravity SMTP scanning and credential harvesting. Agencies cannot assume that low-profile client sites escaped targeting; the attack volume indicates indiscriminate scanning of WordPress installations regardless of site traffic or prominence. Any installation that ran a vulnerable Gravity SMTP version between early June and patch deployment should be treated as compromised for credential rotation purposes.
This vulnerability reinforces the operational burden of third-party dependencies in white-label WordPress stacks. Agencies building reusable SMTP integration patterns across client projects should evaluate whether credential management practices contain exposure when individual plugins suffer authentication flaws. The incident cost extends beyond patching time to include credential rotation labor, client communication about temporary email disruptions during token regeneration, and audit documentation proving that all affected installations received both patches and fresh credentials.
