Digest
HIGH

Hackers Exploiting Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are actively exploiting CVE-2026-4020, a medium-severity information disclosure flaw in the Gravity SMTP WordPress plugin, installed on approximately 100,000 sites. This vulnerability allows unauthenticated attackers to extract sensitive data, including configuration data, API keys, secrets, and OAuth tokens. Users of the plugin are advised to update immediately to the patched version.
