Your WordPress Site Just Leaked Its Keys: AI Makes That Exploit Even Worse

You wouldn’t leave a spare key under the doormat in 2026. And yet, over 100,000 WordPress sites just did exactly that.

On March 30, Wordfence disclosed CVE-2026-4020 in Gravity SMTP, a plugin used to route email safely through WordPress. The flaw lets unauthenticated attackers pull configuration data, API keys, secrets, and OAuth tokens straight out of your site. The patch shipped months ago. Active exploitation is happening right now, confirmed by Wordfence, CrowdSec, and the WIU Cybersecurity Center on June 20, 2026.

That means your email provider token, your SMTP credentials, and possibly other plugin secrets are sitting in an attacker’s spreadsheet.

Why AI Changes the Stakes

Key theft used to mean manual phishing emails or slow credential-stuffing. In 2026, those stolen keys are weaponised at scale using AI.

Here is the math that should worry you: World Economic Forum data released at Davos 2026 found that 87 percent of global executives now call AI-related vulnerabilities the fastest-growing cyber risk. Enterprises scaled generative AI across their workflows 18 to 24 months ahead of the security governance needed to control it. One in three organisations deployed AI tools with no prior security validation.

Right now, an attacker with a fresh batch of API keys can use AI to craft personalised, context-aware phishing faster than a human operations team can respond. A leaked Gravity SMTP token gives them a legitimate-looking sender. A generative AI tool writes the follow-up email in perfect context. The victim clicks. That is not hypothetical. That is the current threat model.

Three Things to Do Today

First, check whether Gravity SMTP is active in your WordPress plugins. If it is, confirm it is patched. Wordfence said the patch is available; update immediately.

Second, rotate any API keys or OAuth tokens that pass through your WordPress email stack. Do not reuse the old ones anywhere else.

Third, audit which of your connected services actually need WordPress email routing. The more services tied to one plugin, the larger the blast radius if it leaks. If you do not need SMTP integration, remove it.
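The first step above, turned into a repeatable check. This is an added example, not code from the post or from the plugin's vendor: it classifies the output of WP-CLI's `wp plugin list --format=json` and tells you whether the plugin is present, active, and behind the latest release. The plugin slug `gravitysmtp` is an assumption (confirm it against your own plugin list), and "update available" is used as a proxy for "unpatched" because the post does not name the fixed version.

```python
import json
import subprocess
from typing import Optional

# Assumed slug; the post does not state it. Check `wp plugin list` on your site.
GRAVITY_SMTP_SLUG = "gravitysmtp"


def gravity_smtp_status(plugins: list[dict], slug: str = GRAVITY_SMTP_SLUG) -> dict:
    """Classify exposure from `wp plugin list --format=json` records.

    WP-CLI reports "update": "available" when a newer release exists, which
    here stands in for "not yet patched". Returns installed/active flags,
    whether an update is pending, and the recommended action.
    """
    match = next((p for p in plugins if p.get("name") == slug), None)
    if match is None:
        return {"installed": False, "active": False, "update_available": False,
                "action": "not installed: nothing to patch"}
    active = match.get("status") == "active"
    update_available = match.get("update") == "available"
    if active and update_available:
        action = "PATCH NOW, then rotate every SMTP/API/OAuth secret that passes through it"
    elif active:
        action = "current version; still rotate secrets if it was exposed before patching"
    elif update_available:
        action = "inactive but outdated: update it or delete it"
    else:
        action = "inactive and current: remove it if you do not need SMTP routing"
    return {"installed": True, "active": active, "update_available": update_available,
            "version": match.get("version"), "action": action}


def load_plugins_from_wp_cli(path: Optional[str] = None) -> list[dict]:
    """Run WP-CLI against a live install. Needs `wp` on PATH; optional --path."""
    cmd = ["wp", "plugin", "list", "--format=json"]
    if path:
        cmd.append(f"--path={path}")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


# Constructed sample records (not from a real site) so the check runs offline.
SAMPLE_PLUGINS = [
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"},
    {"name": "gravitysmtp", "status": "active", "update": "available", "version": "1.0.0"},
]

if __name__ == "__main__":
    print(gravity_smtp_status(SAMPLE_PLUGINS))
```

On a live site replace `SAMPLE_PLUGINS` with `load_plugins_from_wp_cli()`; an "active" plus "update available" result is the case the post describes.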

For site owners, plugin updates should happen the same day they are released. If you are running a business site, let that sink in: a single patched plugin is the difference between a clean audit and a data breach claim under your insurer’s cyber policy.

Enterprise AI deployment is now 18 to 24 months ahead of mature AI security governance. Attackers are exploiting that gap with stolen credentials and AI-generated social engineering. That is where we are right now.
