
Hackers exploit info disclosure bug in Gravity SMTP WordPress plugin

Hackers are exploiting a critical information disclosure flaw in the Gravity SMTP WordPress plugin, exposing sensitive mail server credentials.

By Pulse AI Editorial·Edited by Rohan Mehta·3 min read
AI-Assisted Editorial

This article is original editorial commentary written with AI assistance, based on publicly available reporting by BleepingComputer. It is reviewed for accuracy and clarity before publication. See the original source linked below.

Security researchers have detected active exploitation of a critical unauthenticated information disclosure vulnerability in Gravity SMTP, a popular WordPress plugin designed to streamline email delivery. The flaw, tracked as CVE-2024-44000, affects thousands of websites that rely on the tool to route outgoing communications. Because the vulnerability allows remote attackers to access sensitive configuration logs without requiring a password or elevated privileges, it represents a high-risk entry point for broader infrastructure compromise.

WordPress serves as the backbone for over 40% of the internet, a dominance that makes its plugin ecosystem a prime target for cybercriminals. Gravity SMTP is a relatively recent addition to the suite of tools developed by Rocketgenius, the team behind the widely used Gravity Forms. While the plugin was built to solve the chronic issue of WordPress emails failing to reach their destination by integrating with professional SMTP services, its security architecture inadvertently left a door open. Historically, SMTP plugins are high-value targets because they act as a bridge between the public-facing web server and private mail infrastructure, holding the keys to both.

The mechanics of this specific exploit center on an exposed log file that the plugin uses to track email traffic for troubleshooting. In vulnerable versions, these logs were stored in a directory accessible via a direct URL, failing to implement proper access control checks. By requesting these log files, an attacker can extract SMTP hostnames, usernames, passwords, and API keys for services like SendGrid, Mailgun, or AWS SES. Because these credentials are often reused across other corporate systems, a leak in a WordPress plugin can grant an adversary lateral movement into a company’s broader cloud environment or internal databases.
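As an added example, not code from the article or from Rocketgenius, the following Python script shows the defender's side of the mechanism described above: it scans a web server access log for direct requests into the plugin's log directory and reports, per source address, whether a log file was actually served (2xx) or blocked, which is the signal that decides whether the SMTP credentials in that log must be rotated. The log directory path is a placeholder, since the article does not give it, and the access log lines are constructed.

```python
import re
from collections import defaultdict

# PLACEHOLDER: replace with the plugin's real log directory path from the
# vendor advisory. The article does not give it, so a clearly fake one is used.
LOG_DIR_PREFIX = "/wp-content/PLUGIN-LOG-DIR-PLACEHOLDER/"

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /wp-content/PLUGIN-LOG-DIR-PLACEHOLDER/debug.log HTTP/1.1" 200 48211 "-" "curl/8.0"
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /wp-content/PLUGIN-LOG-DIR-PLACEHOLDER/mail.log HTTP/1.1" 200 9120 "-" "curl/8.0"
198.51.100.4 - - [01/May/2024:10:01:10 +0000] "GET /wp-content/PLUGIN-LOG-DIR-PLACEHOLDER/debug.log HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.9 - - [01/May/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [01/May/2024:10:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_log_access(lines):
    """Return {ip: {"served": n, "blocked": n}} for requests into the plugin
    log directory. A 2xx means the file was really handed out."""
    hits = defaultdict(lambda: {"served": 0, "blocked": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if not path.startswith(LOG_DIR_PREFIX):
            continue
        status = int(rec["status"])
        key = "served" if 200 <= status < 300 else "blocked"
        hits[rec["ip"]][key] += 1
    return dict(hits)


def credentials_exposed(hits):
    """True if any log file request succeeded: rotate SMTP passwords and API
    keys in addition to patching, because the log contents are already out."""
    return any(v["served"] > 0 for v in hits.values())
```

Run it as `find_log_access(SAMPLE_LOG.splitlines())` and feed the result to `credentials_exposed` to get a per-site rotate/no-rotate decision; a blocked (403/404) request is a probe worth noting, a served one is a disclosure.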

The implications for the digital marketing and cybersecurity industries are significant. Beyond the immediate threat of data theft, compromised SMTP credentials allow threat actors to hijack a brand’s legitimate email reputation. Once an attacker gains control of a site's mail server settings, they can distribute phishing campaigns or malware that bypass traditional spam filters because the emails originate from a trusted, authenticated domain. This "shadow mailing" can lead to a domain being blacklisted globally, causing long-term damage to a company’s deliverability and customer trust that can take months of forensic work to repair.

From a regulatory perspective, this incident highlights the growing scrutiny on "supply chain" security within the open-source and modular web ecosystem. As data privacy laws like GDPR and CCPA impose heavy fines for the exposure of sensitive credentials, the responsibility falls on site administrators to maintain rigorous patching schedules. However, the Gravity SMTP exploit underscores a recurring structural weakness: many administrators install plugins for convenience but lack the automated monitoring systems to detect unauthorized access to underlying log files. This creates a "set it and forget it" mentality that hackers are increasingly adept at exploiting.

Moving forward, the industry should watch for a shift toward "zero-log" defaults in WordPress development. Developers are under increasing pressure to ensure that sensitive diagnostic data is either encrypted at rest or stored outside the public web root. We should also expect more hosting providers to implement server-level "virtual patching" that blocks known malicious request patterns for CVE-2024-44000 before they hit the application layer. For organizations using Gravity SMTP, immediate migration to version 1.0.6 or higher is mandatory, along with a total rotation of all mail service API keys and passwords, as any data captured prior to the patch remains compromised.

Why it matters

  1. The flaw allows attackers to steal SMTP credentials and API keys without authentication, potentially compromising a company's entire mail infrastructure.
  2. Compromised mail servers are frequently used to launch high-efficacy phishing campaigns that leverage the legitimate reputation of the victim's domain.
  3. This incident emphasizes the critical need for developers to secure diagnostic logs and for administrators to treat plugin updates as essential security tasks rather than optional maintenance.
Read the full story at BleepingComputer