CVE-2026-4020 is an actively exploited unauthenticated information disclosure vulnerability in the Gravity SMTP WordPress plugin, allowing attackers to retrieve API keys and credentials stored by the plugin without authentication. Any organization running this plugin on a public-facing WordPress site should patch immediately and rotate all credentials stored or processed by the plugin.