CVE-2026-4020 in the Gravity SMTP WordPress plugin is under confirmed mass exploitation — over 17 million attempts logged by Wordfence, with a single-day spike exceeding 4 million requests. A single unauthenticated HTTP GET request to an exposed REST API diagnostic endpoint returns live API keys and OAuth tokens for Amazon SES, Google, Mailjet, Resend, and Zoho. Any organization running Gravity SMTP prior to version 2.1.5 must treat all stored third-party credentials as compromised immediately and rotate them regardless of whether exploitation is confirmed in local logs.
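The two checks a defender wants from this advisory are (a) whether the installed plugin version is in the affected range and (b) whether the web server's access log shows unauthenticated GET requests to the diagnostic endpoint, and with which response codes. The following Python is an added example, not code from the advisory or from the Gravity SMTP project. It assumes combined-format access logs, and because the advisory does not name the exact REST route, `ENDPOINT_PATH` is a placeholder to be replaced with the route from the vendor's fix notes; the sample log lines are constructed.

```python
"""
Added example (not from the advisory or the Gravity SMTP project):
flag GET requests to the Gravity SMTP REST diagnostic endpoint in a
combined-format access log and classify the installed version against
the fixed release (2.1.5).

Assumptions:
  * ENDPOINT_PATH is a placeholder; the advisory does not give the route.
  * Log lines are Apache/nginx "combined" format.
  * SAMPLE_LOG_LINES are constructed for this example.
"""
import re
from collections import Counter

# Placeholder: substitute the real REST route from the vendor's fix notes.
ENDPOINT_PATH = "/wp-json/REPLACE-WITH-GRAVITY-SMTP-DIAGNOSTIC-ROUTE"
FIXED_VERSION = "2.1.5"  # from the advisory: versions prior to 2.1.5 are affected

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version):
    """Turn '2.1.5' (or '2.1.5-beta') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version):
    """True when the installed plugin predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_diagnostic_hits(lines, endpoint=ENDPOINT_PATH):
    """Return one record per GET request whose path equals the endpoint
    (query string ignored), so blocked and served requests are both kept."""
    target = endpoint.rstrip("/")
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") == "GET" and path == target:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
            })
    return hits


def summarize(hits):
    """Count attempts, distinct sources and responses that served a body
    (HTTP 200), which is the case where credentials would have left the host."""
    return {
        "attempts": len(hits),
        "sources": len({h["ip"] for h in hits}),
        "successful": sum(1 for h in hits if h["status"] == 200),
        "by_status": dict(Counter(h["status"] for h in hits)),
    }


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Apr/2026:09:12:01 +0000] "GET ' + ENDPOINT_PATH +
    '/ HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2026:09:12:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Apr/2026:09:13:40 +0000] "GET ' + ENDPOINT_PATH +
    '?x=1 HTTP/1.1" 200 1840 "-" "curl/8.0"',
    '192.0.2.5 - - [10/Apr/2026:09:15:09 +0000] "GET ' + ENDPOINT_PATH +
    ' HTTP/1.1" 404 231 "-" "python-requests/2.31"',
    '192.0.2.5 - - [10/Apr/2026:09:15:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "python-requests/2.31"',
]


if __name__ == "__main__":
    installed = "2.1.4"  # constructed value; read from the plugin header in practice
    print(f"plugin {installed} affected: {is_affected(installed)}")
    report = summarize(find_diagnostic_hits(SAMPLE_LOG_LINES))
    print(report)
    # Per the advisory, rotate every stored provider credential on an
    # affected version even if 'successful' is 0: logs may be incomplete.
```

The version check decides whether the host was exposed at all; the log summary only tells you what the surviving logs show, which is why the advisory's rotation guidance does not hinge on it.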