CVE-2026-4020 in the Gravity SMTP WordPress plugin is an unauthenticated information disclosure vulnerability that allows any attacker to retrieve live API credentials for connected email services — Amazon SES, Google, Mailjet, Resend, and Zoho — with a single HTTP GET request. Wordfence has blocked over 17 million exploitation attempts since May 2026, confirming active large-scale credential harvesting. The fix is available in version 2.1.5; all connected API credentials must be treated as compromised and rotated regardless of current patch status.
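
A triage helper for the remediation described above, as an added example that is not from the advisory or the plugin's authors: it reads `wp plugin list --format=json` inventories, flags Gravity SMTP installs below 2.1.5, and lists credential rotation for every install, patched or not. The slug `gravitysmtp`, the function names and the sample inventories are assumptions constructed for illustration.

```python
import json
import re

PLUGIN_SLUG = "gravitysmtp"  # assumption: plugin directory name as WP-CLI reports it
FIXED = (2, 1, 5)            # fixed version stated in the advisory
SERVICES = ["Amazon SES", "Google", "Mailjet", "Resend", "Zoho"]  # from the advisory

def parse_version(text):
    """Return (numeric_tuple, suffix), or None when the string is not a version."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # "2.1" compares as 2.1.0
    return nums, m.group(2)

def is_patched(version_text):
    parsed = parse_version(version_text)
    if parsed is None:
        return False  # unknown version: treat as unpatched
    nums, suffix = parsed
    if nums == FIXED and suffix:
        return False  # e.g. "2.1.5-beta1" predates the fixed release
    return nums >= FIXED

def triage(inventories):
    """inventories: {site: JSON text from `wp plugin list --format=json`}."""
    findings = []
    for site, raw in sorted(inventories.items()):
        for plugin in json.loads(raw):
            if plugin.get("name") != PLUGIN_SLUG:
                continue
            version = str(plugin.get("version", ""))
            actions = []
            if not is_patched(version):
                actions.append("upgrade to 2.1.5")
            # Rotation applies even when patched: keys may have leaked earlier.
            actions.append("rotate credentials: " + ", ".join(SERVICES))
            findings.append({"site": site, "version": version, "actions": actions})
    return findings

# Constructed sample inventories (not real sites).
SAMPLE = {
    "shop.example": '[{"name":"gravitysmtp","status":"active","version":"2.1.4"}]',
    "blog.example": '[{"name":"gravitysmtp","status":"active","version":"2.1.5"}]',
    "docs.example": '[{"name":"akismet","status":"active","version":"5.3"}]',
}

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["site"], f["version"], "->", "; ".join(f["actions"]))
```

Rotate only the services actually connected on each flagged site; the list in the output is the full set of integrations the advisory names.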