CVE-2026-4020 in the Gravity SMTP WordPress plugin (versions 2.1.4 and earlier) exposes live email service credentials — including API keys and OAuth tokens for Amazon SES, Google, Mailjet, Resend, and Zoho — to any unauthenticated requester via a single REST API endpoint. With over 17 million exploitation attempts recorded and a single-day spike of 4 million requests on June 7, active mass scanning is confirmed. The patch (version 2.1.5) has been available since March 17; the exploitation volume signals that a large proportion of the approximately 100,000 affected installations remains unpatched more than two months later.
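
To check whether a host is among the unpatched installations, the following added example (not code from the plugin or the advisory) scans one or more `wp-content/plugins` directories, given as arguments, for Gravity SMTP copies older than 2.1.5. It assumes the plugin's header reads `Plugin Name: Gravity SMTP`; the directory names and header used in `demo()` are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

FIXED = (2, 1, 5)             # first patched release named in the advisory
PLUGIN_NAME = "gravity smtp"  # assumption: value of the plugin's "Plugin Name" header
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)
SAMPLE = "<?php\n/**\n * Plugin Name: Gravity SMTP\n * Version: {v}\n */\n"  # constructed

def parse_version(text):
    """'2.1.4' -> (2, 1, 4); pre-release suffixes such as '-beta' are dropped."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def read_header(php_file):
    """Return (plugin name, version) from a WordPress plugin header, or None."""
    head = php_file.read_text(errors="replace")[:8192]  # WordPress scans the first 8 KB
    fields = {}
    for key, value in HEADER.findall(head):
        fields.setdefault(key.lower(), value.strip())  # first occurrence wins
    if "plugin name" in fields and "version" in fields:
        return fields["plugin name"], fields["version"]
    return None

def find_vulnerable(plugins_dir):
    """List (main file, version) for every Gravity SMTP copy older than FIXED."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        info = read_header(php)
        # Numeric tuple comparison: as strings, "2.1.10" would sort before "2.1.5".
        if info and info[0].lower() == PLUGIN_NAME and parse_version(info[1]) < FIXED:
            hits.append((str(php), info[1]))
    return hits

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed plugins tree
        for slug, v in (("copy-a", "2.1.4"), ("copy-b", "2.1.10")):
            Path(root, slug).mkdir()
            Path(root, slug, "main.php").write_text(SAMPLE.format(v=v))
        return [version for _, version in find_vulnerable(root)]

if __name__ == "__main__":
    if not sys.argv[1:]:
        print("demo, vulnerable versions found:", demo())
    found = [hit for d in sys.argv[1:] for hit in find_vulnerable(d)]
    for path, version in found:
        print(f"VULNERABLE {version} (< 2.1.5): {path}")
    sys.exit(1 if found else 0)
```

The script exits non-zero when a vulnerable copy is found, so it can gate a fleet-wide patch audit.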