CVE-2026-4020 in the Gravity SMTP WordPress plugin (all versions prior to 2.1.5) exposes an unauthenticated REST API endpoint that returns live API credentials in plaintext for connected email services including Amazon SES, Google, Mailjet, Resend, and Zoho. Mass automated exploitation is confirmed, with over 17 million recorded attempts and peaks near 4 million requests per day. Any organization running an unpatched installation should treat all stored email provider credentials as fully compromised, regardless of whether exploitation has been observed in logs.

Author

Tech Jacks Solutions