A significant vulnerability in a widely used WordPress plugin is being actively exploited by attackers to steal sensitive credentials and system information from websites. The flaw, tracked as CVE-2026-4020, affects the Gravity SMTP plugin, which is installed on more than 100,000 WordPress sites.