A silent attack is currently hitting tens of thousands of self-hosted WordPress installations. The vector is a seemingly innocuous plugin, Gravity SMTP, used to manage email delivery via external services. The flaw, now actively exploited at scale, allows an attacker to retrieve API keys, OAuth tokens, and the full system configuration with a single unauthenticated HTTP request.

The numbers from Wordfence – the security firm owned by Defiant – show the scale: more than 17 million exploit attempts blocked since the wave began. Estimates point to over 100,000 WordPress sites running the potentially vulnerable plugin, creating an enormous attack surface for a component that is often installed and forgotten.

What’s at stake: from emails to infrastructure keys

The Gravity SMTP plugin centralizes the sending of notifications, transactional emails, and system messages through external providers like Google Workspace, Mailgun, or SendGrid. To do so, it stores OAuth credentials or API keys in its settings. Once exfiltrated, an attacker can do more than read mail: they can impersonate the domain, launch highly credible phishing campaigns, or worse, use those same keys to move laterally into other connected cloud services.

For those managing on-premise stacks, the potential damage goes beyond a single site. In an enterprise context, a WordPress server may serve as the public interface for internal applications, including dashboards for self-hosted LLMs or ticketing platforms. If the instance shares a network with other services, the stolen credentials become a springboard for compromising more critical environments.

The lesson for self-hosting adopters

This story is more than a web security blip. It highlights how thin the line is between a peripheral plugin and the overall security of an on-premise infrastructure. The self-hosted paradigm offers direct control over data and flows but delegates often-overlooked functions to third-party components – themes, plugins, dependencies. Constant updates and configuration checks thus become mandatory hygiene, not optional extras.

Consider WordPress installations used as a lightweight frontend for local AI systems: an email notification about a completed training job, an alert, an automated user message. One neglected SMTP plugin can expose the keys that hold the entire notification stack together, with direct consequences for reputation, operations, and costs.

A broader view

The mass exploitation of Gravity SMTP fits a pattern familiar to those operating self-hosted architectures: the exponential rise in automated attacks against open source components and third-party plugins. It is not an isolated incident but a symptom of an attack surface that grows with every integration. The answer lies not only in patching but in reshaping the security posture around every micro-component, especially those that handle credentials.

For those weighing on-premise deployments, the trade-offs are clear: full control over data and processes on one side, the responsibility to keep every layer of the stack updated and monitored – including the plugins that look innocent – on the other. The Gravity SMTP case drives that lesson home with uncomfortable force.