Sober Thoughts. Drunk Posts.

Another “Regulation” Speech While Your Secrets Get Poured Down the Drain


Another bug patched just in time for no one to apply the patch. That is the vibe of this week's top security story roundup, and yes, I know. "Top story" is doing a lot of work here, because the real theme is the same as it always is: defenders talking, attackers walking right through the open door like they own the place.

The One Story That Matters (Because Your API Keys Definitely Aren’t Protected)

Let's focus on the only thing that actually changes your incident response workload: the Gravity SMTP WordPress plugin bug (CVE-2026-4020). Threat actors are exploiting a recently patched flaw in the Gravity SMTP plugin, installed on about 100,000 sites, to expose sensitive data. Not "maybe some metadata." Not "eventually." Actual secrets: API keys, OAuth tokens, and the configuration data that holds them. The kind of stuff you lock down so you can later wonder how it leaked.

This is medium severity on paper (CVSS 5.3). In real life, medium severity is how your org explains away disaster until it has a headline and a CFO-sized panic budget. The score rates the bug in isolation; it says nothing about what the leaked mail-provider API key or OAuth token unlocks on the other side, and that system's compromise does not come with a 5.3 attached. Information disclosure flaws are the appetizer. Once attackers have tokens and keys, your "security controls" become decorative landscaping.

Why This Keeps Happening (Spoiler: It’s Not the Hackers)

Here is the part where the IT culture fantasy collapses. “We’ll patch when we get time” is not a strategy. “We have a compensating control” is not a strategy either, especially when the compensating control is a PDF of a policy nobody reads. And vendors love this. It lets them sell products, then act shocked when customers behave like customers: busy, understaffed, and allergic to anything that requires urgency.

Also, can we talk about the classic behavior loop? A plugin ships. People install it. A flaw gets patched. Then it takes weeks or months for the patch to actually reach production, because the change window is “next sprint.” Meanwhile, attackers are out there doing what they always do: scanning, testing, harvesting. Like raccoons with spreadsheets. If your secrets are exposed, it does not matter whether you had “strong encryption” at some point in the past. Attackers do not need your encryption; they need your token.

Do Something Instead of Holding a Meeting

If you run WordPress (and especially if you install SMTP plugins like you're collecting decorative malware), do three things in this order. First, verify the plugin is actually on the fixed version, in production, not in a ticket. Second, rotate every credential the plugin could read: the mail provider's API keys, OAuth tokens, and anything else sitting in its settings. Rotate after patching, not before, or the shiny new key leaks through the same hole. Third, audit your access logs for requests that touched the plugin since the bug went public, and treat anything that reached plugin code from an address you don't recognise as a read of those secrets until proven otherwise. Then thank yourself briefly, because most orgs will not.
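Here is what the "verify, then audit" half of that looks like as a script you can actually run, as an added example written for this post (it is not code from the plugin vendor or from the original story). The plugin directory slug, the version that carries the fix, the REST paths, and the access-log lines are all constructed for illustration; take the slug and fixed version from the vendor advisory and point the audit at your real logs.

```python
"""Added example: check whether the installed plugin version predates the fix,
then comb a combined-format access log for successful requests that reached
plugin code after disclosure from addresses not on an allowlist.
Every identifier below marked 'assumed' is an illustration, not a fact from
the advisory."""
import re
from datetime import datetime, timezone

PLUGIN_SLUG = "gravitysmtp"      # assumed plugin directory slug
FIXED_VERSION = "1.4.0"          # assumed; use the version named in the vendor advisory

# Assumed path prefixes under which plugin code is reachable; adjust to the
# plugin's real routes and directory name.
PLUGIN_PATH_MARKERS = (
    f"/wp-content/plugins/{PLUGIN_SLUG}/",
    f"/wp-json/{PLUGIN_SLUG}/",
)

# Apache/nginx "combined" log line: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_version(v: str) -> tuple:
    """'1.3.9' -> (1, 3, 9). Tuples compare component-wise; strings do not
    ('1.10.0' < '1.9.0' as strings, which is exactly the bug you do not want)."""
    return tuple(int(part) for part in re.findall(r"\d+", v))


def plugin_needs_patch(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def parse_log(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry["status"] = int(entry["status"])
        yield entry


def suspicious_plugin_requests(lines, since, allowlist=frozenset()):
    """Requests that reached plugin code, succeeded (2xx), happened at or after
    `since`, and did not come from an allowlisted address. Returns {ip: [paths]}.
    A 2xx here means the plugin answered; assume whatever it served was read."""
    hits = {}
    for e in parse_log(lines):
        if e["ip"] in allowlist or e["ts"] < since:
            continue
        if not any(marker in e["path"] for marker in PLUGIN_PATH_MARKERS):
            continue
        if not 200 <= e["status"] < 300:
            continue
        hits.setdefault(e["ip"], []).append(e["path"])
    return hits


# Constructed sample traffic (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:14:02 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1843
203.0.113.7 - - [10/Apr/2026:09:14:05 +0000] "GET /wp-json/gravitysmtp/v1/logs HTTP/1.1" 200 9120
198.51.100.4 - - [10/Apr/2026:09:20:11 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 31
192.0.2.10 - - [10/Apr/2026:10:01:44 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1843
203.0.113.9 - - [09/Apr/2026:23:59:59 +0000] "GET /wp-json/gravitysmtp/v1/settings HTTP/1.1" 200 1843
203.0.113.8 - - [10/Apr/2026:11:00:00 +0000] "GET /wp-content/plugins/gravitysmtp/readme.txt HTTP/1.1" 404 0
""".splitlines()

# Assumed disclosure date for the sample; your site admin's IP goes on the allowlist.
SAMPLE_SINCE = datetime(2026, 4, 10, tzinfo=timezone.utc)
SAMPLE_ALLOWLIST = frozenset({"192.0.2.10"})


def audit_sample():
    """Run the audit over the constructed sample so the result is testable."""
    return suspicious_plugin_requests(SAMPLE_LOG, SAMPLE_SINCE, SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    for installed in ("1.3.9", "1.4.0"):
        print(installed, "needs patch" if plugin_needs_patch(installed) else "ok")
    for ip, paths in audit_sample().items():
        print(f"{ip}: {len(paths)} plugin request(s) after disclosure -> rotate and investigate")
```

The admin at 192.0.2.10 is skipped by the allowlist, the pre-disclosure request from 203.0.113.9 and the 404 from 203.0.113.8 are skipped because nothing was served, and 203.0.113.7 shows up with two successful hits on plugin routes. That last line is your rotation trigger, whatever the CVSS score says.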

Pour yourself something. Scotch, bourbon, whatever keeps you moving. The attacker doesn’t care about your roadmap. Neither does the next scan.

