Attackers are actively exploiting a vulnerability in the Gravity SMTP WordPress plugin that exposes API keys, OAuth tokens, and detailed system configuration data to anyone who sends a single unauthenticated HTTP request. Wordfence, the WordPress security firm owned by Defiant, says it has blocked more than 17 million exploit attempts targeting the flaw since activity began in early May 2026. The plugin is installed on approximately 100,000 WordPress sites.

The vulnerability, tracked as CVE-2026-4020 and rated 5.3 on the CVSS scale by Wordfence, affects all versions of Gravity SMTP through 2.1.4. A patch was released in version 2.1.5 on 17 March 2026, but exploitation did not begin until roughly two months later, suggesting attackers reverse-engineered the fix or discovered the flaw independently after the patch drew attention to it.

The root cause is a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback function that unconditionally returns true. That means no authentication check runs before the server processes the request. When an attacker appends the query parameter ?page=gravitysmtp-settings, the plugin’s register_connector_data() method populates internal connector data, and the endpoint returns approximately 365 KB of JSON containing the site’s full system report.

The exposed data includes API keys, secrets, and OAuth tokens for every email integration configured in the plugin. Gravity SMTP supports Amazon SES, Google, Mailjet, Resend, and Zoho, and credentials for any of these services appear in the response if they have been configured. An attacker who obtains those credentials can send email on behalf of the compromised site, a capability that is useful for phishing campaigns and business email compromise.

The system report also contains the WordPress version, PHP version and loaded extensions, the web server version, the document root path, the database server type and version, all active plugins with their version numbers, the active theme, and database table names. That information gives attackers a detailed map of the site’s software stack, significantly reducing the reconnaissance effort required to plan follow-on attacks against known vulnerabilities in specific plugin or server versions.

“The exposure of live third-party API credentials means an attacker could abuse the site’s connected email services, while the detailed system report significantly lowers the effort required to plan further attacks against the site,” Wordfence researchers wrote in their advisory.

Exploitation volume spiked sharply around 6 June 2026, with Wordfence blocking more than 4 million requests in a single day on 7 June. The attack traffic has originated primarily from a cluster of IP addresses that Wordfence published for administrators to add to blocklists. The key indicator of compromise is requests to /wp-json/gravitysmtp/v1/tests/mock-data in web server access logs, particularly those containing the ?page=gravitysmtp-settings query parameter.

CrowdSec, the open-source threat intelligence platform, independently corroborated the timeline. It deployed detection for CVE-2026-4020 on 22 May and observed the first real-world exploitation on 27 May. By 1 June, the activity had been classified as background noise, indicating it had been integrated into automated scanning routines that sweep WordPress sites at scale.

The speed at which exploitation was industrialised reflects a broader pattern in WordPress plugin security. The flaw requires no authentication, targets a widely installed plugin, and returns high-value data in a single GET request, making it trivial to automate. WordPress’s plugin ecosystem has faced repeated supply chain compromises in 2026, including an attack in which 30 plugins purchased on Flippa were backdoored and lay dormant for eight months before activation.

The Gravity SMTP vulnerability is distinct from those supply chain attacks in that it does not involve malicious code injected by a compromised developer. It is a straightforward coding error, a permission callback that should have verified the requesting user’s credentials but instead returned true for every request. The simplicity of the flaw makes its survival through development, review, and release notable.

The exposure of API credentials is particularly dangerous because those credentials often persist even after the plugin is updated. Updating to version 2.1.5 closes the vulnerable endpoint, but it does not revoke or rotate the API keys that may have already been harvested. Credential theft through software flaws is an accelerating problem across the industry, with recent research showing that exposed API credentials are exploited within minutes of discovery.

Wordfence’s advisory urges site owners running a vulnerable version of Gravity SMTP who have configured third-party email integrations to assume compromise. The recommended remediation is to update the plugin to version 2.1.5 or later, then immediately rotate all API keys, secrets, and OAuth tokens configured in the plugin’s email connectors. Administrators should also review server log files for requests from the published attacker IP addresses.

The CVE was published on 31 March 2026, two weeks after the patch shipped. Despite the three-month window between patch availability and peak exploitation, many sites remain vulnerable. The gap between when patches become available and when organisations deploy them is one of the most persistent problems in software security, and WordPress plugins are especially prone to it because many site operators do not monitor plugin changelogs or enable automatic updates.

Wordfence also issued a separate advisory this week for CVE-2026-8713, a critical unauthenticated arbitrary file-deletion vulnerability in the Avada Builder plugin, which is installed on approximately one million WordPress sites. That flaw allows attackers to delete files on the server through a path traversal bug, and deleting wp-config.php can revert a site to its initial setup state, potentially enabling a full takeover.

A patch for the Avada Builder flaw is available in version 3.15.4, and no active exploitation of CVE-2026-8713 has been observed yet.

Wordfence did not attribute the Gravity SMTP exploitation to a specific threat actor or group. The pattern of mass scanning from a small cluster of IP addresses is consistent with opportunistic credential harvesting rather than targeted intrusion, though the stolen credentials could be sold or shared with more sophisticated operators for follow-on attacks.

Recorded from the show floor at AXPONA 2026, Lenny Coco of Mobile Fidelity Distribution discusses why vinyl still holds relevance in a digital first world, and how it fits alongside modern streaming habits. The conversation avoids framing the formats as competitors and instead looks at how each serves a different role for listeners, with Coco offering his perspective as both an industry insider and music fan. In the end, the focus stays on what matters most: the connection to the music, regardless of how it is delivered.

Sponsors: Thank you SVS for sponsoring this episode, along with Audeze for supplying all guests LCD-S20 Headphones, and Loewe and T10 Bespoke for sharing lounge space at AXPONA 2026.

This episode was recorded on April 12, 2026 (the third day of AXPONA 2026).

Where to listen:

On the Panel:

AXPONA 2026 Podcasts:

Related Links:

Credits:

• GPD launches Panther Lake Mini PC with powerful integrated graphics
• Core Ultra X7 358H delivers near RTX 3050M graphics performance
• MCIO 8i connection brings high-bandwidth external GPU expansion support

GPD has introduced its new Panther Lake Mini PC with Intel’s Core Ultra processors, combining compact dimensions with desktop-focused connectivity options.

The base configuration uses the Core Ultra 7 356H processor, while the step-up variant deploys the Core Ultra X7 358H CPU with a superior Arc B390 integrated graphics.

Japan and Tunisia lock horns in a Group F-defining World Cup 2026 match at Estadio BBVA in Monterrey, Mexico. Tunisia find themselves staring down the barrel after a bitter opening round defeat that led to an emergency replacement in the dugout, while Japan seek to get on the front foot early.

A new coach in the middle of a high-stakes tournament is never good news, but the Tunisian FA had seen enough with a 5-1 loss to Sweden to replace Sabri Lamouchi with former Saudi Arabia boss Herve Renard. The Eagles of Carthage went undefeated in the CAF qualifiers, scoring 22 goals without conceding a single one, but now face an uphill task if they’re to make it out of the group for the first time.

First look: Microsoft is sticking with smaller, incremental Windows 11 updates, and its next release will follow the same pattern. There’s no major feature rollout tied to Windows 11 26H2. Like version 25H2, it will arrive as an enablement package that toggles changes already present in the OS. On PCs already running Windows 11 24H2 or 25H2, the upgrade should be a quick enablement download, a single reboot, and a few minutes of install time, with no obvious changes on the desktop.

This approach dates back to Windows 11 24H2, released in October 2024, which marked the last traditional feature update. Since then, Microsoft has kept new versions on the same underlying platform. In practice, 25H2 and now 26H2 mostly exist to extend support timelines rather than add new capabilities.

New features are no longer tied to these annual releases. Instead, Microsoft is delivering them through monthly cumulative updates, allowing changes to roll out continuously. Recent updates have added a Low Latency Profile, with support for a movable taskbar expected in an upcoming Patch Tuesday release.

As a result, the annual “feature update” now acts more like a maintenance marker than the main way new features arrive.

Microsoft has positioned this update model as a way to reduce disruption, particularly for enterprise environments where stability is critical. “The next annual update for Windows 11 is coming soon… continues our focus on delivering a predictable, low-disruption update experience for organizations and IT professionals,” the company said in recent documentation.

Enablement packages are small, often under 500KB, and work by activating dormant code already present in the OS. Because the platform itself doesn’t change, installation is faster and tends to be less disruptive than a full upgrade.

That shift also changes what a version number represents. Moving from 24H2 to 26H2 doesn’t bring a new feature set; it keeps the same codebase while advancing the support timeline for that installation.

For 26H2, support runs through October 2028 for Home, Pro, Pro EDU, and Pro for Workstations. Enterprise, Education, and IoT Enterprise versions will receive updates until October 2029, in line with Microsoft’s standard lifecycle model.

Hardware requirements remain unchanged. Any system capable of running Windows 11 24H2 or 25H2, which requires at least 4GB of RAM, 64GB of storage, and a 64-bit dual-core processor, will support the new version.

A separate release, Windows 11 26H1, is tied to newer silicon platforms such as Nvidia N1 and Snapdragon X2. It’s based on a different platform baseline and doesn’t introduce exclusive user-facing features, so for most users, it isn’t a meaningful upgrade.

The broader shift is that Windows is now evolving through steady, incremental updates rather than periodic overhauls. The most meaningful changes arrive through monthly patches, while annual releases serve primarily to maintain and extend the platform.

Microsoft hasn’t said whether this model will continue beyond 2026, and didn’t confirm if the same approach will apply to a future 27H2 release. For now, though, the company appears committed to a cadence built around smaller updates and more predictable deployment.

The Mac lock screen has always felt a little underused. You see the time, your wallpaper, and not much else. macOS already supports desktop widgets, but once your Mac is locked, that extra information disappears.

WidgetScreen is trying to fix that in a pretty simple way. The free Mac app, made by UK computer science student Sam Cook, adds glassy widgets to the lock screen so you can quickly check things like the weather, clock, calendar, battery, music playback, countdowns, and system information.

The app is intentionally limited to the lock screen. The widgets appear when the Mac is locked and disappear when the user signs in, so they do not compete with macOS desktop widgets.

What does WidgetScreen actually do?

WidgetScreen is built for quick glances. You can arrange widgets on a grid, resize them, choose frosted or clear glass styles, change units and time format, and decide which display they appear on.

Claude Guillemot, one of five brothers who co-founded Ubisoft in 1986, has died in a plane crash near the coastal town of La Baule in western France. He was 69. Guillemot and a flight instructor from Rennes were both killed when their twin-engine Cessna 421 crashed in a field near La Baule aerodrome on the afternoon of 19 June.

French authorities confirmed that the aircraft was on fire when emergency crews reached the scene. Guillemot, a member of a local flying club, had departed Rennes and was travelling to an aviation gathering that was expected to draw more than 100 aircraft to the area. The cause of the crash has not been determined, and an investigation is underway.

Ubisoft confirmed the death in a statement, saying the company was “deeply saddened to learn of the death of Claude Guillemot.” The five Guillemot brothers, Claude, Yves, Michel, Christian, and Gérard, founded Ubisoft on 28 March 1986 in the Brittany village of Carentoir. What began as a software distribution business grew into one of the largest video game publishers in the world, behind franchises including Assassin’s Creed, Far Cry, Just Dance, and the Tom Clancy series.

Claude served as Executive Vice President in charge of operations at Ubisoft and sat on the company’s board of directors. His brother Yves remains chairman and chief executive of Ubisoft, which employs roughly 19,000 people across more than 40 studios worldwide.

Outside Ubisoft, Claude was chairman and CEO of Guillemot Corporation, the family’s publicly traded holding company that owns Thrustmaster, a major manufacturer of gaming peripherals including racing wheels, flight sticks, and controllers, and Hercules, which makes audio and DJ equipment. Guillemot Corp reported revenue of €197.7 million in its most recent fiscal year.

The Guillemot family’s grip on Ubisoft has been a recurring topic in the gaming industry. Despite holding roughly 11% of outstanding shares, the family maintains control through France’s Florange Act, which grants double voting rights to long-term shareholders. In 2022, Tencent, the Chinese conglomerate that has aggressively expanded its gaming portfolio, invested approximately €300 million in Guillemot Brothers Limited, the family’s private holding company, acquiring a 49.9% economic stake while receiving only 5% of voting rights.

That deal was widely interpreted as a defensive move, allowing the Guillemots to maintain control of Ubisoft while keeping Tencent’s influence capped. Tencent also holds a direct stake of approximately 9.46% in Ubisoft and invested €1.16 billion in Vantage Studios, a new Ubisoft subsidiary created in 2025 to manage the company’s biggest franchises. The question of whether Tencent and the Guillemot family would eventually pursue a full buyout has lingered for years, with no deal materialising as of June 2026.

Ubisoft has faced significant headwinds in recent years, including studio closures, layoffs affecting hundreds of employees, and a corporate restructuring that split the company into five creative divisions. The successful launch of Assassin’s Creed, a franchise that has expanded beyond games into film and television, helped stabilise the company after a difficult 2024, with Assassin’s Creed Shadows surpassing five million players within four months of its March 2025 release.

Claude Guillemot’s death comes at a particularly complex moment for the family business he helped build. Ubisoft is navigating activist investor pressure, an ongoing strategic partnership with Tencent, and a broader gaming industry contraction that has seen tens of thousands of jobs eliminated across the sector since 2023.

He is survived by his brothers and his family. French media reported that tributes from the gaming industry and the Brittany business community began arriving within hours of the announcement.

Asked about the privacy implications of chatbots like ChatGPT and Claude, Signal President Meredith Whittaker answered, “These are not your friends. These are not conscious beings. These are not sentient interlocutors.”

Whittaker made those comments in a broader interview with Bloomberg about policy, privacy, and Signal. She acknowledged that she uses AI tools “to format a document here and there,” but insisted, “I don’t ask them questions. I’m very serious about my thinking and writing, and I don’t want the process of working through an idea […] to be foreclosed or eclipsed by the response of a system that’s averaging what’s already out there.”

As for Microsoft AI CEO Mustafa Suleyman’s prediction that users could let Microsoft Copilot handle all their Christmas shopping this year, Whittaker argued this scenario — where Copilot is eavesdropping on the family group chat to determine who wants want — means giving it “access to my credit card, my browser, my Signal, the ability to message my siblings on my behalf, my home address [and] my calendar.”

“What you’ve just described is a system with very pervasive access across multiple applications and services,” Whittaker said. “In the context of Signal, it would constitute a kind of a backdoor.”

Movie studios keep hunting for ways to make a trip to the theater feel essential again. Sony Pictures landed on one clear path with its next Spider-Man film. The studio worked directly with CJ 4DPLEX to present Spider-Man: Brand New Day in SCREENX, a format built to spread the action beyond the front screen and across the side walls of specially equipped auditoriums.

Audiences who choose this version enter rooms where specific scenes continue to play out on the walls next to them. The primary story remains front and center on the enormous screen in front, but there are supplementary shots playing out to the left and right. The combination of the two produces a very broad, all-encompassing perspective that immerses you in the action rather than making you a distant spectator.

Sale

Anker Nebula P1i Portable Projector with WiFi and Bluetooth by soundcore, Flippable Design,1080P FHD, 4K…

• Flippable Audio Magic: Rotate the 20W (2 x 10W) Dolby Audio speakers 90° side to side or 200° up and down for sound that follows your vibe, perfect…
• True Brightness, Real Clarity: Enjoy lifelike details with TÜV‑certified 380 ANSI lumens and 1080p Full HD resolution that make every movie night…
• Designed for Consistent Viewing: All‑glass lenses and fully sealed optical engine resist dust and wear, keeping every frame crisp and clear even…

SCREENX is powered by a multi-projection system, with one projector handling the main screen and additional ones dealing with the side walls. The photos are all aligned using smart techniques like as warping correction and edge blending, resulting in a seamless image despite the fact that the walls are at an angle to the main surface. There are no special glasses required, which is a plus. The extra content is kept under control since it only appears at specified points in the film, rather than running throughout.

SCREENX has been widely used by filmmakers since it first appeared in films rather than only advertisements a few years ago. The amount of extra content on the side walls has been progressively expanding. Some films may only open the walls for a few twenty or thirty minute portions, but newer films can keep them open for an hour or more. Extra material is typically created from existing film or digital elements added later in the editing process.

However, Spider-Man: Brand New Day takes a different approach to the situation. CJ 4DPLEX despatched a crew to the set while the main crew was filming. That team took specialized photographs for the side walls, and this is the first time the format has had unique on-set photography generated particularly for it from the start of a major studio film until its release. Director Destin Daniel Cretton puts it simply: CJ 4DPLEX and their team came in to shoot content for the SCREENX auditoriums.

Jun Bang, the CEO of CJ 4DPLEX, described it as an advancement of the overall SCREENX concept. They collaborated closely with Sony Pictures and Cretton, utilizing their proprietary tools to greatly expand the visual possibilities. The goal was to ensure that they preserved the director’s vision while also immersing the audience in the story, action, and Spider-Man world.

It should come as no surprise that Taylor Swift, Bad Bunny, Ariana Grande, and Kendrick Lamar are among the top 20 most streamed artists of all time on Apple Music. Check out the full list.

Apple Music launched on June 30, 2015, and it celebrated 10 years of streaming with a top 500 songs list. A year on, the streamer has shared a new metric.

The new chart is the top 20 artists of all time on Apple Music, shared by Chart Data on social media. It’s an official endorsement, as Apple Music’s account reposted it and replied with a heart and trophy emoji.

It isn’t clear what prompted the post, but we are in proximity to Apple Music’s birthday, so it may simply be that. If you don’t live under the proverbial rock, none of these artists should come at any surprise.

1. Drake
2. Taylor Swift
3. Future
4. Youngboy Never Broke Again
5. Bad Bunny
6. Lil Baby
7. The Weeknd
8. Morgan Wallen
9. Kanye West
10. Post Malone
11. Travis Scott
12. Ariana Grande
13. Chris Brown
14. Kendrick Lamar
15. Lil Durk
16. Gunna
17. Rod Wave
18. Ed Sheeran
19. Justin Bieber
20. Eminem

Apple isn’t promoting the list on Apple Music, at least not yet anyway. If you’re interested in the top 500 song playlist, it’s still available.

Out of the twenty artists present, I have six in my library. Unsurprisingly, the vast majority of music represented here is in the rap or pop genres.

If you’d like to see something a little more personalized, there’s your Apple Music Replay. Unlike Spotify Wrapped, it is updated monthly, so your 2026 Replay is already available.