AI‑Driven Pipeline Uncovers 300+ Critical Zero‑Day Vulnerabilities in WordPress Plugins at $20 Each
What Happened — Researchers from TrendAI and CHT Security demonstrated an AI‑powered pipeline that combined static analysis, Docker provisioning, and Chrome DevTools verification to discover more than 300 critical zero‑day flaws across the WordPress plugin ecosystem in just 72 hours. Every finding was manually validated and responsibly disclosed.
Why It Matters for TPRM —
- The low $20 per vulnerability cost means motivated attackers can purchase or develop exploits at scale.
- Over‑one‑million WordPress plugins are maintained by small teams or volunteers, creating a massive supply‑chain attack surface for any organization that relies on them.
Who Is Affected — CMS platforms, e‑commerce sites, SaaS providers, and any third‑party that embeds WordPress plugins (across virtually all industry sectors).
Recommended Actions — Conduct a comprehensive inventory of all WordPress plugins in use, prioritize remediation of those identified as high‑risk, enforce strict version‑control and patch‑management policies, and consider additional runtime protections (WAF, runtime application self‑protection).
Technical Notes — The pipeline leveraged AI‑driven static code analysis, automated Docker environments, and dynamic verification via Chrome DevTools MCP. Vulnerabilities included pre‑authentication RCE, SQL injection hidden behind PHPCS annotations, privilege escalation via hook abuse, SSRF, and a novel downgrade‑attack chain that rolled plugins back to vulnerable versions. Source: Help Net Security