$20 Zero-Days: WordPress Plugins Are Now AI Hunting Grounds

Anyone who has run incident response at 3am knows the worst calls start with "a plugin update broke something, and now there's outbound traffic we can't explain." That call is about to get cheaper to trigger. A research pipeline built in three days surfaced more than 300 critical zero-day vulnerabilities across the WordPress plugin ecosystem in 72 hours of scanning, at an average cost of roughly $20 per finding.

The number is small enough to fit on a corporate card receipt. That is the entire point.

The Numbers

As Help Net Security reported, researchers from TrendAI and CHT Security presented the work at Ekoparty Miami. The system pairs AI-driven static analysis with automated Docker provisioning and dynamic verification through Chrome DevTools MCP. The AgentForge orchestration dashboard logged roughly 222 million tokens consumed across 95 tasks during the campaign. Steven Yu, a threat research engineer at TrendAI, translated that token spend into the $20-per-vulnerability average.

Put that figure in budget terms. A mid-sized iGaming operator running a quarterly red-team engagement might spend six figures to get a handful of critical findings against a hardened stack. The same headline budget, fed through a pipeline like this against a softer ecosystem, would return findings by the hundreds. On a 10-person platform team, $20 is rounding error in a single sprint's cloud bill. It is less than a managed-database backup runs for a weekend.

Yu was careful to fence the claim. "This doesn't mean you can easily find a vulnerability in any WordPress site for just $20," he said. "It depends heavily on the security of the codebase. The WordPress ecosystem is extremely vast and complex, leading to highly variable code quality. In other frameworks or ecosystems, we might not see the same results at this cost threshold."

The qualifier is doing real work. WordPress has more than a million plugins in its ecosystem, many maintained by solo volunteers without security budgets. That is the demographic profile of a soft target. A hardened fintech monorepo with mandatory review, SAST gates, and fuzz harnesses is not going to surrender bugs at the same rate. But "WordPress is special" is cold comfort when WordPress runs a meaningful slice of the public internet, including marketing properties owned by companies that take security seriously everywhere else.

The vulnerability classes surfaced read like a tour of the OWASP Top Ten: pre-authentication remote code execution, SQL injection hidden behind PHPCS annotations that mark vulnerable queries as safe, privilege escalation through the WordPress hook system, server-side request forgery, and a downgrade attack chain. One pre-auth RCE landed in a plugin with more than 1,000 GitHub stars. That is not an abandoned hobby project. That is something procurement might wave through.

What's Actually New

AI vulnerability research has spent the last 18 months earning a bad reputation. Maintainers have been buried in AI-generated noise, and several major open-source projects have rejected AI submissions outright. Production incidents I've seen tied to "AI-assisted disclosure" usually involve a maintainer chasing a hallucinated CVE for a week before realizing the report described code that doesn't exist in the repo.

The TrendAI pipeline is different in two ways that matter operationally.

First, dynamic verification. Every finding had to spin up in a Docker environment and prove itself through Chrome DevTools MCP before reaching the disclosure queue. The system eliminated more than 80% of false positives this way. That is the difference between a tool that produces tickets and a tool that produces exploits. Static analysis with an LLM on top is a pattern-matcher. Static plus automated environment provisioning plus dynamic confirmation is a working proof-of-concept generator.

Second, and this is the part that should make defenders uncomfortable, the downgrade chain. The AI located a vulnerability that allowed it to roll a target plugin back to an earlier version, recognized the earlier version had its own exploitable flaws, and chained the two without manual prompts or pre-taught patterns. Yu confirmed there was no human guidance in assembling that chain. The same vulnerability class was then found through pattern hunting across OpenCart and Joomla codebases.

That is autonomous bug-class generalization. Not "the model spotted a pattern it was trained on." The model invented a chain and then transferred the abstraction across ecosystems. Teams I've worked with have spent years building threat models around the assumption that exploit chains require human creativity to assemble. That assumption is now on a clock.

My take: the $20 number will get all the headlines, but the downgrade chain is the actual news. Price comes down with every model generation. Autonomous chain construction is a capability threshold, and once crossed it does not uncross.

What's Priced In for Security Teams

Some of this, mature security teams already assumed. Anyone running a bug bounty program in the last 12 months has seen the AI-slop wave and built filters for it. Anyone who has watched CISA's KEV catalog grow knows the gap between disclosure and active exploitation has been compressing for years. The idea that motivated attackers can run discovery pipelines at scale is not a surprise to anyone who has read a threat report since 2024.

What's not priced in: the triage collapse. Yu was blunt. "Organizations such as ZDI and NIST are currently struggling with massive backlogs due to the explosion of AI-assisted vulnerability reports. When AI can scale discovery from a few findings per day to hundreds per second, the traditional human-centric triage model becomes unsustainable."

Manual verification of each WordPress plugin vulnerability took the TrendAI team between 30 and 60 minutes. Human review was described as the primary bottleneck in their own pipeline. If the people producing the findings cannot keep up with their own output, the downstream vendors and CNAs have no chance. Yu expects several vendors to move toward invite-only or membership-based disclosure models and to ban accounts that submit AI-generated noise.

The uncomfortable read: bug bounty as an open-submission market is probably ending. What replaces it looks more like a guild, with reputation-gated access and AI-versus-AI triage on the receiving side. Yu's own prescription is to "fight AI magic with AI magic." Engineering leaders who have been pushing back on procurement for AI-assisted security tooling are going to lose that argument over the next two budget cycles.

Contrarian View

The doomer reading writes itself: $20 zero-days, autonomous exploit chains, disclosure infrastructure in collapse. But there are reasons to slow down before declaring the end of defensible web infrastructure.

The pipeline works on WordPress plugins specifically because WordPress plugins are uniquely bad. A million-plugin ecosystem maintained largely by volunteers is not representative of how serious software gets built. The same agent pointed at a Rust codebase with property-based tests and a careful review culture is going to spend a lot of tokens to find very little.

The agent also has hard stops. Exploits requiring a working payment API key, a valid user account, or an SMS verification code break the pipeline because the gap is environmental, not analytical. Most enterprise attack surface sits behind exactly those kinds of gates. The model cannot fake a corporate SSO flow or a Twilio-verified phone number.

And there is a defender's version of the same pipeline. If TrendAI built this in three days, internal AppSec teams can build something similar against their own code before attackers do. The capability is symmetric. The first wave will favor attackers because they have fewer ethics review boards, but the tooling diffuses in both directions. Teams that get pipelines into CI in the next six months will burn down their backlogs faster than attackers can find new bugs.

Key Takeaways

• Stop treating WordPress plugins as low-priority attack surface. If your marketing site runs WP, it is now a viable initial-access vector for any attacker with a credit card. Inventory plugins, pin versions, and put the marketing stack behind the same egress controls as production.
• The downgrade chain is the real signal. Autonomous exploit-chain assembly across versions and across ecosystems (WordPress, OpenCart, Joomla) means single-CVE patching is no longer sufficient threat modeling. Map version-rollback paths in your dependency graph.
• Expect disclosure programs to harden. Invite-only and reputation-gated submission models are coming within months. If your team relies on external bounty submissions, get researchers credentialed now, before the door closes.
• Budget for AI-assisted triage on the defender side. Yu's "fight AI magic with AI magic" is not a slogan, it is a procurement directive. Manual triage at 30 to 60 minutes per finding does not scale against hundreds-per-second discovery.
• Audit your PHPCS suppressions today. SQL injection hidden behind annotations that mark vulnerable queries as safe is a pattern the AI explicitly targeted. If your codebase uses similar suppress-and-forget comments, those are now signposts for attackers.