WordPress Plugin Zero-Day Vulnerabilities Now Cost Just $20 to Find
Researchers used AI tools to find over 300 critical WordPress plugin vulnerabilities in just 72 hours, at roughly $20 per discovery. This breakthrough changes the economics of both security research and potential attacks on WordPress sites.
The cost of finding serious security flaws in WordPress plugins just dropped to about $20 per vulnerability. That is not a theoretical number: researchers from TrendAI and CHT Security built an AI-powered system that proved it in three days.
Their automated pipeline discovered more than 300 critical zero-day vulnerabilities across WordPress plugins in 72 hours. Every single finding was manually verified before disclosure. This is not about generating noise or false alarms. These are real, exploitable security holes in plugins that could be running on your site right now.
What the AI System Actually Found
The researchers presented their work at Ekoparty Miami. Their system combined AI-driven code analysis with automated testing environments and verification tools. The result was a flood of confirmed vulnerabilities that would have taken human researchers months to discover.
Steven Yu, a threat research engineer at TrendAI, explained the economics. The system consumed roughly 222 million AI tokens across 95 scanning tasks. When you divide the API costs by the number of verified vulnerabilities, you get approximately $20 per discovery.
However, Yu was careful to add context. “This doesn’t mean you can easily find a vulnerability in any WordPress site for just $20,” he told Help Net Security. The WordPress plugin ecosystem is uniquely vulnerable because of its massive scale and inconsistent code quality.
Why WordPress Plugins Are Especially Vulnerable
WordPress hosts more than a million plugins. Many are maintained by individual developers or small teams without dedicated security resources. Code quality varies wildly across the ecosystem.
This creates an environment where automated tools can find issues efficiently. A hardened enterprise application would not surrender vulnerabilities at anywhere near this rate or cost. Nevertheless, for WordPress plugins, the economics have fundamentally shifted.
The types of vulnerabilities discovered include some of the most serious categories. The researchers found pre-authentication remote code execution flaws, SQL injection vulnerabilities, privilege escalation issues, and server-side request forgery problems. One pre-authentication RCE was found in a plugin with over 1,000 GitHub stars.
The AI Built Attack Chains Without Human Help
Perhaps most concerning is what the AI did on its own. The system identified a downgrade attack chain without any human guidance. It found a vulnerability that allowed rolling a plugin back to an earlier version, then recognized that the older version had its own exploitable flaws.
The AI chained these two vulnerabilities together into a working attack. No manual prompts were involved. No pre-programmed patterns were used. The system reasoned through the attack path independently.
What This Means for Your WordPress Site
If researchers can find WordPress plugin vulnerabilities for $20 each, so can attackers. Yu confirmed this reality bluntly: “We are already in a state where any motivated attacker with a credit card can execute this.”
Both security researchers and malicious actors are implementing these techniques at scale right now. The barrier to entry for finding exploitable flaws in WordPress plugins has effectively collapsed.
For business owners running WordPress sites, this changes the equation. Plugin vulnerabilities are being discovered faster than ever before. The time window between discovery and exploitation is shrinking. Additionally, the volume of potential threats is increasing exponentially.
The Disclosure System Is Struggling to Keep Up
The researchers addressed a key concern about AI-generated vulnerability reports. Many open-source projects have started rejecting AI submissions entirely because of low-quality, automated reports that waste maintainer time.
This system filtered out that noise. By requiring dynamic verification before any disclosure, the pipeline eliminated more than 80% of false positives. Only confirmed, exploitable vulnerabilities made it through to the disclosure queue.
However, even with verified findings, the downstream pressure is intense. Yu said manual verification of each WordPress plugin vulnerability took his team 30 to 60 minutes. That human review layer is now the primary bottleneck.
Disclosure Programs Are Changing Their Rules
Organizations like ZDI and NIST are already struggling with massive backlogs. When AI can scale vulnerability discovery from a few findings per day to hundreds per second, the traditional review model breaks down.
Yu expects several vendors to move toward invite-only or membership-based disclosure programs within the next six months. These programs will prioritize researchers with established track records and ban accounts that submit AI-generated noise.
The longer-term solution, according to Yu, is fighting automation with automation. “The ultimate solution is to fight AI magic with AI magic,” he said. AI-assisted triage that automates environment setup and verification would free human experts to focus on the most complex cases.
Where AI Vulnerability Detection Still Falls Short
Despite the impressive results, Yu was direct about current limitations. Some exploit scenarios still require human judgment or access that AI systems cannot easily replicate.
For example, vulnerabilities that require a working payment API key, a valid user account, or SMS verification stop the automated agent. The gap is environmental, not in the AI model itself. These barriers will likely fall as agent tooling improves.
Other limitations are more fundamental. Sometimes determining whether a behavior is an intended feature or a security flaw requires human judgment. More training data will not resolve that type of question.
What You Should Do About This
The economics of WordPress plugin vulnerabilities have changed permanently. Automated discovery at scale is already happening. Therefore, your approach to plugin security needs to adapt.
First, minimize your plugin count. Every plugin you run increases your attack surface. Remove anything you are not actively using.
Second, prioritize plugins from established developers with clear security track records. Free plugins from solo developers may serve a need, but they carry higher risk in this new environment.
Third, implement a process for rapid plugin updates. When vulnerabilities are discovered and disclosed faster, your response time matters more. Delays of even a few days could leave your site exposed.
Finally, consider whether your current WordPress care plan covers security monitoring and rapid response. If you are managing updates yourself, you are now competing against automated discovery tools that work 24/7.
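The downgrade chain described earlier and the hardening steps above both come down to the same routine check: know which plugins are installed, which are idle, which have pending updates, and whether any plugin version has moved backwards since the last time you looked. The following script is an added example written for this page; it is not the researchers' pipeline and not WordPress or WP-CLI code. It assumes the plugin list comes from the real WP-CLI command `wp plugin list --format=json` (whose `name`, `status`, `update`, `version` and `update_version` fields are real), while the plugin names, versions and the idea of a saved previous snapshot are constructed for illustration.

```python
"""Plugin hygiene report built from `wp plugin list --format=json` output.

Flags inactive plugins (attack surface to remove), plugins with a pending
update (apply quickly), and plugins whose version went backwards since the
previous snapshot (a possible downgrade, which should be investigated rather
than auto-fixed).
"""
import json

# Constructed sample of what `wp plugin list --format=json` prints today.
# Plugin names and versions are made up for this example.
CURRENT_SNAPSHOT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "example-forms", "status": "active", "update": "available",
     "version": "2.4.0", "update_version": "2.4.3"},
    {"name": "example-gallery", "status": "active", "update": "none", "version": "3.0.1"},
])

# Constructed sample of the same command's output saved by an earlier run
# (hypothetical nightly job). Note example-gallery was at 3.2.0 then.
PREVIOUS_SNAPSHOT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "example-forms", "status": "active", "update": "none", "version": "2.4.0"},
    {"name": "example-gallery", "status": "active", "update": "none", "version": "3.2.0"},
])


def parse_version(text):
    """Turn '3.2.0' or '1.10-beta' into a comparable tuple of integers.

    Non-numeric suffixes are dropped; missing components compare as 0.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def plugin_report(current_json, previous_json=None):
    """Compare the current plugin list (and optionally a previous one)."""
    current = {p["name"]: p for p in json.loads(current_json)}
    previous = {p["name"]: p for p in json.loads(previous_json)} if previous_json else {}

    report = {"remove": [], "update": [], "downgraded": []}
    for name, plugin in sorted(current.items()):
        # Inactive plugins still ship code that can be reached on disk; remove them.
        if plugin.get("status") == "inactive":
            report["remove"].append(name)

        # A pending update usually means a published fix; record current -> target.
        if plugin.get("update") == "available":
            report["update"].append(
                (name, plugin.get("version", "?"), plugin.get("update_version", "?"))
            )

        # Version moved backwards since the last snapshot: possible downgrade.
        old = previous.get(name)
        if old and parse_version(old["version"]) > parse_version(plugin["version"]):
            report["downgraded"].append((name, old["version"], plugin["version"]))
    return report


def remediation_commands(report):
    """Produce WP-CLI commands for the safe, mechanical actions only.

    Downgrades are deliberately not auto-reverted: they need a human to check
    whether the rollback was intentional before anything is changed.
    """
    cmds = [f"wp plugin delete {name}" for name in report["remove"]]
    cmds += [f"wp plugin update {name}" for name, _, _ in report["update"]]
    return cmds


if __name__ == "__main__":
    result = plugin_report(CURRENT_SNAPSHOT, PREVIOUS_SNAPSHOT)
    for section, items in result.items():
        print(f"{section}: {items}")
    for cmd in remediation_commands(result):
        print(cmd)
    for name, old, new in result["downgraded"]:
        print(f"INVESTIGATE: {name} went from {old} to {new}")
```

In practice you would pipe the real command output into `plugin_report` and keep each day's JSON on disk so the downgrade comparison has something to compare against; the downgrade list is the one finding the script refuses to fix on its own, because a silent rollback to an older, vulnerable version is exactly the pattern the article describes.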
The $20 WordPress plugin vulnerability is not coming. It is already here. Your security approach needs to account for that reality.
Key Takeaways
- The cost of finding serious security flaws in WordPress plugins just dropped to about $20 per vulnerability.
- When you divide the API costs by the number of verified vulnerabilities, you get approximately $20 per discovery. However, Yu was careful to add context.
- "This doesn't mean you can easily find a vulnerability in any WordPress site for just $20," he told Help Net Security.
- By requiring dynamic verification before any disclosure, the pipeline eliminated more than 80% of false positives.
- If you are managing updates yourself, you are now competing against automated discovery tools that work 24/7. The $20 WordPress plugin vulnerability is not coming; it is already here.
Original Source: www.helpnetsecurity.com
Sources
- $20 per zero — www.helpnetsecurity.com