WordPress Plugin Zero-Day Exploits Selling for $20: A Growing Reality
Vulnerability Researchers Uncover Critical Flaws in WordPress Plugin Ecosystem
A recent study conducted by researchers from TrendAI and CHT Security has shed light on the alarming rate at which critical zero-day vulnerabilities are being uncovered in the WordPress plugin ecosystem.
The Economics of Vulnerability Discovery
According to Steven Yu, a threat research engineer at TrendAI, the AI-powered discovery pipeline consumed approximately 222 million tokens across 95 tasks during the campaign, which works out to an average of around $20 per vulnerability discovered.
“This figure does not imply that vulnerabilities can be easily found in any WordPress site for a mere $20, as the success of such an endeavor heavily relies on the security of the underlying codebase.”
— Steven Yu, Threat Research Engineer at TrendAI
Threat Actor Behavior
Yu noted that both white-hat and black-hat actors are already leveraging similar pipeline technologies to identify and exploit vulnerabilities at scale. The vulnerability classes the pipeline surfaced include:
- Pre-authentication remote code execution
- SQL injection hidden behind PHPCS annotations
- Privilege escalation through the WordPress hook system
- Server-side request forgery
- Downgrade attack chains
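The second item, SQL injection hidden behind PHPCS annotations, refers to a `// phpcs:ignore` or `phpcs:disable` comment that silences the WordPress Coding Standards `WordPress.DB.PreparedSQL` sniff, so a query that still builds SQL from untrusted input passes CI linting without complaint. The following is an added example and not code from the study or from any plugin it examined: a Python audit script that treats such a suppression as a signal rather than a pass, pairs it with the `$wpdb` call it covers, and flags that call when any variable other than `$wpdb->prefix` reaches the SQL string without `$wpdb->prepare()`. It also notes whether the enclosing function is registered on a `wp_ajax_nopriv_` hook, which is what turns the bug into a pre-auth one. The embedded plugin fragment (the `myplugin_*` functions, table name and hook) is constructed for this example; the sniff names are the real WPCS ones, but the check itself is a heuristic over source text, not a PHP parser.

```python
"""Audit WordPress plugin source for SQL queries whose PHPCS warning was silenced.

Added example: flags $wpdb calls that sit under a phpcs:ignore/disable of the
WordPress.DB.PreparedSQL sniff and still build SQL from interpolated or concatenated
PHP variables without $wpdb->prepare(). The suppression is treated as a signal, not a pass.
"""
import re
from dataclasses import dataclass

# Constructed plugin fragment for this example; it is not taken from any real plugin.
SAMPLE_PLUGIN_SOURCE = r'''<?php
// Constructed plugin fragment for this example; it is not taken from any real plugin.
add_action( 'wp_ajax_nopriv_myplugin_lookup', 'myplugin_lookup' );
function myplugin_lookup() {
    global $wpdb;
    $slug = $_GET['slug'];
    // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE slug = '$slug'" );
    wp_send_json( $row );
}

function myplugin_delete() {
    global $wpdb;
    // phpcs:disable WordPress.DB.PreparedSQL.NotPrepared
    $wpdb->query( "DELETE FROM " . $wpdb->prefix . "myplugin_items WHERE id = " . $_POST['id'] );
    // phpcs:enable
}

function myplugin_lookup_safe( $slug ) {
    global $wpdb;
    // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- only $wpdb->prefix is interpolated
    return $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE slug = %s", $slug ) );
}
'''

SUPPRESSION = re.compile(r'phpcs:(?:ignore|disable)\b.*WordPress\.DB\.PreparedSQL')
WPDB_CALL = re.compile(r'\$wpdb->(query|get_row|get_results|get_var|get_col)\s*\(')
PREPARED = re.compile(r'\$wpdb->prepare\s*\(')
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted PHP strings interpolate $vars
SQ_STRING = re.compile(r"'(?:[^'\\]|\\.)*'")     # single-quoted strings do not
PHP_VAR = re.compile(r'\$(\w+)')


@dataclass
class Finding:
    line: int               # 1-based line of the $wpdb call
    call: str               # which $wpdb method was used
    suppression_line: int   # the phpcs annotation that silenced the sniff
    function: str           # enclosing PHP function, if one was found
    inputs: list            # variables that reach the SQL string unprepared
    unauthenticated: bool   # enclosing function is registered on a wp_ajax_nopriv_ hook


def unprepared_inputs(stmt: str) -> list:
    """Names of PHP variables that flow into the SQL of `stmt` without $wpdb->prepare()."""
    if PREPARED.search(stmt):
        return []
    args = stmt[WPDB_CALL.search(stmt).end():]
    names = []

    def _collect(m):                        # variables interpolated inside "..." strings
        names.extend(PHP_VAR.findall(m.group(1)))
        return '""'

    rest = DQ_STRING.sub(_collect, args)
    rest = SQ_STRING.sub("''", rest)
    names.extend(PHP_VAR.findall(rest))     # variables concatenated in with "."
    return [n for n in names if n != 'wpdb']   # $wpdb->prefix / $wpdb->tablename are not inputs


def enclosing_function(lines, idx):
    """Walk backwards from line index `idx` to the nearest PHP function declaration."""
    for k in range(idx, -1, -1):
        m = re.search(r'\bfunction\s+(\w+)\s*\(', lines[k])
        if m:
            return m.group(1)
    return ''


def find_suppressed_unprepared_queries(source: str, window: int = 3) -> list:
    """Pair each PreparedSQL suppression with the $wpdb call it covers and check that call."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not SUPPRESSION.search(line):
            continue
        for j in range(i + 1, min(i + 1 + window, len(lines))):
            m = WPDB_CALL.search(lines[j])
            if not m:
                continue
            inputs = unprepared_inputs(lines[j])
            if inputs:
                fn = enclosing_function(lines, j)
                nopriv = bool(fn and re.search(
                    r"wp_ajax_nopriv_\w+'\s*,\s*'" + re.escape(fn) + "'", source))
                findings.append(Finding(j + 1, m.group(1), i + 1, fn, inputs, nopriv))
            break   # one annotation covers one statement; stop at the first $wpdb call
    return findings


if __name__ == '__main__':
    for f in find_suppressed_unprepared_queries(SAMPLE_PLUGIN_SOURCE):
        reach = 'pre-auth' if f.unauthenticated else 'auth required / unknown'
        print(f'line {f.line}: $wpdb->{f.call}() in {f.function}() uses ${", $".join(f.inputs)} '
              f'unprepared; sniff silenced on line {f.suppression_line} ({reach})')
```

On the constructed fragment the script reports the `get_row()` in `myplugin_lookup()` (reachable unauthenticated via the `wp_ajax_nopriv_` hook) and the `query()` in `myplugin_delete()`, and stays silent on `myplugin_lookup_safe()`, whose suppression covers a query that is actually prepared. Run over real plugin source, the flagged suppression lines are where manual review should start; note that the `unauthenticated` flag only looks for a `wp_ajax_nopriv_` registration in the same file, so a `False` there does not establish that the path requires authentication.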
One notable example involves a plugin with over 1,000 GitHub stars, where the researchers identified a pre-auth RCE vulnerability.
“The AI-powered pipeline successfully constructed a downgrade attack chain without any human guidance, demonstrating its potential for sophisticated exploitation.”
— Steven Yu, Threat Research Engineer at TrendAI
Disclosure Infrastructure Under Strain
The study highlights the challenges faced by coordinated-disclosure and vulnerability-database organizations such as ZDI and NIST, which are struggling to cope with the influx of AI-generated vulnerability reports.
The current human-centric triage model is becoming unsustainable, given the rapid pace at which AI-powered discoveries are emerging.
In response, several vendors are shifting towards invite-only or membership-based disclosure programs, prioritizing researchers with established track records and rejecting AI-generated noise.
The long-term solution lies in developing more automation capabilities, particularly in the area of AI-assisted triage, allowing human experts to focus on the most complex cases.