AI Found 300 WordPress Plugin Bugs In 72 Hours

AI finds bugs fast. It also writes code fast. This creates a dangerous gap for plugin developers.

Security researchers used AI to find over 300 critical zero-day vulnerabilities in the WordPress ecosystem. They did this in only 72 hours.

The problem is vibe coding: developers ship code generated by LLMs that they cannot, or do not, audit. One plugin alone had 100 separate security issues traced to this.

AI removes your two old protections: time and obscurity.

Attackers now use AI to find holes. Developers use AI to write code. The code often skips security steps like:

  • Escaping output for the context it lands in (HTML, attribute, URL, SQL)
  • Capability checks (current_user_can) before a privileged action runs
  • Nonce validation (check_ajax_referer / wp_verify_nonce) on every state-changing request

The time from a public bug report to mass exploitation is now five hours. That is not a window to react. It is a race you will lose.

I learned this the hard way. I built an AI chatbot plugin. A security review found 35 bugs in my code. One was an HTML injection.

I made a mistake. I trusted the AI output. I thought because a model generated the text, it was safe. It was not. Model output is assembled from whatever reached the model: user prompts, retrieved pages, uploaded documents. Any of that can carry markup or script, so treat the reply like any other untrusted input: sanitize it on the way in and escape it on the way out.

I changed my workflow. I no longer assume code is safe just because it runs. I manually review every AI-written part in three areas:

  • Input: How data enters the system.
  • Output: How data leaves the system.
  • Permissions: Who can perform the action.

On the output side, I now use functions like esc_html and wp_kses. I use $wpdb->prepare for every database write. I check permissions with current_user_can at every entry point.
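The three-area review above, shown as an added example on a WordPress AJAX handler that stores a chatbot reply. This is not the author's plugin code. The "before" version carries the gaps the post names (no nonce, no capability check, interpolated SQL, unescaped model output); the "after" version closes them in the order permissions, nonce, input, storage, output. The table name `chatbot_log`, the action name `chatbot_save_reply`, the `edit_posts` capability and the allowed-tag list are assumptions chosen for the example. One caveat the post does not spell out: `$wpdb->prepare` matters for reads as much as writes, since any query that interpolates request data is injectable.

```php
<?php
// Added example (not the author's plugin). Table, action and capability names are hypothetical.

// BEFORE: vibe-coded handler. Shown for contrast only; deliberately NOT hooked with add_action().
function chatbot_save_reply_insecure() {
    global $wpdb;
    $reply   = $_POST['reply'];    // model output used verbatim
    $post_id = $_POST['post_id'];
    // Interpolated SQL: $post_id / $reply come straight from the request.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}chatbot_log (post_id, reply) VALUES ($post_id, '$reply')" );
    // Unescaped model output: stored and reflected HTML injection.
    echo '<div class="chatbot-reply">' . $reply . '</div>';
    wp_die();
}

// AFTER: hardened handler. wp_ajax_* fires for any logged-in user (a Subscriber included),
// so the capability check is still required; a valid nonce is not an authorization check.
add_action( 'wp_ajax_chatbot_save_reply', 'chatbot_save_reply_secure' );
function chatbot_save_reply_secure() {
    global $wpdb;

    // Permissions: who may perform this action.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Nonce: request must originate from a page we issued this nonce to. Dies on failure.
    check_ajax_referer( 'chatbot_save_reply', 'nonce' );

    // Input: the model's reply is untrusted (user prompts, fetched pages). Whitelist markup.
    $allowed = array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => array(), 'title' => array() ),
    );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $reply   = wp_kses( wp_unslash( $_POST['reply'] ?? '' ), $allowed );
    if ( 0 === $post_id || '' === $reply ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Storage: typed, prepared statement instead of string interpolation.
    $wpdb->insert(
        $wpdb->prefix . 'chatbot_log',
        array( 'post_id' => $post_id, 'reply' => $reply ),
        array( '%d', '%s' )
    );
    // Equivalent explicit form, and the same rule applies to SELECTs:
    // $wpdb->query( $wpdb->prepare(
    //     "INSERT INTO {$wpdb->prefix}chatbot_log (post_id, reply) VALUES (%d, %s)", $post_id, $reply ) );

    // Output: escape for the context each value lands in.
    wp_send_json_success( array(
        'html'  => wp_kses( $reply, $allowed ),         // HTML fragment: same whitelist on the way out
        'title' => esc_html( get_the_title( $post_id ) ), // plain text slot: entity-escape
    ) );
}

// Client side: the nonce is minted server-side and handed to the script that calls admin-ajax.php.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'chatbot', plugins_url( 'chatbot.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'chatbot', 'chatbotCfg', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'chatbot_save_reply' ),
    ) );
} );
```

The order in the hardened handler is deliberate: reject unauthorized callers before doing any work, then reject forged requests, then coerce and whitelist every field, and only then touch the database. Escaping happens last, at the point of output, because the right escaper depends on where the value ends up (HTML body, attribute, URL), not on where it came from.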

The real crisis is not just the bugs. It is the response time.

  • 52% of developers do not ship a patch before a bug goes public.
  • 46% of disclosed bugs have no fix available at all.

Most developers are solo authors. They do not get paid to fix bugs quickly. AI makes this gap visible.

If you ship plugins, do not just write carefully and hope. Assume attackers will find your holes in seconds.

Build these defenses:

  • Hand-review all input, output, and permissions.
  • Sanitize all model responses.
  • Create a way for people to report bugs to you privately.

A simple security contact in your readme is a start. You need a channel for reports before a bug becomes a public threat.

Source: https://dev.to/rapls/ai-found-300-wordpress-plugin-zero-days-in-72-hours-i-build-plugins-heres-what-changed-for-me-43na