AI Found 300 WordPress Plugin Vulnerabilities in 72 Hours
AI finds bugs in seconds. This changes everything for developers.
A recent security scan found over 300 critical zero-day vulnerabilities in WordPress plugins in just 72 hours. Researchers trace many of them to "vibe coding": developers shipping AI-generated code without auditing it.
One agency found 100 security issues in a single AI-generated plugin.
AI works on both sides. It writes code fast, but it often skips security steps like input sanitization, output escaping and capability checks. At the same time, attackers use AI to find those same holes almost instantly.
The old safety nets are gone. Obscurity and time no longer protect your code. Data shows mass exploitation happens in about five hours after a bug becomes public. That is not enough time to react.
I learned this the hard way. I built an AI chatbot plugin. A security review found 35 bugs in my code. The worst was an HTML injection. I trusted the AI output. I thought because the AI wrote it, it was safe.
It was not. Model output can carry attacker-controlled content: text a user pasted into the chat, or a page the model fetched from an external site. If you render that output as trusted HTML, you turn the chatbot into an injection point.
I changed my workflow. I no longer assume "it runs" means "it is safe." I now manually review every AI-written handler in three areas:
• Input: how data enters the system.
• Output: how data leaves the system. I treat AI responses as untrusted input. I use functions like esc_html and wp_kses.
• Permissions: I check user capabilities and nonces at every entry point.
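The three checks above, in code. This is an added example, not the author's chatbot plugin: it shows the shape of an unaudited AJAX handler next to a hardened one. The action name chatbot_reply, the nonce action chatbot_reply_nonce, the script handle chatbot-js and the chatbot_call_model() stub are assumptions; the WordPress functions (check_ajax_referer, current_user_can, sanitize_textarea_field, wp_unslash, esc_html, wp_kses, wp_send_json_*) are real core APIs.

```php
<?php
/**
 * Plugin Name: Chatbot Handler Hardening (added example, not the original plugin)
 */

// Hypothetical model call. A real plugin would call an LLM API here and get
// back text that is every bit as untrusted as a form field.
function chatbot_call_model( string $message ): string {
    return 'You said: ' . $message;
}

// BEFORE: the typical shape of an unaudited AI-generated handler.
// Deliberately not hooked; kept only for comparison.
function chatbot_reply_unsafe() {
    $message = $_POST['message'];                  // no sanitization, no nonce, no capability check
    $reply   = chatbot_call_model( $message );     // model output trusted as-is
    echo '<div class="bot">' . $reply . '</div>';  // raw HTML into the page: injection
    wp_die();
}

// AFTER: permission, input and output checks at the entry point.
// Assumption: chat is for logged-in users only. For a public chat you would add
// the wp_ajax_nopriv_ hook, drop the capability check and add rate limiting,
// but keep the nonce and every sanitize/escape step.
add_action( 'wp_ajax_chatbot_reply', 'chatbot_reply_safe' );

function chatbot_reply_safe() {
    // Permissions: the nonce ties this request to a page this site served.
    // check_ajax_referer() dies with a 403 on failure.
    check_ajax_referer( 'chatbot_reply_nonce', 'nonce' );

    // Permissions: require an explicit capability (assumption: 'read').
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Input: unslash, sanitize and bound the length before it goes anywhere.
    $message = isset( $_POST['message'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) )
        : '';
    if ( '' === $message || strlen( $message ) > 2000 ) {
        wp_send_json_error( array( 'message' => 'Invalid message' ), 400 );
    }

    $reply = chatbot_call_model( $message );

    // Output: the model's reply is untrusted input. Either escape it to plain text...
    $plain = esc_html( $reply );

    // ...or, if you render limited markup, allow only a small tag set. wp_kses()
    // also drops unsafe URL schemes such as javascript: from href.
    $allowed = array(
        'p'      => array(),
        'strong' => array(),
        'em'     => array(),
        'code'   => array(),
        'a'      => array( 'href' => array(), 'rel' => array() ),
    );
    $html = wp_kses( $reply, $allowed );

    wp_send_json_success( array( 'text' => $plain, 'html' => $html ) );
}

// Issue the nonce to the front-end script (assumption: a registered handle 'chatbot-js').
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'chatbot-js', 'chatbotCfg', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'chatbot_reply_nonce' ),
    ) );
} );
```

On the browser side, put the text field into the DOM with textContent, never innerHTML; only the wp_kses-filtered html field is safe to insert as markup, and even then only because the allowed tag list is small.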
The real problem is not only the code. It is response time. Many developers do not have a patch ready when a bug goes public, and many plugins never get a fix at all.
If you are a solo developer, you cannot just write carefully and hope for the best. You need a way for people to tell you about bugs before they go public.
By late 2026, EU law (the Cyber Resilience Act) will require vulnerability disclosure processes. For solo authors, this can be simple. Add a security contact to your readme file. Give people a private place to send reports.
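One standard way to publish that private contact, alongside the readme line, is a security.txt file served at /.well-known/security.txt (RFC 9116). This is an added example, not something from the original post; example.com and the addresses are placeholders.

```text
# /.well-known/security.txt for a hypothetical plugin author's site (RFC 9116).
# Contact: where to send reports privately; list the most preferred first.
Contact: mailto:security@example.com
Contact: https://example.com/security-report
# Expires: required; reporters treat a stale file as unmaintained. Refresh it yearly.
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
# Canonical: the URL this file lives at, so a copied file can be spotted.
Canonical: https://example.com/.well-known/security.txt
# Policy: your disclosure rules (what you will fix, how fast, whether you credit reporters).
Policy: https://example.com/security-policy
```

Point the same mailbox from the plugin's readme so that someone reading the plugin listing and someone probing the site both find it.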
Do not wait for a public exploit. Build the systems to catch bugs before the five-hour timer starts.
Optional learning community: https://t.me/GyaanSetuAi
