Vulnerability vending machine: an AI pipeline that finds and exploits zero-days
On July 15, 2026, Intruder detailed an LLM pipeline that autonomously surfaced 300+ flaws, including an unauthenticated SQL injection in a WooCommerce email plugin used on 300,000+ WordPress sites.
What is this?
On July 15, 2026, the security firm Intruder published a write-up of what it calls a vulnerability vending machine: an automated pipeline that pairs classic program analysis with large language models and, as the team put it, turns AI tokens into zero-days. The claim is concrete rather than aspirational — the pipeline surfaced more than 300 findings across real-world code and, in at least one case, drove an issue from discovery through a working exploit with no human in the loop.
The headline result is a previously unknown, unauthenticated SQL injection in a widely deployed WordPress email-marketing plugin used on more than 300,000 sites. The flaw itself was assigned a CVE and publicly disclosed in May 2026; what is new in the July write-up is the disclosure of the machinery behind it. This is a report on an offensive-capability demonstration by a named vendor, using publicly documented vulnerabilities — not a how-to. We do not reproduce the injection technique here.
How it works
The pipeline’s core trick is not “ask an LLM to find bugs in this file.” Feeding a whole codebase to a model produces noise: hallucinated flaws, missed cross-file data flows, and context windows that overflow before the interesting path is reached. Intruder’s approach instead uses code slicing — a program-analysis technique that extracts just the statements relevant to a given variable or sink — to hand the model a tight, semantically complete slice of code rather than an entire repository. The LLM reasons over that focused slice, proposes candidate vulnerabilities, and the framework then attempts to validate them.
According to the write-up, the run produced a broad spread of finding types: pre-authentication remote code execution, SQL injection concealed behind linter-suppression annotations, privilege escalation through the WordPress hook system, server-side request forgery, and a downgrade attack chain. The email-plugin case is instructive precisely because it is the kind of bug traditional scanners tend to miss: it is unauthenticated but only reachable when a companion e-commerce plugin is installed, and it requires multiple chained requests to trigger, so a single-request signature never fires. Notably, the team reports it ran on current frontier models available before the Mythos-class tier — the point being that this capability does not depend on a not-yet-released model.
Why it matters
The significance is economic, not just technical. Help Net Security framed the same trend in May 2026 with a blunt figure — roughly $20 per zero-day is already the WordPress-plugin reality — and the vending-machine framing makes the incentive explicit: if a flaw costs a few dollars of inference to find, mining an entire plugin ecosystem becomes rational for attackers, not just researchers. The WordPress plugin marketplace, with tens of thousands of extensions of wildly varying code quality, is an almost ideal target surface for this.
This is the offensive mirror of a trend we have tracked on the defensive side. It rhymes with Microsoft folding AI-driven discovery into the Windows patch cycle, with the AI-driven flood of open-source vulnerability reports, and with research pipelines such as Knostic’s OpenAnt closed-loop discovery and Microsoft’s MDASH multi-model scanning. The same capability that lets a defender pre-empt bugs lets an attacker vend them; the deciding factor is who runs the pipeline and how fast maintainers can respond. It also fits the pattern behind AI-authored zero-day fingerprints: AI-found flaws are becoming a routine input to the disclosure economy rather than an exotic event.
Defenses
For plugin and application maintainers, the actionable lesson is that the root causes here are old and fixable. The SQL injection existed because user input reached a query without parameterization — the standard mitigation is prepared statements ($wpdb->prepare() in WordPress) and strict input validation on every externally controllable parameter, including ones only reachable through a second installed component. Do not treat a linter-suppression annotation as security: the pipeline specifically found injection hidden behind a PHPCS ignore comment, so suppressing a static-analysis warning does not remove the bug, it only hides it from the next reviewer. Map multi-plugin interaction paths, because “unauthenticated but only exploitable when plugin X is also present” is exactly the composite condition automated tooling now excels at finding and human review tends to skip.
For operators, assume your dependencies are being scanned at machine speed and price your patch cadence accordingly. Inventory plugins and their companion dependencies, subscribe to vulnerability feeds for the ones you run, and prioritize by exploitability and exposure rather than treating every advisory equally. Give database accounts least privilege so a read-oriented injection cannot reach admin hashes and secrets, put a web application firewall in front of chained-request patterns, and monitor for the multi-stage request sequences that single-signature detection misses. The broader takeaway is that AI lowers the cost of finding the boring, well-understood bug classes — so the defensive win is still shipping code without them, and shrinking the window between public disclosure and deployed patch.
Status
| Item | Detail |
|---|---|
| Disclosure | Intruder, “We built a vulnerability vending machine,” 2026-07-15 |
| Method | Code slicing + LLM reasoning over focused slices, with automated validation |
| Reported scope | 300+ findings: pre-auth RCE, SQLi, privilege escalation, SSRF, downgrade chains |
| Flagship case | Unauthenticated SQL injection in Creative Mail (Constant Contact) WordPress plugin, 300,000+ installs; DB read access; requires WooCommerce; CVE-2026-3985 (CVSS 7.5), affects ≤ 1.6.9, disclosed May 2026 |
| Models used | Frontier models available prior to the Mythos-class tier |
| Nature | Offensive-capability demonstration using publicly disclosed vulnerabilities; no exploit reproduced here |
This article summarizes vendor and third-party reporting as of 2026-07-15. Patch availability for the referenced plugin may have changed since the May 2026 disclosure — verify the current fixed version on the WordPress plugin repository before relying on any mitigation.