Back to feed
Dev.to
Dev.to
6/22/2026
AI found 300 WordPress plugin zero-days in 72 hours. I build plugins. Here's what changed for me.

AI found 300 WordPress plugin zero-days in 72 hours. I build plugins. Here's what changed for me.

Short summary

AI tools discovered 300+ WordPress plugin zero-days in 72 hours, exposing the double-trust problem in AI-generated code: developers assume the AI output is safe, then treat it as trusted internally. The author now sanitizes all model output across input, output, and permissions layers. With a five-hour median from disclosure to mass exploitation and EU compliance requirements by September 2026, solo developers must treat vulnerabilities as discoverable in seconds and build disclosure channels before they become public CVEs.

  • AI-generated code introduces security gaps by skipping standard practices like output sanitization and permission checks
  • Developers must treat model output as untrusted input at three points: input validation, output sanitization, and permission verification
  • Five-hour median from vulnerability disclosure to mass exploitation and new EU disclosure requirements mean vulnerability channels are now essential infrastructure

Generated with AI, which can make mistakes.

Is this a good recommendation for you?

Explore more