BleepingComputer ·EN-US News source PoC publicCreative Mail WordPress Plugin
We built a vulnerability vending machine: AI tokens in, zero-days out
CVE Tools coverage
A new research project demonstrates how AI can automate the discovery of exploitable vulnerabilities in production software. Using a custom pipeline combining code scanning and large language models, the team at Intruder identified a critical SQL injection flaw in the Creative Mail WordPress Plugin (CVE-2026-3985). The vulnerability allows unauthenticated attackers to extract sensitive data like admin hashes and secret tokens from vulnerable sites. The flaw was exploited using a multi-step attack chain that bypasses traditional detection methods. The plugin has been removed from the WordPress store pending a fix. Users should disable it immediately if running alongside WooCommerce.