John Waiveris
johnw@waiveris.com - (860) 285-0172

AI-Assisted WordPress Vulnerability Research
Built a custom Python scanner using the Anthropic SDK to perform static analysis across ~46,500 PHP files spanning 138 plugins and 28 themes pulled from ten managed client WordPress sites.

Spot-tested three plugins (114 files) and produced 162 findings: 89 High, 61 Medium, 12 Low. Critical findings include unauthenticated exploits requiring zero credentials — remote license deactivation, full options read/write, and a systemic permission bypass affecting every REST route in one plugin. Also traced a complete contributor-to-admin takeover chain: stored XSS in post meta leading to admin session hijack and silent password reset, achievable from a freely obtainable account.
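
An added example, not the author's scanner or any of its output, of how an LLM-assisted static-analysis pass over WordPress plugin PHP can be shaped. It pairs a deterministic pre-check for REST routes registered with no effective permission_callback (the pattern behind an "every route is unauthenticated" bug) with a model call whose reply is parsed as structured findings. The Anthropic SDK call uses the real Messages API shape but is only constructed when a caller asks for it, so the module runs offline; the model id is left to the caller, and the sample PHP files and the fake model reply are constructed for this example.

```python
"""Added example (not the author's scanner): LLM-assisted static analysis of
WordPress plugin PHP with a deterministic REST permission_callback pre-check
and an injectable model backend so the module runs offline."""
import json
import re
from typing import Callable

SEVERITIES = ("High", "Medium", "Low")
RETURN_TRUE_RE = re.compile(r"permission_callback['\"]?\s*=>\s*['\"]__return_true['\"]")
ROUTE_RE = re.compile(r"^\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]")

def call_bodies(php: str, func: str) -> list[str]:
    """Argument text of each func(...) call, matched by paren depth while
    skipping quoted strings so a ')' inside a literal cannot end the call."""
    bodies = []
    for m in re.finditer(r"\b" + re.escape(func) + r"\s*\(", php):
        i = start = m.end()
        depth, quote = 1, None
        while i < len(php) and depth:
            c = php[i]
            if quote:
                if c == "\\":
                    i += 1              # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in "'\"":
                quote = c
            elif c in "()":
                depth += 1 if c == "(" else -1
            i += 1
        if depth == 0:
            bodies.append(php[start:i - 1])
    return bodies

def triage_rest_routes(php: str) -> list[dict]:
    """WordPress treats a missing permission_callback as public (with a
    _doing_it_wrong notice since 5.5); '__return_true' says so explicitly."""
    hits = []
    for body in call_bodies(php, "register_rest_route"):
        if RETURN_TRUE_RE.search(body):
            why = "permission_callback is __return_true"
        elif "permission_callback" not in body:
            why = "permission_callback missing"
        else:
            continue
        m = ROUTE_RE.match(body)
        route = m.group(1) + m.group(2) if m else "?"
        hits.append({"severity": "High", "evidence": why,
                     "title": f"Unauthenticated REST route {route}"})
    return hits

PROMPT = ("Review this WordPress plugin PHP file for security bugs. Pre-check hints: "
          "{hints}. Reply with a JSON array only; items have keys severity "
          "(High|Medium|Low), title, line, evidence.\n\n{code}")

def anthropic_ask(model: str) -> Callable[[str], str]:
    """Real backend via the Anthropic Messages API, imported lazily so the
    module itself needs no network; the model id is the caller's choice."""
    import anthropic                    # needs ANTHROPIC_API_KEY set
    client = anthropic.Anthropic()
    return lambda prompt: client.messages.create(
        model=model, max_tokens=4096,
        messages=[{"role": "user", "content": prompt}]).content[0].text

def parse_findings(raw: str) -> list[dict]:
    """Keep only a well-formed JSON array of dicts with a title; unknown
    severities are bucketed as Low so a reviewer still sees them."""
    lo, hi = raw.find("["), raw.rfind("]")
    try:
        items = json.loads(raw[lo:hi + 1]) if 0 <= lo < hi else []
    except json.JSONDecodeError:
        return []
    return [{"severity": it.get("severity") if it.get("severity") in SEVERITIES else "Low",
             "title": str(it["title"]), "line": it.get("line"),
             "evidence": str(it.get("evidence", ""))}
            for it in items if isinstance(it, dict) and "title" in it]

def scan(files: dict[str, str], ask: Callable[[str], str]) -> list[dict]:
    """Pre-check findings plus model findings per file; each starts as
    'open' so false positives are recorded later, not deleted."""
    out = []
    for path, code in files.items():
        pre = triage_rest_routes(code)
        hints = "; ".join(h["title"] for h in pre) or "none"
        for f in pre + parse_findings(ask(PROMPT.format(hints=hints, code=code))):
            out.append({"file": path, "status": "open", **f})
    return out

# Constructed sample inputs for this example; not taken from any real plugin.
SAMPLE_FILES = {
    "vuln/rest.php": """<?php
register_rest_route( 'vp/v1', '/options', array(
    'callback' => function ( $req ) { update_option( $req['k'], $req['v'] ); },
    'permission_callback' => '__return_true',
) );
register_rest_route( 'vp/v1', '/status', array( 'callback' => 'vp_status' ) );
""",
    "clean/rest.php": """<?php
register_rest_route( 'cp/v1', '/settings', array( 'callback' => 'cp_save',
    'permission_callback' => function () { return current_user_can( 'manage_options' ); }, ) );
""",
}

def fake_ask(prompt: str) -> str:
    """Offline stand-in for the model; its reply is constructed, not real."""
    if "update_option(" in prompt:
        return json.dumps([{"severity": "High", "title": "Unauthenticated arbitrary option write",
                            "line": 3, "evidence": "update_option( $req['k'], $req['v'] )"}])
    return "[]"
```

Running `scan(SAMPLE_FILES, fake_ask)` yields three High findings, all on `vuln/rest.php`: the two pre-check hits for the `vp/v1/options` and `vp/v1/status` routes and the fake model's option-write finding; the clean file, whose route checks `current_user_can`, produces nothing. Swap `fake_ask` for `anthropic_ask("<model id>")` to run against the real API. The pre-check is deliberately cheap and deterministic so that a route-level authorization gap is reported even when the model misses it, and the `status` field is where a confirmed false positive gets recorded instead of being dropped from the log.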

All plugin and theme names are withheld pending coordinated vendor disclosure. Two confirmed false positives are acknowledged explicitly in the findings log. Full corpus scan estimated at $244–$1,220 depending on model selection (Haiku to Opus);