Listen to this Post
Introduction: AI Is No Longer Predicting the Future of Cybersecurity, It Is Actively Shaping It
For years, discussions around artificial intelligence in cybersecurity have focused on potential rather than reality. Security professionals debated whether AI would eventually replace vulnerability researchers, automate penetration testing, or discover zero-day exploits faster than humans. Those conversations often remained theoretical because the available models lacked the reasoning capabilities needed for complex security analysis.
That landscape is rapidly changing.
A recent experiment by security researchers at Intruder demonstrates that modern Large Language Models (LLMs), even without next-generation reasoning models like Mythos, are already capable of discovering real-world vulnerabilities completely autonomously. Their research showcases an AI-driven vulnerability hunting pipeline that identified and successfully exploited a previously unknown SQL injection vulnerability inside a popular WordPress plugin used by more than 300,000 websites.
Rather than replacing human expertise, this breakthrough reveals something even more significant: AI has become a force multiplier capable of accelerating vulnerability discovery at a speed that traditional security research cannot easily match. As defenders gain access to these tools, attackers are likely doing the same, creating an entirely new phase in the cybersecurity arms race.
The Shift from AI Theory to Real-World Vulnerability Hunting
Artificial intelligence has already transformed numerous industries, but cybersecurity presents unique challenges.
Unlike image recognition or language generation, vulnerability research requires understanding thousands of interconnected functions, tracing data flows across applications, identifying unsafe assumptions, and chaining multiple weaknesses into a working exploit.
Until recently, this remained largely outside the capabilities of language models.
Intruder’s research set out to answer a practical question:
Can
The answer appears to be yes.
Instead of relying on future AI breakthroughs, the researchers built an automated pipeline using today’s commercially available language models together with established code analysis technologies.
The result was the discovery of a genuine zero-day vulnerability.
Why Simply Feeding an Entire Codebase to AI Fails
One of the biggest misconceptions surrounding AI code analysis is that developers can simply upload an entire software repository and ask an LLM to identify vulnerabilities.
Reality is much more complicated.
Modern software projects often contain thousands of files.
Attempting to process every source file introduces several major problems:
Massive token consumption
Context window limitations
Irrelevant code overwhelming useful information
Reduced reasoning accuracy
Loss of relationships between critical functions
Large language models excel when analyzing focused pieces of code.
However, once excessive unrelated context is introduced, the quality of analysis drops dramatically.
Finding a complex vulnerability often requires understanding only a tiny fraction of the application.
Everything else becomes distraction.
A Smarter Approach: Program Slicing Instead of Full Code Analysis
Rather than forcing AI to read an entire application, Intruder developed an intelligent preprocessing pipeline.
Instead of analyzing complete repositories, the system creates what researchers call a program slice.
A program slice contains only the functions, methods, and execution paths directly related to a potentially vulnerable operation.
This dramatically reduces irrelevant information while preserving every function needed for AI reasoning.
The concept resembles IDE features such as:
Find Implementation
Call Graph Analysis
Function Tracing
Language Server Protocol (LSP) dependency mapping
Traditional static analysis tools already perform these tasks efficiently.
The innovation lies in combining those mature technologies with LLM reasoning.
Building an Autonomous Vulnerability Discovery Pipeline
The research pipeline consists of several independent stages that together perform fully automated vulnerability research.
The process begins with Joern, a Code Property Graph (CPG) analysis framework widely respected in security research.
Joern scans the entire codebase looking for patterns that may indicate dangerous behavior.
Instead of searching only for confirmed vulnerabilities, the engine intentionally produces a large number of suspicious findings.
False positives are acceptable because AI performs later filtering.
This allows broader coverage without missing subtle bugs.
Finding Every Possible Attack Surface
For this experiment, researchers focused specifically on unauthenticated WordPress attack surfaces.
Joern searched for every location where user-controlled input could reach application logic.
These included:
REST API endpoints
AJAX handlers
Public hooks
Template functions
WordPress actions
External request handlers
Every discovered entry point became a candidate for deeper investigation.
Filtering Safe Code Before AI Gets Involved
Not every suspicious function represents an actual security issue.
Basic taint analysis removes obviously safe execution paths.
If user input passes through trusted sanitization routines or validated security controls, those slices are discarded before reaching the language model.
This significantly improves efficiency while reducing unnecessary AI computation.
Using Multiple AI Models for Different Tasks
Rather than relying on one giant language model, Intruder employed multiple specialized agents.
The first lightweight model performs rapid triage.
Its responsibilities include:
Removing harmless findings
Ignoring expected public endpoints
Filtering low-risk functions
Ranking suspicious behaviors
Only the most promising code slices move forward.
A larger reasoning model then performs deeper exploitability analysis using the complete execution context.
Because the model receives only relevant code, it avoids wasting reasoning power on unrelated files.
The Final Stage: Autonomous Exploitation
Once AI determines that a vulnerability appears exploitable, another autonomous agent begins constructing an actual exploit.
Unlike earlier stages, this agent gains controlled access to:
Full source code
Targeted searches
Docker testing environments
Runtime validation
Instead of merely suggesting a theoretical vulnerability, the system attempts to create a functioning proof-of-concept exploit.
This moves beyond vulnerability detection into fully automated offensive security research.
The First Discovery: CVE-2026-3985
The first vulnerability uncovered by the pipeline became CVE-2026-3985.
Researchers identified a blind SQL injection affecting the Creative Mail WordPress plugin.
The plugin had accumulated over 300,000 installations, making the discovery particularly significant.
Although exploitation requires WooCommerce to also be installed, WooCommerce itself powers millions of WordPress websites worldwide, making the vulnerable combination relatively common.
Understanding the SQL Injection
SQL injection remains one of the most dangerous web application vulnerabilities.
When user input reaches database queries without sufficient protection, attackers can manipulate SQL statements.
Successful exploitation may allow attackers to:
Read confidential database records
Extract administrator password hashes
Steal authentication tokens
Obtain API credentials
Escalate privileges
Move laterally throughout an application
The discovered vulnerability required multiple carefully chained requests, making detection significantly more difficult than traditional SQL injection flaws.
A Hidden Development Mistake
One particularly interesting aspect of this vulnerability was that the application’s own static analysis tools failed to detect it.
A subtle coding mistake obscured the vulnerable execution path.
Human researchers might eventually discover such flaws after extensive manual auditing.
The AI pipeline located it automatically.
AI Successfully Generated a Working Exploit
Perhaps the most remarkable achievement
The exploitation agent successfully generated:
A proof-of-concept exploit
Validation logic
Database extraction procedures
Password hash retrieval methods
All without human intervention.
This demonstrates that modern AI can already automate portions of penetration testing previously considered dependent upon expert researchers.
Responsible Disclosure Remains Critical
Researchers responsibly disclosed the vulnerability.
The issue was independently discovered by another researcher from CleanTalk Inc. and reported through Wordfence.
Following disclosure, the affected plugin was removed from the official WordPress repository pending security review and patch development.
This highlights that responsible disclosure remains essential even as AI accelerates vulnerability discovery.
Why This Matters Beyond One WordPress Plugin
This research is not important because of a single SQL injection.
Its significance lies in proving an entirely new research methodology.
Traditional vulnerability discovery often requires:
Manual auditing
Reverse engineering
Deep software knowledge
Significant engineering time
AI now performs portions of this process automatically.
As these systems mature, researchers may investigate thousands of software projects simultaneously.
That fundamentally changes software security economics.
Deep Analysis: AI-Powered Vulnerability Research and Offensive Security Commands
The techniques demonstrated by Intruder combine static analysis with automated exploit development. Security researchers commonly use the following tools and commands during authorized security assessments to identify data flows, inspect code, and validate findings. These examples are intended for defensive research and testing in controlled environments.
Analyzing Source Code with Joern
joern-parse .
joern
importCode("project")
Generating a Code Property Graph
joern-export --repr cpg
Searching for SQL Query Functions
scala
cpg.call.name(.query.).l
Finding User-Controlled Input
scala
cpg.method.name(.ajax.).l
Tracing Function Calls
scala
cpg.call.callee.l
Scanning a WordPress Installation
wpscan --url https://target-site.com
Running Static Analysis
semgrep scan .
Launching a Local Docker Test Environment
docker compose up -d
Inspecting HTTP Requests
curl -X POST http://localhost/wp-admin/admin-ajax.php
Monitoring SQL Queries
mysql -u root -p SHOW PROCESSLIST;
Reviewing Application Logs
tail -f /var/log/apache2/access.log
Searching for Unsanitized Variables
grep -R "\$_POST" .
grep -R \$_GET .
Validating WordPress Plugins
wp plugin list
These tools illustrate how traditional static analysis can be combined with AI-assisted reasoning to streamline vulnerability research. While automation can significantly improve efficiency, every discovered issue should still undergo responsible verification and disclosure before public release.
What Undercode Say:
Artificial intelligence has officially crossed an important milestone in cybersecurity. This research proves that AI is no longer just assisting developers by generating code or explaining vulnerabilities. It is actively participating in vulnerability discovery, exploit development, and security validation.
The most impressive aspect of this project is not that an AI found SQL injection. Static analyzers have located similar flaws for years. The real breakthrough is the orchestration of multiple intelligent stages that mimic the workflow of experienced penetration testers.
The use of program slicing is arguably more valuable than the language models themselves. By dramatically reducing contextual noise, the researchers solved one of the biggest weaknesses of modern LLMs. Instead of making models larger, they made their input smarter.
This approach represents a shift from brute-force AI reasoning toward context-aware security engineering.
Attackers are almost certainly experimenting with comparable pipelines.
Unlike human researchers, automated systems never become tired, never lose focus, and can continuously scan thousands of repositories around the clock.
Organizations should assume that vulnerability discovery timelines will continue shrinking.
Software vendors may soon face zero-day discoveries within days of releasing new code.
Traditional annual penetration testing will increasingly become insufficient.
Continuous AI-assisted security validation is likely to become the new industry standard.
Defensive security platforms must evolve at the same pace.
Static analysis alone is no longer enough.
Dynamic analysis alone is no longer enough.
Manual penetration testing alone is no longer enough.
Future security strategies will combine:
Static code analysis
Runtime analysis
AI reasoning
Autonomous exploit validation
Continuous deployment security
Automated patch verification
Another important takeaway is the modular design of Intruder’s pipeline.
Rather than expecting a single AI model to perform every task, specialized agents each solve a narrow problem.
This architecture resembles modern distributed systems more than traditional AI workflows.
It is scalable.
It is efficient.
Most importantly, it reflects how experienced security teams already operate.
As reasoning models continue improving, fewer false positives should remain.
Multi-stage vulnerabilities that once required weeks of investigation may soon be discovered in hours.
Security researchers will shift from manually finding vulnerabilities toward supervising autonomous research systems.
The cybersecurity workforce is unlikely to disappear, but its role will evolve dramatically.
Experts will increasingly focus on validating AI findings, coordinating responsible disclosure, and designing stronger defensive architectures.
This research also serves as a warning for organizations relying solely on legacy vulnerability scanners.
Traditional signature-based detection cannot keep pace with AI-generated attack discovery.
Companies should invest in secure development practices, continuous code review, automated testing, and rapid patch management before adversaries fully weaponize these capabilities.
The race is no longer between hackers and defenders alone.
It is becoming a race between autonomous security systems on both sides.
✅ Verified: Intruder publicly described an AI-assisted vulnerability research pipeline that combines static code analysis with large language models to discover and validate software vulnerabilities.
✅ Verified: The disclosed vulnerability, CVE-2026-3985, affected the Creative Mail WordPress plugin and involved a blind SQL injection requiring specific deployment conditions, including the presence of WooCommerce.
✅ Verified with Context: The article accurately demonstrates that current AI models can significantly assist vulnerability research. However, the success depended on a carefully engineered pipeline using static analysis, program slicing, and automated testing—not on a standalone language model analyzing an entire codebase by itself.
Prediction
(+1) AI-assisted vulnerability research platforms will become a standard component of enterprise Secure Development Lifecycle (SDLC) pipelines, allowing organizations to identify complex vulnerabilities before software reaches production.
(-1) Cybercriminal groups will increasingly adopt similar AI-driven workflows to automate zero-day discovery, reducing the time between software releases and real-world exploitation, thereby intensifying pressure on vendors to deliver continuous security updates rather than periodic patches.
▶️ Related Video (76% Match):
🕵️📝Let’s dive deep and fact‑check.
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.stackexchange.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube




