
$20 per Zero-Day Is Already the WordPress Plugin Reality
Why It Matters
At roughly $20 per bug, AI can democratize large‑scale zero‑day discovery, forcing the security industry to rethink triage, disclosure, and defense models.
Key Takeaways
- AI pipeline uncovered 300+ critical WordPress plugin zero‑days in 72 hours
- Average cost per discovered vulnerability was about $20, based on token usage
- Manual verification took 30–60 minutes per finding, becoming the bottleneck
- AI‑generated false positives dropped over 80% thanks to dynamic verification
- Disclosure programs may shift to invite‑only models as AI noise rises
Pulse Analysis
The emergence of AI‑assisted vulnerability hunting marks a turning point for software security. By automating static code scans, containerized test environments, and dynamic verification, the TrendAI‑CHT pipeline showed that sophisticated exploits can be uncovered at unprecedented speed. Unlike earlier "AI slop" efforts that flooded researchers with low‑quality alerts, this system filtered out more than 80% of false positives before human review, demonstrating that intelligent orchestration can raise both the quantity and the quality of findings.
Economically, the operation's token consumption (about 222 million tokens across 95 tasks) equates to roughly $20 per confirmed zero‑day. That figure shatters previous assumptions about the cost barrier for large‑scale exploit discovery. For attackers, the low entry price means even modestly funded groups can field hundreds of weaponized bugs, amplifying the threat landscape for the sprawling WordPress ecosystem. Defenders, meanwhile, must grapple with a surge of high‑impact disclosures that outpace traditional manual triage, prompting a shift toward automated remediation pipelines and more aggressive patch management.
The disclosure pipeline itself is now the bottleneck. Human analysts spend 30 to 60 minutes validating each vulnerability, a cadence that cannot scale with AI‑generated volumes. Consequently, programs such as ZDI and NIST are already feeling backlog pressure, and industry insiders predict a move toward invite‑only or reputation‑based submission models. The long‑term remedy lies in "AI fighting AI": deploying automated verification and prioritization tools on the receiving end to filter noise, reserve expert time for complex cases, and sustain a viable vulnerability‑management ecosystem as AI continues to lower the cost of discovery.