
Automated System for Reverse-Engineering WordPress Plugin CVEs Using AI
The video demonstrates an automated system for reverse-engineering WordPress plugin CVEs by analyzing publicly available patches. The presenter, NahamSec, built an AI agent that daily fetches critical WordPress CVEs (CVSS ≥6), compares vulnerable and patched code via diff analysis, and generates proof-of-concept (PoC) exploits alongside Nuclei templates. The workflow integrates Cloud Code (Anthropic’s Claude) as the processing engine and Zapier MCP as the automation layer, connecting GitHub for repository updates and Google Sheets for backup. The system targets WordPress plugins exclusively, leveraging Patchstack’s vulnerability database to identify affected versions and download source code from WordPress.org. A sample PoC confirmed unauthenticated SSRF with response reflection, illustrating the tool’s ability to extract attack vectors from code changes. The entire setup, including skills for diff analysis and report generation, is open-source and designed to scale via scheduled tasks. The video emphasizes WordPress as a training ground for broader CVE-reversing techniques applicable to closed-source targets.