CVE-2026-3985 — a blind SQL injection in the Creative Mail WordPress plugin — was the first zero-day this automated pipeline “vended,” capable of extracting password hashes and secret tokens from a live database.
Intruder's pipeline: Joern, program slices, Sonnet and Opus
The team at Intruder built an automated chain that starts with a code-scanning engine and ends with a working exploit. Their pipeline uses Joern to scan a codebase, generates targeted program slices for each finding, and then hands those slices to a sequence of language models for triage, assessment, and exploitation. The system deliberately errs on loose detection rules in Joern to create many high-signal candidates, then relies on models to filter false positives.
The slicing step is key: rather than feeding an entire repository to a model, the pipeline extracts the function called by a hook and every method it calls down the chain. Intruder calls this a program slice — analogous to IDE or LSP features such as “find implementation” or a call graph — and uses basic taint-tracking to rule out trivially safe flows before involving models.
Why whole-codebase LLM scans fail — and how slicing fixes focus
Intruder’s engineers argue that pointing a large language model at an entire codebase dilutes context and accuracy. A model ingesting thousands of files can quickly fill its token window with irrelevant code, burying the real bug in noise. By contrast, slices present a compact, relevant context to the model so it can reason across multiple chained steps without hunting through unrelated source.
The design was inspired by nooperator’s work on Slice, but Intruder chose Joern over CodeQL and adapted the slicing algorithm for the specific vulnerability classes they targeted. They also used a lightweight triage model (Sonnet) to discard obviously uninteresting hooks before passing candidates to a heavier model (Opus) for exploitability assessment.
The bug: CVE-2026-3985 in Creative Mail and why it mattered
The pipeline produced CVE-2026-3985, a blind SQL injection in the Creative Mail plugin. The vulnerability was notable for several reasons highlighted by Intruder:
- High impact — it can grant an attacker read access to the database, including admin hashes and secret tokens.
- Multi-stage exploitation — the exploit requires chaining several requests, a pattern that can evade many traditional tools.
- Hidden from vendor tooling — the root cause escaped the plugin developer’s static analysis because of a coding mistake that obscured the flow.
Exploitation requires WooCommerce to be installed alongside Creative Mail; Intruder noted WooCommerce’s prevalence in the WordPress ecosystem by pointing out it has over 7 million active installs. The Creative Mail plugin itself was described as having over 300,000 users. The vulnerability was also independently discovered by Dmitrii Ignatyev of CleanTalk Inc., who reported it to Wordfence. Creative Mail was pulled from the WordPress store pending review; Intruder advised users running Creative Mail with WooCommerce to disable the plugin until a patch is available.
Automated exploitation: Dockerized agents and live testing
Anything the models judged exploitable was passed to a final exploitation agent. That agent can access full source again, run targeted searches for relevant code, and spin up a Docker container running the software to develop and test an exploit. In the Creative Mail case, the exploitation agent produced a one-shot proof-of-concept and a full extraction method capable of pulling password hashes from the database.
Intruder describes the whole end-to-end flow as automated “with no human in the loop,” using current, pre-Mythos models. They reported further vulnerabilities to affected vendors — those findings remain under disclosure — and convert surfaced issues into detection checks within the Intruder scanning platform so future scans will flag the same bugs.
What this means for security teams, WordPress plugin authors, and attackers
- Security teams: Intruder positions its AI pentesting agents as a way to deliver manual-engagement depth on demand, with audit-ready reports in hours and the ability to test with every release to shorten windows of exposure.
- WordPress plugin authors and vendors: The Creative Mail case shows that developer static analysis can miss chained, multi-request flaws; maintainers should consider targeted slicing and dynamic testing approaches and heed the immediate mitigation advice (disable Creative Mail when paired with WooCommerce) until patches arrive.
- Attackers and defenders both: Intruder warns that attackers are already using similar tooling to feed AI high-signal input, so the speed advantage demonstrated by this vending pipeline is not unique to defenders — detection must keep pace with automated discovery and exploitation.
Intruder’s experiment demonstrates a concrete shift: AI-assisted tooling, when paired with program slicing and targeted dynamic testing, can surface and exploit complex, real-world vulnerabilities in heavily scrutinized code. The next steps are practical ones — vendors patching disclosed bugs, defenders integrating generated checks into scanning platforms, and the broader community deciding how to balance automation’s speed against detection and remediation capabilities.




