The Feature That Became a Target
WordPress 7.0 'Armstrong,' released May 20, 2026, shipped the most ambitious update in WordPress history: a full AI agent infrastructure. WP AI Client provides a unified interface to Claude, Gemini, and GPT. The Connectors API stores API keys. The Abilities API exposes site operations to AI models. And a WordPress MCP Adapter lets AI coding agents manage WordPress installations directly.
Within two days, Patchstack founder Oliver Sild put into words what the security community was already thinking: 'WordPress 7.0 combined with plugin vulnerabilities equals free AI tokens. There will be an absolute rush by hackers to steal API keys.' The keys sit in wp_options — the same database table that every SQL injection vulnerability in WordPress history has targeted.
The $20 Zero-Day Assembly Line
Simultaneously, researchers demonstrated that AI-powered vulnerability scanning could find WordPress zero-days at industrial scale and negligible cost. 300+ critical vulnerabilities discovered in 72 hours. Average cost per zero-day: approximately $20 in compute time. Categories found: pre-authentication remote code execution, SQL injection hidden behind PHPCS annotations, privilege escalation through WordPress hooks, server-side request forgery, and downgrade attack chains.
The math is devastating. WordPress 7.0 stores high-value API keys in the same database accessible through the same vulnerability classes that AI scanners can now discover for $20 each. The attack surface expanded. The cost to exploit it collapsed. Both happened in the same month.
The SiteGround Distribution Problem
SiteGround, one of the largest WordPress hosting providers, pushed its AI Agent plugin across its entire hosting network. Over 1 million installations — not through user choice, but through automatic distribution as part of hosting infrastructure. Site owners who never asked for AI agent capabilities received them. Their sites now store API keys, expose MCP endpoints, and present attack surfaces that didn't exist before the hosting provider's update.
This is the WordPress distribution model working as designed. The same automatic update mechanism that pushes security patches also pushes new attack surface. The same hosting provider trust that keeps sites patched also enrolls them in AI agent experiments.
The Convergence WebPulse Predicted
WebPulse has been tracking two independent crisis vectors: WordPress's security architecture (18,005 CVEs, 11,334 new vulnerabilities in 2025, 5-hour median exploitation window) and the rise of AI agents as the dominant web consumers (57.5% bot traffic, 1,000x page multiplication). WordPress 7.0 merged them into a single attack surface.
A WordPress site with the Connectors API enabled is simultaneously: a target for traditional web exploitation (SQL injection, plugin vulnerabilities), a source of high-value AI API keys (worth actual money on underground markets), and an MCP endpoint that AI agents can discover and interact with. Three attack surfaces on one CMS.
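One way to audit the first two of those surfaces from the defender's side, as an added example that is not from this article or from WordPress itself: scan a site's wp_options values for strings shaped like provider API keys, so an operator can see whether credentials are sitting in plaintext where an injection would reach them. The key-shape regexes and the sample option names are assumptions; the input format is that of WP-CLI's `wp option list --format=json`.

```python
"""Audit wp_options for plaintext AI-provider API keys.

Feed it the output of `wp option list --format=json` (WP-CLI), or any
iterable of (option_name, option_value) pairs taken from a database dump.
The key-shape regexes are heuristic assumptions about commonly observed
provider prefixes, not an authoritative list.
"""
import json
import re

# Heuristic key shapes (assumption: based on commonly observed prefixes).
KEY_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    "google":    re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "openai":    re.compile(r"sk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
}


def find_plaintext_api_keys(rows):
    """Return [(option_name, provider, redacted_key)] for every option whose
    raw value contains a string shaped like a provider API key. The raw text
    is scanned, so keys inside PHP-serialized arrays or JSON blobs are found too."""
    findings = []
    for name, value in rows:
        text = value if isinstance(value, str) else json.dumps(value)
        for provider, pattern in KEY_PATTERNS.items():
            for match in pattern.findall(text):
                # Keep only a prefix so the report itself does not leak the key.
                findings.append((name, provider, match[:10] + "..."))
    return findings


def load_wp_cli_json(text):
    """Parse `wp option list --format=json` output into (name, value) pairs."""
    return [(o["option_name"], o["option_value"]) for o in json.loads(text)]


if __name__ == "__main__":
    # Constructed sample: option names and key values below are fake.
    SAMPLE = json.dumps([
        {"option_name": "siteurl", "option_value": "https://example.com"},
        {"option_name": "example_ai_connector",
         "option_value": 'a:1:{s:3:"key";s:41:"sk-ant-api03-EXAMPLEEXAMPLEEXAMPLEEXAMPLE";}'},
        {"option_name": "example_maps",
         "option_value": '{"key":"AIzaEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE"}'},
    ])
    for finding in find_plaintext_api_keys(load_wp_cli_json(SAMPLE)):
        print("plaintext key in option %r (%s): %s" % finding)
```

A clean result means only that no key matched these shapes; a hit means the credential is readable by anything that can read wp_options, which is the exposure the article describes.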
The frameworks that don't store API keys in databases — because they don't have databases — don't have this problem. Hugo generates static HTML. Astro generates static HTML. Neither stores secrets in a SQL-injectable table. In the AI agent era, the architectural decision that matters most is whether your framework stores valuable credentials in a place attackers already know how to reach.