← Back to Security Blog
📅 2026-03-12 ⏱ 10 min read AI Security Research Vulnerability

AI Browser Agents Hacked in Under 4 Minutes — Agentic Blabbering, WordPress SQLi & n8n RCE Exploited in the Wild

Perplexity's Comet AI browser was tricked into a phishing scam in under four minutes. A critical WordPress SQLi hits 250K+ sites. CISA orders emergency patches for actively exploited n8n RCE. The attack surface of autonomous AI tools is expanding faster than defenses.


🤖 AI Agents: The New Attack Vector

⚠️ CRITICAL — AI Browser Agents Vulnerable to Social Engineering

Researchers at Guardio demonstrated that Perplexity's Comet AI browser — designed to autonomously navigate the web on behalf of users — can be tricked into entering credentials on phishing pages in under four minutes. The technique exploits a fundamental weakness they call "Agentic Blabbering."

What Is Agentic Blabbering?

Agentic web browsers powered by AI don't just click links — they reason aloud about what they see, what they believe is happening, and what they plan to do next. This internal narration, when intercepted by a malicious page, becomes a weapon. Attackers can read the agent's reasoning, understand its security assessments in real time, and craft responses that systematically disarm its defenses.

"The AI now operates in real time, inside messy and dynamic pages, while continuously requesting information, making decisions, and narrating its actions along the way," explained Guardio researcher Shaked Chen. "This is what we call Agentic Blabbering: the AI Browser exposing what it sees, what it believes is happening, what it plans to do next, and what signals it considers suspicious or safe."

The 4-Minute Exploit Chain

  1. Bait page: Attacker creates a page that looks like a legitimate service requiring login
  2. Reasoning interception: The malicious page reads the AI agent's internal reasoning about whether the page is safe
  3. Adaptive persuasion: Based on the agent's expressed concerns, the page dynamically adjusts its legitimacy signals
  4. Credential entry: The AI agent, now convinced the page is safe, enters the user's stored credentials

The entire attack — from first page load to credential theft — took under four minutes with no human interaction required.


🔓 WordPress SQLi: 250K+ Sites at Risk

Elementor Ally Plugin Vulnerability

A critical SQL injection vulnerability has been discovered in Ally, a WordPress accessibility plugin from Elementor with more than 400,000 installations. The flaw (not yet assigned a CVE) allows unauthenticated attackers to extract sensitive data from the WordPress database — including admin credentials, user data, and configuration secrets.

Impact: Any WordPress site running the Ally plugin is potentially vulnerable. The attack requires no authentication and can be executed remotely. At least 250,000 sites confirmed using vulnerable versions.

Recommended Actions


🚨 n8n RCE: CISA Orders Emergency Patching

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to patch a remote code execution vulnerability in n8n, the popular open-source workflow automation platform. The flaw is being actively exploited in the wild.

n8n is widely used in enterprise environments for workflow automation, integrating hundreds of services including Slack, GitHub, databases, and cloud platforms. A successful RCE exploit gives attackers full control over the n8n server and access to all connected service credentials.

Why This Matters for AI-Driven Organizations

n8n is increasingly used as the orchestration layer for AI agent workflows. If your AI agents use n8n to chain actions across services, a compromised n8n instance means every connected service is compromised — including your AI models, data pipelines, and customer-facing APIs.


🔍 The Expanding Attack Surface of Autonomous AI

Three Converging Threats

Today's three stories share a common thread: autonomous AI tools are creating attack surfaces faster than security teams can map them.

Threat Vector Tool Category Risk Level Impact
Agentic Blabbering AI Browsers CRITICAL Credential theft via AI reasoning exploitation
Plugin SQLi CMS Plugins CRITICAL Unauthenticated database exfiltration
Automation RCE Workflow Engines CRITICAL Full server + credential compromise

What Security Teams Must Do Now

  1. Inventory all AI agents — Know every autonomous tool that can act on behalf of your organization
  2. Limit AI agent permissions — Apply least-privilege to AI browsers, workflow engines, and automation tools
  3. Monitor AI agent behavior — Log and audit what AI agents access, submit, and connect to
  4. Patch automation platforms — n8n, Zapier alternatives, and custom orchestration layers must be patched within 24 hours of CVE disclosure
  5. Scan for plugin vulnerabilities — WordPress, CMS plugins, and SaaS integrations are the #1 entry point

Scan Your Attack Surface Before AI Agents Expand It

KENSAI continuously maps your external attack surface — APIs, plugins, AI integrations — and identifies vulnerabilities before autonomous agents or attackers exploit them.

Start Free Scan

Stay secure,
The KENSAI Security Research Team

Daily security briefings powered by AI threat intelligence. Updated every weekday.

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

Related Articles

Forum InCyber 2026 startet Cybersicherheits-Qualifizierungsoffensive, EU-Parlame Fausses alertes VS Code sur GitHub propagent des malwares, Un groupe pro-iranien Google corregge il 4° zero-day Chrome 2026, APT cinese sfrutta zero-day TrueConf