| 开发者 | fabiomontenegro1987 |
|---|---|
| 更新时间 | 2026年7月13日 23:03 |
| 捐献地址: | 去捐款 |
| PHP版本: | 8.0 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPLv2 or later |
| 版权网址: | 版权信息 |
show_in_rest and mcp.public metadataYes. This plugin requires WordPress 6.9+ (which includes the Abilities API) and the MCP Adapter plugin to connect abilities with AI assistants like Claude.
Yes. On first activation, all abilities are enabled. You can disable any of them from Settings > WP Abilities.
Write abilities respect WordPress capabilities. For example, creating a post requires the publish_posts capability, and editing checks per-post permissions. The MCP user must have the appropriate WordPress role.
Yes. The plugin can be network-activated. Each site in the network has its own ability configuration.
Yes. The Custom Post Types section automatically detects WooCommerce products, orders, coupons, and any other registered post type. You can list, create, update, and delete items with full access to WooCommerce meta fields like _price, _sku, _stock_status, _regular_price, and more.
This plugin registers abilities using the standard wp_register_ability() API. You can register additional abilities in your own plugin using the wp_abilities_api_init hook.
ewpa/get-post, ewpa/get-page, and ewpa/get-cpt-item now enforce a per-post visibility check (current_user_can( 'read_post', $id )) in their permission_callback, instead of only the site-wide read capability. Previously a low-privilege user authenticating via Application Passwords could read drafts, private, or password-protected content of other authors by ID (IDOR). Not exploitable via the Bearer token (which authenticates as an administrator). Reported by Hardik (hnanda21).ewpa_filter_core_abilities() wrapper closure now uses $input = null and calls $original() vs $original($input) conditionally — fixes ArgumentCountError on core/get-user-info and core/get-environment-info (PHP 8.4), which have no input_schema and are invoked with zero arguments by WP_Ability::invoke_callback(). core/get-site-info was unaffected because it declares an input schema. Same root cause as the v2.0.14 fix for ewpa_register_ability_with_log().ewpa_authenticate_api_key() now uses a static re-entry guard ($resolving) to prevent infinite recursion when user_can() inside ewpa_validate_api_key() triggers map_meta_cap. Plugins like Yoast SEO hook map_meta_cap and call wp_get_current_user() from within it, re-entering the determine_current_user filter and causing unbounded recursion (PHP fatal / HTTP 500). Reproduced with Yoast SEO + WPML String Translation active.ewpa/je-update-options-page-field now supports repeater fields — pass an array of row objects where each key matches a sub-field name. ewpa/je-get-options-page now returns repeater_fields (name, title, type) for repeater fields so the AI can inspect the expected row structure before writing.ewpa/je-list-options-pages lists all registered options pages with their field schema; ewpa/je-get-options-page returns field values for a given slug; ewpa/je-update-options-page-field writes a single field value with blocklist protection (html, tab, accordion, endpoint types are blocked). Both list and get abilities are enabled by default; update is off by default. Requires JetEngine with the Options Pages module enabled.ewpa_register_ability_with_log() wrapper closure now uses $input = null (optional parameter) so abilities without an input_schema are not broken by PHP 8.4's ArgumentCountError when WP_Ability::invoke_callback() calls them with zero arguments.ewpa/update-post, ewpa/create-post, ewpa/create-page, ewpa/create-cpt-item, ewpa/update-cpt-item, ewpa/search-replace, and ewpa/tec-update-event now use wp_slash() instead of wp_kses_post() on post content before passing to wp_insert_post() / wp_update_post(). This prevents double-unslashing that corrupted JSON Unicode escapes (e.g. < → u003c) in Gutenberg block attributes such as Yoast FAQ questions. KSES is now applied by WordPress via the content_save_pre filter, which correctly respects unfiltered_html capability — allowing admins to save <script type="application/ld+json"> inside wp:html blocks without stripping.ewpa/create-code-snippet ability — creates a PHP snippet via the Code Snippets plugin (2.x or 3.x). Snippet is always saved as inactive; activation requires a manual step from wp-admin. Validates PHP syntax via token_get_all( TOKEN_PARSE ), blocks dangerous functions (eval, exec, shell_exec, system, passthru, popen, proc_open, base64_decode, file_put_contents, unlink, chmod), and fires ewpa_after_create_code_snippet for audit. Requires manage_options.ewpa/create-code-snippet ability — creates a PHP snippet via the Code Snippets plugin (2.x or 3.x). Snippet is always saved as inactive; activation requires a manual step from wp-admin. Validates PHP syntax via token_get_all( TOKEN_PARSE ), blocks dangerous functions (eval, exec, shell_exec, system, passthru, popen, proc_open, base64_decode, file_put_contents, unlink, chmod), and fires ewpa_after_create_code_snippet for audit. Requires manage_options.ewpa/update-post-meta no longer applies sanitize_text_field() to meta_value — allows storing HTML, CSS, and JavaScript content without corruptionewpa/update-post-meta, ewpa/update-cpt-item, and ewpa/create-cpt-item now call wp_slash() before update_post_meta() — preserves backslashes in values received via the REST API, which update_post_meta() internally strips via wp_unslash()ewpa/update-rankmath-schema — added missing permission_callback required by WP_Ability; absence caused a PHP notice on every page load and prevented the ability from registering correctlyewpa/update-rankmath-schema now correctly discoverable by MCP adapters — added additionalProperties: true to the schema_data input parameter so WordPress accepts the object schema during ability registrationewpa/update-rankmath-schema ability — writes a structured-data schema block (FAQPage, Article, Product, VideoObject, etc.) to a Rank Math schema meta key as a PHP-serialized array, so Rank Math renders it as JSON-LD in <head>; supports 20 schema typesewpa/update-post-meta now blocks rank_math_schema_* keys and returns a clear error directing users to ewpa/update-rankmath-schema instead — prevents PHP fatal errors caused by storing raw JSON strings in a field that Rank Math expects to hold PHP-serialized arraysewpa/get-active-plugins utility ability — returns all active plugins with name, version, and detected capabilities (SEO, multilanguage, WooCommerce, Events Calendar)ewpa/set-post-language assigns a language code to an existing post via Polylang or WPMLewpa/link-post-translation links two posts as translations of each other in the same translation group via Polylang or WPMLewpa/get-post-translations returns the full translation map for a post: language code, post ID, title, permalink, and status for each available translation via Polylang or WPMLlanguage and translation_of parameters added to ewpa/create-post — set the language and link a translation group in a single call when Polylang or WPML is activeewpa_get_translation_plugin() helper — detects the active multilanguage plugin (polylang, wpml, or empty string)properties key — prevents PHP Cannot use object of type stdClass as array error in WordPress schema validationewpa/get-post-meta utility ability — reads any single post meta field by exact key; returns the value and a found flag indicating whether the key exists; companion to ewpa/update-post-metaewpa_after_update_post_meta action hook — fires after every ewpa/update-post-meta write with ($post_id, $meta_key, $meta_value); SEO plugins can use it to flush their internal meta cache (e.g. TSF, AIOSEO)'label' instead of 'name' — resolves PHP notices from WP_Abilities_Registry::register on every page load'execute_callback' instead of 'callback' — abilities were registered but never executed'woocommerce' and 'tec' categories now registered in ewpa_register_ability_categories() — abilities now appear correctly in the Abilities ExplorerEWPA_VERSION constant corrected to match plugin header version (was stuck at 2.0.2)ewpa/get-seopress reads SEO title, description, focus keyword, canonical URL, robots (noindex/nofollow/noarchive/noimageindex/nosnippet), Open Graph, and Twitter Card for any post or pageewpa/update-seopress updates any combination of those fields; only provided fields are modifiedewpa/yoast-get-seo reads SEO title, description, focus keyphrase, canonical URL, robots (noindex/nofollow/advanced), Open Graph, and Twitter Cardewpa/yoast-update-seo updates any combination of those fields; only provided fields are modifiedewpa/yoast-get-sitemap-index fetches and parses the Yoast sitemap index, returning all registered sitemap URLs with last modification datesewpa/update-post-meta utility ability — writes any post meta field by exact key; useful for SEO plugins or custom fields not covered by dedicated sections; protected against internal WP keys via blocklist (filterable with ewpa_blocked_meta_keys)get-post, get-page, create-post, update-post, create-page, and update-page now auto-detects the active SEO plugin (Rank Math, Yoast SEO, The SEO Framework, SEOPress, AIOSEO) instead of writing to both Yoast and Rank Math keys simultaneouslyPRIMARY KEY SQL formatted for dbDeltaewpa_log_activity() is self-healing — auto-creates table on first failed insert, no manual intervention requiredstatus (was post_status) across ewpa/get-posts, ewpa/get-pages, and ewpa/get-cpt-items for consistency with write abilitiesewpa_bearer_enabled and ewpa_db_version options (previously leaked on uninstall)nav-tab classes — resolves broken button styling on sites where themes or plugins override default button CSSdocument.readyState guard — tabs and toggle now work correctly on sites with optimization plugins (WP Rocket, LiteSpeed, etc.) that defer or combine scriptsphpcs.xml ruleset updated — WooCommerce and The Events Calendar custom capabilities declaredincludes/activity-log.php — table management, logging helpers, and AJAX clear handlerplugins_loaded hook — no reactivation neededincludes/auth.php module with authentication logic@unlink() with wp_delete_file() for proper file deletionuser_email with user_login in user listing ability to prevent email exposureshow_in_rest => true to all custom abilities meta (required for REST API and MCP discovery)wp_abilities_api_categories_init hook