| 开发者 | bilalnaseer |
|---|---|
| 更新时间 | 2026年7月13日 14:50 |
| PHP版本: | 7.4 及以上 |
| WordPress版本: | 7.0 |
| 版权: | GPL-2.0-or-later |
| 版权网址: | 版权信息 |
Authorization: Bearer or X-WSP-MCP-API-Key).manage_woocommerce capability)
manage_options; value tools enforce per-object capabilities)
/wp-content/plugins/ and activate it.No. This plugin includes its own MCP server and connects directly. As of v2.2 the older MCP Adapter / Abilities-API compatibility path has been removed; connect using the native endpoint shown on MCP > Connection.
Use a WordPress Application Password (sent via HTTP Basic auth) or the plugin-generated API key shown on the Connection page. Either is validated on every request, and tool actions are limited by the authenticated user's capabilities.
Any client that supports the Streamable HTTP MCP transport — Claude Desktop, MCP Inspector, IDEs, and scripts.
update_field() — for posts, users, terms, and options — is now recursively sanitized (arrays walked; each string run through wp_kses_post()) so <script>/<style> and inline event handlers can no longer be stored through the MCP tools. Legitimate WYSIWYG/HTML field content still works. Addresses the WordPress.org "arbitrary code insertion" review finding.~/.config/opencode/opencode.json file with the API key inlined in the header, ready to create and paste.wp_kses_post() so scripts cannot be injected via _elementor_data.manage_options (was edit_posts), matching the admin-level nature of global options.wsp_register_acf_abilities() dual-mode registration helper (dead code, not hooked).Requires at least now uses the major-only WordPress version format (6.9).manage_options; value reads/writes enforce per-object capabilities (edit_post, edit_user, list_users, manage_categories, manage_options).wsp-mcp-ai-agents-connector (folder, main file, and text domain) to match the public name ahead of WordPress.org submission.manage_woocommerce capability.