
Changeset 3490170


Timestamp: 03/24/2026 03:25:57 PM
Author: vinsmach
Message: Version 1.3.2: security fixes, rate limiting, fix PHP syntax error
Location: webmcp-bridge/trunk
Files: 2 edited

  • webmcp-bridge/trunk/readme.txt

    r3490158 r3490170  
    11=== WebMCP Bridge ===
    2 Contributors: vinsmach, mescio
     2Contributors: vinsmach
    33Tags: ai, mcp, webmcp, ai-agent, woocommerce
    44Requires at least: 6.0
    55Tested up to: 6.9
    6 Stable tag: 1.3.1
     6Stable tag: 1.3.2
    77Requires PHP: 8.0
    88License: GPLv2 or later
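Review bot: the Contributors line drops mescio, which the commit message (version bump, security fixes, rate limiting, syntax fix) does not mention. If the removal is intentional, say so in the message or the changelog, since the 1.1.0 Upgrade Notice in this same file still advertises the Mescio for Agents integration.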
     
    135135== Changelog ==
    136136
     137= 1.3.2 =
     138* Fixed PHP syntax error in sanitize_markdown() regex (inline event handler pattern)
     139* All PHP files pass WordPress.org pre-commit syntax check
     140
    137141= 1.3.1 =
    138 * Security: sanitize Markdown output in get_markdown_content and get_llms_txt before returning to agent — prevents stored XSS / prompt injection via post content
     142* Security: sanitize Markdown output in get_markdown_content and get_llms_txt — prevents stored XSS and prompt injection via post content
     143* Removed admin_email from get_site_info response — not needed by agents, sensitive data
     144* Removed author display_name from get_post response — exposes internal WordPress usernames
     145* Added global rate limiting on /execute endpoint (default: 120 calls/60s, configurable in settings)
     146* Rate limit is global (not per-IP) — effective against proxy rotation attacks; returns HTTP 429
     147
     148= 1.3.0 =
     149* Removed admin_email from get_site_info — sensitive data not needed by agents
     150* Removed author field from get_post — avoids exposing internal WordPress usernames
     151* Added global rate limiting on /execute: configurable max calls per time window in settings
     152* Rate limit counter uses WP transients; returns HTTP 429 when exceeded
     153* Rate limit and window now editable from Settings → WebMCP Bridge
    139154
    140155= 1.2.0 =
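Review bot: the 1.3.1 bullet "Rate limit is global (not per-IP)" presents a single shared counter on /execute as a strength, but it also means one noisy client can use up the 120 calls/60s budget, after which every other agent gets HTTP 429 until the window resets. Document that trade-off next to the setting and consider a per-client limit alongside the global cap. The 1.3.0 entry says the counter uses WP transients, which are read and written in separate steps, so concurrent requests can undercount; that is worth stating as a known limit. The same four bullets also appear under both 1.3.0 and 1.3.1, so the changelog does not say which release first shipped them.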
     
    172187== Upgrade Notice ==
    173188
     189= 1.3.2 =
     190Security and stability patch. Sanitizes Markdown output to prevent prompt injection, removes sensitive data from responses, adds rate limiting. Recommended update for all users.
     191
    174192= 1.1.0 =
    175193Adds Mescio for Agents integration and fixes tool filtering in the manifest. Recommended update for all users.
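Review bot: the 1.3.2 notice credits this release with Markdown sanitization, sensitive-data removal and rate limiting, while the changelog in this file lists those under 1.3.1 and 1.3.0 and gives 1.3.2 only the sanitize_markdown() syntax fix. Align the two so a site owner already on 1.3.1 can tell what this update changes for them. The notice also leaves out that /execute returns HTTP 429 past the default 120 calls/60s, which is the change most likely to affect existing agent integrations.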
  • webmcp-bridge/trunk/webmcp-bridge.php

    r3490158 r3490170  
    44 * Plugin URI:        https://wordpress.org/plugins/webmcp-bridge/
    55 * Description:       Exposes WordPress functionality as WebMCP tools so AI agents can interact with your site natively in the browser — no backend MCP server required.
    6  * Version:           1.3.1
     6 * Version:           1.3.2
    77 * Requires at least: 6.0
    88 * Requires PHP:      8.0
     
    1717if ( ! defined( 'ABSPATH' ) ) exit;
    1818
    19 define( 'WEBMCP_BRIDGE_VERSION', '1.3.1' );
     19define( 'WEBMCP_BRIDGE_VERSION', '1.3.2' );
    2020define( 'WEBMCP_BRIDGE_DIR', plugin_dir_path( __FILE__ ) );
    2121define( 'WEBMCP_BRIDGE_URL', plugin_dir_url( __FILE__ ) );
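Review bot: the only changes to webmcp-bridge.php in this changeset are the Version header and WEBMCP_BRIDGE_VERSION, and the other edited file is readme.txt, so the sanitize_markdown() regex fix named in the commit message and the 1.3.2 changelog entry is not part of this diff. Confirm that fix is already in trunk from an earlier changeset before 1.3.2 is released, and reference that changeset in the message so the security fix can be traced to its code change.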