WordPress MCP
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: wordpress-mcp
Version: 3.3.4

This skill bundle is classified as suspicious because it exposes highly privileged capabilities that could lead to Remote Code Execution (RCE) and SQL Injection (SQLi) if misused or exploited. Specifically, `references/dev-tools.md` and `references/features.md` document tools such as `wp_theme_put_file` and `wp_plugin_put_file` (arbitrary file write into the theme and plugin directories, which amounts to code execution because WordPress loads and runs PHP from those directories) and `wp_db_query` (direct execution of SQL against the site database). These tools are presented as intended for WordPress management and development, but their power makes them a critical risk if the AI agent's inputs are not rigorously controlled: an attacker who can steer what the agent does can compromise the target WordPress site. There is no evidence of intentional malicious prompt injection against the agent, unauthorized data exfiltration, or obfuscation within the skill bundle itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad agent action could break a WordPress site, delete or publish content, change settings, alter code, or mutate business data.
The skill documents powerful administrative and escape-hatch capabilities that can alter site code, database contents, and arbitrary REST resources. These are disclosed and opt-in, but they are high-impact and not comprehensively bounded by approval or rollback guidance.
| Feature | Default | Description |
|---|---|---|
| **Plugins** | Off | Install, activate, update, and modify plugins |
| ... | | |
| **Database** | Off | Execute SQL queries on the WordPress database |
| ... | | |
| **Dynamic REST** | Off | Raw access to WordPress REST API |
Enable only the MCP feature groups you actually need. Require explicit user confirmation and backups before plugin/theme edits, database writes, raw REST calls, deletes, publishes, refunds, stock changes, or user/account changes.
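One way to put that recommendation in front of the agent rather than leaving it to the user's discipline is a pre-flight gate that classifies each MCP tool call by feature group and outcome before it reaches the site. The following is an added example, not code from the audited skill or from the AI Engine plugin. It assumes tool calls arrive as MCP JSON-RPC 2.0 `tools/call` requests (`params.name`, `params.arguments`), that `wp_db_query` takes its SQL in an argument called `query`, and that tool-name prefixes other than the three names cited in this audit (`wp_db_query`, `wp_theme_put_file`, `wp_plugin_put_file`) are illustrative; the sample requests are constructed, not captured traffic.

```python
"""Pre-flight policy gate for WordPress MCP tool calls.

Added example, not code from the audited skill or from the AI Engine plugin.
Assumptions not taken from the audit page: tool calls are MCP JSON-RPC 2.0
requests with method "tools/call", params.name = tool name and
params.arguments = the tool's arguments; wp_db_query takes its SQL in an
argument called "query"; tool-name prefixes other than the three audited
names (wp_db_query, wp_theme_put_file, wp_plugin_put_file) are illustrative.
"""
import json
import re

# Tool-name prefix -> feature group, mirroring the opt-in groups in features.md.
# Only the prefixes for the three audited tools are grounded in the audit text.
TOOL_GROUPS = {
    "wp_db_": "database",
    "wp_plugin_": "plugins",
    "wp_theme_": "themes",
    "wp_rest_": "dynamic_rest",   # illustrative name for the Dynamic REST group
    "wp_post_": "posts",          # illustrative
}

# Tools that write code into the site: always need a backup and a human "yes".
CONFIRM_ALWAYS = {"wp_theme_put_file", "wp_plugin_put_file"}

# Coarse read-only check. This is a gate for the agent, not a SQL parser.
READ_ONLY_SQL = re.compile(r"^\s*(SELECT|SHOW|EXPLAIN|DESCRIBE)\b", re.IGNORECASE)


def group_for(tool_name):
    """Map a tool name to its feature group by prefix; unknown names get 'unknown'."""
    for prefix, group in TOOL_GROUPS.items():
        if tool_name.startswith(prefix):
            return group
    return "unknown"


def evaluate(request_json, enabled_groups=frozenset({"posts"})):
    """Classify one JSON-RPC request as ('allow'|'confirm'|'deny', reason).

    enabled_groups is the operator's explicit opt-in list; everything else,
    including unknown tool names, is denied by default.
    """
    req = json.loads(request_json)
    if req.get("method") != "tools/call":
        return ("allow", "not a tool call")
    params = req.get("params") or {}
    name = str(params.get("name", ""))
    args = params.get("arguments") or {}
    group = group_for(name)
    if group not in enabled_groups:
        return ("deny", f"tool {name!r} belongs to group {group!r}, which is not enabled")
    if name in CONFIRM_ALWAYS:
        return ("confirm", f"{name} writes files into the theme/plugin directory: back up and approve first")
    if name == "wp_db_query":
        sql = str(args.get("query", ""))
        single_statement = ";" not in sql.rstrip(" \t\r\n;")
        if READ_ONLY_SQL.match(sql) and single_statement:
            return ("confirm", "read-only SQL still needs approval: raw DB access is an escape hatch")
        return ("deny", "writes or multi-statement SQL via wp_db_query are blocked")
    return ("allow", f"{name} is in the enabled group {group!r}")


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "list_posts": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                              "params": {"name": "wp_post_list", "arguments": {"per_page": 5}}}),
    "plugin_write": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                                "params": {"name": "wp_plugin_put_file",
                                           "arguments": {"path": "my-plugin/x.php", "content": "<?php"}}}),
    "select": json.dumps({"jsonrpc": "2.0", "id": 3, "method": "tools/call",
                          "params": {"name": "wp_db_query",
                                     "arguments": {"query": "SELECT ID, post_title FROM wp_posts LIMIT 5"}}}),
    "stacked": json.dumps({"jsonrpc": "2.0", "id": 4, "method": "tools/call",
                           "params": {"name": "wp_db_query",
                                      "arguments": {"query": "SELECT 1; DROP TABLE wp_users"}}}),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, evaluate(req, enabled_groups={"posts", "plugins", "database"}))
```

The design point is that the gate never tries to sanitize the SQL or file content; it only decides whether the call may proceed, and it routes anything in the Database, Plugins or Themes groups to a human who has taken a backup. The prefix map and the read-only regex are deliberately coarse, so the default outcome for anything unrecognised is deny rather than allow.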
Anyone or any agent workflow with access to that token could perform the enabled WordPress MCP actions for the site.
The bearer token is the credential used to authorize MCP actions, and the skill recommends storing it persistently in a local agent-readable file. The artifacts do not describe token scoping, least privilege, file protection, or rotation.
A **Bearer Token** set in MCP settings ... Connection details should be stored in the user's `TOOLS.md`: ... **Bearer Token:** <token from AI Engine MCP settings>
Use a dedicated, least-privileged token or account if supported, keep TOOLS.md private, avoid sharing it in prompts or logs, and rotate/revoke the token if exposure is suspected.
If the endpoint is wrong, insecure, or shared, commands or sensitive WordPress data could go to the wrong place.
The skill uses JSON-RPC over HTTP to a user-configured MCP endpoint with bearer authentication. This is expected for the purpose, but it means site data and administrative commands flow through that endpoint.
```bash
curl -s -X POST <MCP_URL> \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json"
```
Verify the MCP URL and domain, use HTTPS, keep separate tokens per site, and avoid using this with untrusted WordPress installations.
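The token-handling finding above and this endpoint finding come down to the same client-side hygiene: keep the bearer token out of prompt-readable files, insist on HTTPS, pin the expected host, and never let the token reach a log. The following wrapper around the curl-style call is an added example, not code from the audited skill or from the AI Engine plugin. It assumes the token is stored in a file outside `TOOLS.md` whose path the operator supplies, a POSIX filesystem (for the file-mode check), and an endpoint that speaks MCP JSON-RPC 2.0 `tools/call`; the URL, host, tool name and token value are constructed placeholders.

```python
"""Hardened client-side wrapper for the skill's bearer-authenticated JSON-RPC call.

Added example, not code from the audited skill or from the AI Engine plugin.
Assumptions not taken from the audit page: the token is kept in a file outside
TOOLS.md whose path the operator supplies, the host runs a POSIX filesystem
(file-mode checks), and the endpoint speaks MCP JSON-RPC 2.0 "tools/call".
The URL, host, tool name and token value below are constructed placeholders.
"""
import json
import os
import stat
import tempfile
import urllib.parse
import urllib.request


def check_endpoint(mcp_url, expected_host):
    """Refuse plaintext, mismatched-host or credential-bearing URLs before a token is attached."""
    u = urllib.parse.urlparse(mcp_url)
    if u.scheme != "https":
        raise ValueError(f"refusing non-HTTPS MCP endpoint: {mcp_url}")
    if not u.hostname or u.hostname.lower() != expected_host.lower():
        raise ValueError(f"endpoint host {u.hostname!r} is not the pinned host {expected_host!r}")
    if u.username or u.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    return u.geturl()


def endpoint_ok(mcp_url, expected_host):
    """Boolean form of check_endpoint for callers that only need pass/fail."""
    try:
        check_endpoint(mcp_url, expected_host)
        return True
    except ValueError:
        return False


def load_token(path):
    """Read the bearer token from a file that only its owner can read (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others (mode {oct(mode)}); chmod 600 it")
    with open(path) as f:
        token = f.read().strip()
    if not token:
        raise ValueError(f"{path} holds no token")
    return token


def build_request(mcp_url, token, tool_name, arguments, request_id=1):
    """Build (but do not send) one tools/call POST; the token travels only in the header."""
    body = json.dumps({"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
                       "params": {"name": tool_name, "arguments": arguments}}).encode()
    return urllib.request.Request(mcp_url, data=body, method="POST",
                                  headers={"Authorization": f"Bearer {token}",
                                           "Content-Type": "application/json"})


def redact(text, token):
    """Scrub the token from anything that is logged or echoed back into a prompt."""
    return text.replace(token, "<redacted>") if token else text


def demo():
    """Offline walk-through on constructed files: a 0600 token file loads, a 0644 one is refused."""
    workdir = tempfile.mkdtemp()
    good = os.path.join(workdir, "token")
    bad = os.path.join(workdir, "token-world-readable")
    for path in (good, bad):
        with open(path, "w") as f:
            f.write("example-token-not-real\n")   # constructed value
    os.chmod(good, 0o600)
    os.chmod(bad, 0o644)
    token = load_token(good)
    try:
        load_token(bad)
        refused = False
    except PermissionError:
        refused = True
    url = check_endpoint("https://example.com/wp-json/mcp", "example.com")  # placeholder endpoint
    req = build_request(url, token, "wp_post_list", {"per_page": 5})         # illustrative tool name
    return {
        "token": token,
        "world_readable_refused": refused,
        "auth_header": req.get_header("Authorization"),
        "method": json.loads(req.data)["method"],
        "log_line": redact(f"POST {url} Authorization: Bearer {token}", token),
    }


if __name__ == "__main__":
    print(demo())
```

Pinning `expected_host` per site is what makes "separate tokens per site" enforceable: a token file is only ever paired with the host it was issued for, so a mistyped or attacker-supplied `MCP_URL` fails before the `Authorization` header is built. The file-mode check is a cheap stand-in for a secret store; the point is that the token is not sitting in a file the agent reads as ordinary context.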
