Does Royal MCP have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Royal MCP compatible with WordPress 7.0?

According to WordPress.org data, Royal MCP 1.4.3 has been tested up to WordPress 7.0. Check the plugin's changelog for the latest compatibility information.

Is Royal MCP compatible with PHP 7.4+?

Royal MCP requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Royal MCP updated?

Royal MCP was last updated on Apr 7, 2026. Frequent updates are generally a positive security signal.

What is Royal MCP's security score?

Royal MCP has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Royal MCP Security & Risk Analysis

wordpress.org/plugins/royal-mcp

The security-first MCP server for WordPress. Connect Claude, ChatGPT, and Gemini with API key auth, rate limiting, and activity logging.

500 active installs v1.4.3 PHP 7.4+ WP 5.8+ Updated Apr 7, 2026

ai-wordpressclaude-wordpressmcpwoocommerce-aiwordpress-ai-integration

A · Safe

CVEs total1

Unpatched0

Last CVEApr 21, 2026

Plugin page Download

Safety Verdict

Is Royal MCP Safe to Use in 2026?

Generally Safe

Score 99/100

Royal MCP has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Apr 21, 2026Updated 1mo ago

Risk Assessment

The plugin "royal-mcp" v1.2.3 exhibits a mixed security posture. On the positive side, it demonstrates excellent practices regarding output escaping and avoids dangerous functions, file operations, and bundled libraries. The presence of nonce and capability checks for some entry points is also a good sign. However, a significant concern arises from the attack surface analysis. Three out of five identified entry points, specifically all three REST API routes, lack permission callbacks, leaving them open to unauthorized access and manipulation. Furthermore, the taint analysis reveals two flows with unsanitized paths, indicating a potential for input validation issues that could lead to vulnerabilities if exploited, even though no critical or high severity issues were flagged in this specific analysis. The plugin's clean vulnerability history is a strong positive, suggesting a generally well-maintained codebase and a proactive approach to security by the developers. Despite the clean history, the identified weaknesses in the attack surface and taint analysis warrant caution.

Key Concerns

REST API routes without permission callbacks
Flows with unsanitized paths
AJAX handlers without auth checks

Vulnerabilities

1 published

Royal MCP Security Vulnerabilities

CVEs by Year

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2026-40775medium · 5.3Missing Authorization

Royal MCP – Secure AI Connector for Claude, ChatGPT & Gemini <= 1.4.2 - Missing Authorization

Apr 21, 2026 Patched in 1.4.3 (10d)

Version History

Royal MCP Release Timeline

v1.4.11 CVE

v1.4.01 CVE

v1.3.01 CVE

v1.2.31 CVE

v1.2.21 CVE

Code Analysis

Analyzed Mar 16, 2026

Royal MCP Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

299 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

50% prepared4 total queries

Output Escaping

100% escaped300 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths

ajax_get_platform_fields (includes\Admin\Settings_Page.php:280)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

Royal MCP Attack Surface

Entry Points5

Unprotected3

AJAX Handlers 2

authwp_ajax_royal_mcp_test_connectionincludes\Admin\Settings_Page.php:19

authwp_ajax_royal_mcp_get_platform_fieldsincludes\Admin\Settings_Page.php:20

REST API Routes 3

GET/wp-json/royal-mcp/v1/mcproyal-mcp.php:153

GET/wp-json/royal-mcp/v1/sseroyal-mcp.php:161

POST/wp-json/royal-mcp/v1/messagesroyal-mcp.php:169

WordPress Hooks 7

actionadmin_menuincludes\Admin\Settings_Page.php:13

actionadmin_initincludes\Admin\Settings_Page.php:14

actionadmin_enqueue_scriptsincludes\Admin\Settings_Page.php:15

filteradmin_footer_textincludes\Admin\Settings_Page.php:16

actionplugins_loadedroyal-mcp.php:67

actionrest_api_initroyal-mcp.php:68

actionrest_api_initroyal-mcp.php:69

Maintenance & Trust

Royal MCP Maintenance & Trust

Maintenance Signals

WordPress version tested7.0

Last updatedApr 7, 2026

PHP min version7.4

Downloads2K

Community Trust

Rating100/100

Number of ratings1

Active installs500

Alternatives

Royal MCP Alternatives

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server

stifli-flex-mcp

100

AI Copilot for the WordPress editor, AI Chat Agent for full site management & MCP server for external AI clients. OpenAI, Claude & Gemini.

900 No CVEs

AIKO – AI Developer Lite

aiko-developer-lite

100

A plugin that makes other plugins.

6K No CVEs

Notification for Telegram

notification-for-telegram

Sends notifications to Telegram users or groups, when some events occur in WordPress.

4K 4 CVEs

BotWriter – AI Writer & Content Generator

botwriter

100

AI Writer & content generator for WordPress & WooCommerce. Auto blogging, AI writing plugin, product descriptions and SEO content.

2K No CVEs

AI

100

AI features, experiments and capabilities for WordPress.

1K No CVEs

Developer Profile

Royal MCP Developer Profile

Royal Plugins

4 plugins · 500 total installs

trust score

Avg Security Score

100/100

Avg Patch Time

10 days

View full developer profile

Detection Fingerprints

How We Detect Royal MCP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/royal-mcp/includes/Admin/js/settings-page.js/wp-content/plugins/royal-mcp/includes/Admin/css/settings-page.css

Script Paths

/wp-content/plugins/royal-mcp/includes/Admin/js/settings-page.js

HTML / DOM Fingerprints

CSS Classes

royal-mcp-settings-pageroyal-mcp-log-tableroyal-mcp-platform-field

HTML Comments

Data Attributes

data-royal-mcp-ajax-urldata-royal-mcp-nonce

JS Globals

RoyalMCPConfig

REST Endpoints

/royal-mcp/v1/mcp/royal-mcp/v1/sse/royal-mcp/v1/messages

FAQ

Royal MCP Security & Risk Analysis

Is Royal MCP Safe to Use in 2026?

Generally Safe

Key Concerns

Royal MCP Security Vulnerabilities

CVEs by Year

Severity Breakdown

Royal MCP Release Timeline

Royal MCP Code Analysis

SQL Query Safety

Output Escaping

Data Flow Analysis

Royal MCP Attack Surface

AJAX Handlers 2

REST API Routes 3

Royal MCP Maintenance & Trust

Maintenance Signals

Community Trust

Royal MCP Alternatives

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server

AIKO – AI Developer Lite

Notification for Telegram

BotWriter – AI Writer & Content Generator

AI

Royal MCP Developer Profile

How We Detect Royal MCP

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Royal MCP