StifLi Flex MCP – AI Chat Agent and MCP Server Security & Risk Analysis

wordpress.org/plugins/stifli-flex-mcp

AI Chat Agent for WordPress. Chat directly from your admin panel & manage content, WooCommerce and your site via natural conversation.

800 active installs v2.2.0 PHP 7.4+ WP 5.8+ Updated Mar 6, 2026
Tags: agent · ai · chatgpt · gemini · mcp
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is StifLi Flex MCP – AI Chat Agent and MCP Server Safe to Use in 2026?

Generally Safe

Score 100/100

StifLi Flex MCP – AI Chat Agent and MCP Server has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 28d ago
Risk Assessment

The stifli-flex-mcp v2.2.0 plugin demonstrates a generally strong security posture based on the provided static analysis. A significant strength is the complete absence of unprotected AJAX handlers and REST API routes, indicating robust authorization checks at all entry points. The high percentage of SQL queries using prepared statements and properly escaped output further suggests good coding practices aimed at preventing common vulnerabilities like SQL injection and Cross-Site Scripting (XSS). The plugin also implements a substantial number of nonce and capability checks, reinforcing its security.

However, the taint analysis reveals some areas for concern. Seven flows with unsanitized paths have been identified, all categorized as high severity. While there are no critical taint flows or raw SQL queries, these high-severity unsanitized paths represent a significant risk. They suggest potential avenues for attackers to manipulate file paths or other sensitive input, which could lead to unintended consequences or data exposure, even if the direct impact is not immediately critical. The plugin's history of zero known CVEs is a positive indicator, suggesting a lack of publicly disclosed vulnerabilities, but it should not lead to complacency given the identified taint issues.

In conclusion, stifli-flex-mcp v2.2.0 has a solid foundation with strong authentication and authorization. The primary weakness lies in the high-severity taint flows indicating potential path traversal or similar vulnerabilities. Addressing these specific taint flows should be the immediate priority to improve the plugin's overall security.

Key Concerns

  • High severity unsanitized paths in taint analysis
Vulnerabilities
None known

StifLi Flex MCP – AI Chat Agent and MCP Server Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

StifLi Flex MCP – AI Chat Agent and MCP Server Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 23 (168 prepared)
Unescaped Output: 172 (851 escaped)
Nonce Checks: 54
Capability Checks: 68
File Operations: 11
External Requests: 20
Bundled Libraries: 0

SQL Query Safety

88% prepared · 191 total queries

Output Escaping

83% escaped · 1023 total outputs
Data Flows: 7 unsanitized

Data Flow Analysis

25 flows · 7 with unsanitized paths
ajax_toggle_task (client\class-automation-admin.php:925)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

StifLi Flex MCP – AI Chat Agent and MCP Server Attack Surface

Entry Points: 53
Unprotected: 0

AJAX Handlers 53

auth · wp_ajax_sflmcp_automation_get_tasks · client\class-automation-admin.php:38
auth · wp_ajax_sflmcp_automation_save_task · client\class-automation-admin.php:39
auth · wp_ajax_sflmcp_automation_delete_task · client\class-automation-admin.php:40
auth · wp_ajax_sflmcp_automation_toggle_task · client\class-automation-admin.php:41
auth · wp_ajax_sflmcp_automation_run_task · client\class-automation-admin.php:42
auth · wp_ajax_sflmcp_automation_test_prompt · client\class-automation-admin.php:43
auth · wp_ajax_sflmcp_automation_test_start · client\class-automation-admin.php:44
auth · wp_ajax_sflmcp_automation_test_step · client\class-automation-admin.php:45
auth · wp_ajax_sflmcp_automation_get_logs · client\class-automation-admin.php:46
auth · wp_ajax_sflmcp_automation_get_templates · client\class-automation-admin.php:47
auth · wp_ajax_sflmcp_client_chat · client\class-client-admin.php:102
auth · wp_ajax_sflmcp_client_save_settings · client\class-client-admin.php:103
auth · wp_ajax_sflmcp_client_save_advanced · client\class-client-admin.php:104
auth · wp_ajax_sflmcp_client_execute_tool · client\class-client-admin.php:105
auth · wp_ajax_sflmcp_client_poll_tool · client\class-client-admin.php:106
auth · wp_ajax_sflmcp_client_save_history · client\class-client-admin.php:107
auth · wp_ajax_sflmcp_client_load_history · client\class-client-admin.php:108
auth · wp_ajax_sflmcp_client_clear_history · client\class-client-admin.php:109
auth · wp_ajax_sflmcp_events_get_automations · client\class-event-automation-admin.php:27
auth · wp_ajax_sflmcp_events_get_automation · client\class-event-automation-admin.php:28
auth · wp_ajax_sflmcp_events_save_automation · client\class-event-automation-admin.php:29
auth · wp_ajax_sflmcp_events_delete_automation · client\class-event-automation-admin.php:30
auth · wp_ajax_sflmcp_events_toggle_status · client\class-event-automation-admin.php:31
auth · wp_ajax_sflmcp_events_get_triggers · client\class-event-automation-admin.php:32
auth · wp_ajax_sflmcp_events_get_logs · client\class-event-automation-admin.php:33
auth · wp_ajax_sflmcp_events_test_automation · client\class-event-automation-admin.php:34
auth · wp_ajax_sflmcp_toggle_logging · client\class-logs-admin.php:27
auth · wp_ajax_sflmcp_clear_logs · client\class-logs-admin.php:28
auth · wp_ajax_sflmcp_refresh_logs · client\class-logs-admin.php:29
auth · wp_ajax_sflmcp_create_profile · mod.php:33
auth · wp_ajax_sflmcp_update_profile · mod.php:34
auth · wp_ajax_sflmcp_delete_profile · mod.php:35
auth · wp_ajax_sflmcp_duplicate_profile · mod.php:36
auth · wp_ajax_sflmcp_apply_profile · mod.php:37
auth · wp_ajax_sflmcp_export_profile · mod.php:38
auth · wp_ajax_sflmcp_import_profile · mod.php:39
auth · wp_ajax_sflmcp_restore_system_profiles · mod.php:40
auth · wp_ajax_sflmcp_get_custom_tools · mod.php:42
auth · wp_ajax_sflmcp_save_custom_tool · mod.php:43
auth · wp_ajax_sflmcp_delete_custom_tool · mod.php:44
auth · wp_ajax_sflmcp_test_custom_tool · mod.php:45
auth · wp_ajax_sflmcp_toggle_custom_tool · mod.php:46
auth · wp_ajax_sflmcp_toggle_tool · mod.php:48
auth · wp_ajax_sflmcp_bulk_toggle_tools · mod.php:49
auth · wp_ajax_sflmcp_discover_abilities · mod.php:51
auth · wp_ajax_sflmcp_import_ability · mod.php:52
auth · wp_ajax_sflmcp_toggle_ability · mod.php:53
auth · wp_ajax_sflmcp_delete_ability · mod.php:54
auth · wp_ajax_sflmcp_get_imported_abilities · mod.php:55
auth · wp_ajax_sflmcp_save_multimedia_settings · mod.php:57
auth · wp_ajax_sflmcp_load_multimedia_settings · mod.php:58
auth · wp_ajax_sflmcp_mm_toggle_tool · mod.php:59
auth · wp_ajax_sflmcp_mm_reveal_key · mod.php:60

WordPress Hooks 30

action · admin_menu · client\class-automation-admin.php:34
action · admin_enqueue_scripts · client\class-automation-admin.php:35
filter · cron_schedules · client\class-automation-engine.php:157
action · admin_menu · client\class-client-admin.php:100
action · admin_enqueue_scripts · client\class-client-admin.php:101
action · sflmcp_async_tool_exec · client\class-client-admin.php:112
action · admin_menu · client\class-event-automation-admin.php:23
action · admin_enqueue_scripts · client\class-event-automation-admin.php:24
action · admin_menu · client\class-logs-admin.php:23
action · admin_enqueue_scripts · client\class-logs-admin.php:24
action · rest_api_init · mod.php:24
action · admin_menu · mod.php:27
action · admin_menu · mod.php:28
action · admin_menu · mod.php:29
action · admin_init · mod.php:30
action · admin_enqueue_scripts · mod.php:31
filter · upload_mimes · models\model.php:1947
action · init · stifli-flex-mcp.php:180
action · init · stifli-flex-mcp.php:189
action · woocommerce_loaded · stifli-flex-mcp.php:351
filter · cron_schedules · stifli-flex-mcp.php:2164
filter · cron_schedules · stifli-flex-mcp.php:2195
action · sflmcp_process_automation_tasks · stifli-flex-mcp.php:2200
action · sflmcp_clean_queue · stifli-flex-mcp.php:2254
action · sflmcp_maintenance_mode · stifli-flex-mcp.php:2282
filter · sflmcp_action_result · stifli-flex-mcp.php:2298
action · sflmcp_admin_notify · stifli-flex-mcp.php:2309
filter · sflmcp_action_result · stifli-flex-mcp.php:2324
filter · sflmcp_action_result · stifli-flex-mcp.php:2338
action · plugins_loaded · stifli-flex-mcp.php:2363

Scheduled Events 5

sflmcp_async_tool_exec
sflmcp_process_automation_tasks
sflmcp_clean_queue
sflmcp_clean_queue
sflmcp_process_automation_tasks
Maintenance & Trust

StifLi Flex MCP – AI Chat Agent and MCP Server Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 7.4
Downloads: 3K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 800
Developer Profile

StifLi Flex MCP – AI Chat Agent and MCP Server Developer Profile

Esteban

1 plugin · 800 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect StifLi Flex MCP – AI Chat Agent and MCP Server

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/stifli-flex-mcp/client/css/automation-admin.css
  • /wp-content/plugins/stifli-flex-mcp/client/css/logs-admin.css
  • /wp-content/plugins/stifli-flex-mcp/client/js/automation-admin.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/logs-admin.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/provider-openai.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/provider-claude.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/provider-gemini.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/client-admin.js
  • +3 more
Script Paths
  • /wp-content/plugins/stifli-flex-mcp/client/js/automation-admin.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/logs-admin.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/provider-openai.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/provider-claude.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/provider-gemini.js
  • /wp-content/plugins/stifli-flex-mcp/client/js/client-admin.js
  • +1 more
Version Parameters
  • stifli-flex-mcp/client/css/automation-admin.css?ver=
  • stifli-flex-mcp/client/css/logs-admin.css?ver=
  • stifli-flex-mcp/client/js/automation-admin.js?ver=
  • stifli-flex-mcp/client/js/logs-admin.js?ver=
  • stifli-flex-mcp/client/js/provider-openai.js?ver=
  • stifli-flex-mcp/client/js/provider-claude.js?ver=
  • stifli-flex-mcp/client/js/provider-gemini.js?ver=
  • stifli-flex-mcp/client/js/client-admin.js?ver=
  • stifli-flex-mcp/client/js/event-automation-admin.js?ver=
  • stifli-flex-mcp/assets/js/select2/select2.min.js?ver=
  • stifli-flex-mcp/assets/css/select2/select2.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • sflmcp-admin-section
  • sflmcp-automation-section
  • sflmcp-logs-section
  • sflmcp-provider-settings
  • sflmcp-tool-item
  • sflmcp-queue-table
  • sflmcp-settings-field
HTML Comments
  • <!-- StifLi Flex MCP - AI Chat Agent and MCP Server -->
  • <!-- Plugin Name: StifLi Flex MCP - AI Chat Agent and MCP Server -->
  • <!-- Description: Transform your WordPress site into a Model Context Protocol (MCP) server. Expose 117+ tools (55 WordPress, 61 WooCommerce, 1 Core + WordPress Abilities) that AI agents like ChatGPT, Claude, and LibreChat can use to manage your WordPress and WooCommerce site via JSON-RPC 2.0. -->
  • <!-- Author: estebandestifli -->
  • +20 more
Data Attributes
  • data-tool-id
  • data-sflmcp-automation-id
  • data-sflmcp-log-entry-id
  • data-sflmcp-provider-slug
JS Globals
  • StifliFlexMcpAutomationAdmin
  • StifliFlexMcpLogsAdmin
  • StifliFlexMcpEventAutomationAdmin
  • StifliFlexMcpClientAdmin
REST Endpoints
  • /wp-json/stifli-flex-mcp/v1/automation/toggle
  • /wp-json/stifli-flex-mcp/v1/logs/clear
  • /wp-json/stifli-flex-mcp/v1/tools/sync
FAQ

Frequently Asked Questions about StifLi Flex MCP – AI Chat Agent and MCP Server