WP-Safety

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Security & Risk Analysis

wordpress.org/plugins/stifli-flex-mcp

AI Copilot for the WordPress editor, AI Chat Agent for full site management & MCP server for external AI clients. OpenAI, Claude & Gemini.

900 active installs v3.1.3 PHP 7.4+ WP 5.8+ Updated Apr 13, 2026
ai-copilotai-writingchatgptmcpwoocommerce-ai
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Safe to Use in 2026?

Generally Safe

Score 100/100

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The stifli-flex-mcp v2.2.0 plugin demonstrates a generally strong security posture based on the provided static analysis. A significant strength is the complete absence of unprotected AJAX handlers and REST API routes, indicating robust authorization checks at all entry points. The high percentage of SQL queries using prepared statements and properly escaped output further suggests good coding practices aimed at preventing common vulnerabilities like SQL injection and Cross-Site Scripting (XSS). The plugin also implements a substantial number of nonce and capability checks, reinforcing its security.

However, the taint analysis reveals some areas for concern. Seven flows with unsanitized paths have been identified, all categorized as high severity. While there are no critical taint flows or raw SQL queries, these high-severity unsanitized paths represent a significant risk. They suggest potential avenues for attackers to manipulate file paths or other sensitive input, which could lead to unintended consequences or data exposure, even if the direct impact is not immediately critical. The plugin's history of zero known CVEs is a positive indicator, suggesting a lack of publicly disclosed vulnerabilities, but it should not lead to complacency given the identified taint issues.

In conclusion, stifli-flex-mcp v2.2.0 has a solid foundation with strong authentication and authorization. The primary weakness lies in the high-severity taint flows indicating potential path traversal or similar vulnerabilities. Addressing these specific taint flows should be the immediate priority to improve the plugin's overall security.

Key Concerns

  • High severity unsanitized paths in taint analysis
Vulnerabilities
None known

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Release Timeline

v3.1.3Current
v3.1.2
v3.1.1
v3.1.0
v3.0.3
v3.0.2
v3.0.1
v2.2.0
v2.1.0
v2.0.3
v2.0.2
v2.0.1
v1.0.5
v1.0.4
v1.0.3
Code Analysis
Analyzed Mar 16, 2026

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Code Analysis

Dangerous Functions
0
Raw SQL Queries
23
168 prepared
Unescaped Output
172
851 escaped
Nonce Checks
54
Capability Checks
68
File Operations
11
External Requests
20
Bundled Libraries
0

SQL Query Safety

88% prepared191 total queries

Output Escaping

83% escaped1023 total outputs
Data Flows · Security
7 unsanitized

Data Flow Analysis

25 flows7 with unsanitized paths
ajax_toggle_task (client\class-automation-admin.php:925)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Attack Surface

Entry Points53
Unprotected0

AJAX Handlers 53

authwp_ajax_sflmcp_automation_get_tasksclient\class-automation-admin.php:38
authwp_ajax_sflmcp_automation_save_taskclient\class-automation-admin.php:39
authwp_ajax_sflmcp_automation_delete_taskclient\class-automation-admin.php:40
authwp_ajax_sflmcp_automation_toggle_taskclient\class-automation-admin.php:41
authwp_ajax_sflmcp_automation_run_taskclient\class-automation-admin.php:42
authwp_ajax_sflmcp_automation_test_promptclient\class-automation-admin.php:43
authwp_ajax_sflmcp_automation_test_startclient\class-automation-admin.php:44
authwp_ajax_sflmcp_automation_test_stepclient\class-automation-admin.php:45
authwp_ajax_sflmcp_automation_get_logsclient\class-automation-admin.php:46
authwp_ajax_sflmcp_automation_get_templatesclient\class-automation-admin.php:47
authwp_ajax_sflmcp_client_chatclient\class-client-admin.php:102
authwp_ajax_sflmcp_client_save_settingsclient\class-client-admin.php:103
authwp_ajax_sflmcp_client_save_advancedclient\class-client-admin.php:104
authwp_ajax_sflmcp_client_execute_toolclient\class-client-admin.php:105
authwp_ajax_sflmcp_client_poll_toolclient\class-client-admin.php:106
authwp_ajax_sflmcp_client_save_historyclient\class-client-admin.php:107
authwp_ajax_sflmcp_client_load_historyclient\class-client-admin.php:108
authwp_ajax_sflmcp_client_clear_historyclient\class-client-admin.php:109
authwp_ajax_sflmcp_events_get_automationsclient\class-event-automation-admin.php:27
authwp_ajax_sflmcp_events_get_automationclient\class-event-automation-admin.php:28
authwp_ajax_sflmcp_events_save_automationclient\class-event-automation-admin.php:29
authwp_ajax_sflmcp_events_delete_automationclient\class-event-automation-admin.php:30
authwp_ajax_sflmcp_events_toggle_statusclient\class-event-automation-admin.php:31
authwp_ajax_sflmcp_events_get_triggersclient\class-event-automation-admin.php:32
authwp_ajax_sflmcp_events_get_logsclient\class-event-automation-admin.php:33
authwp_ajax_sflmcp_events_test_automationclient\class-event-automation-admin.php:34
authwp_ajax_sflmcp_toggle_loggingclient\class-logs-admin.php:27
authwp_ajax_sflmcp_clear_logsclient\class-logs-admin.php:28
authwp_ajax_sflmcp_refresh_logsclient\class-logs-admin.php:29
authwp_ajax_sflmcp_create_profilemod.php:33
authwp_ajax_sflmcp_update_profilemod.php:34
authwp_ajax_sflmcp_delete_profilemod.php:35
authwp_ajax_sflmcp_duplicate_profilemod.php:36
authwp_ajax_sflmcp_apply_profilemod.php:37
authwp_ajax_sflmcp_export_profilemod.php:38
authwp_ajax_sflmcp_import_profilemod.php:39
authwp_ajax_sflmcp_restore_system_profilesmod.php:40
authwp_ajax_sflmcp_get_custom_toolsmod.php:42
authwp_ajax_sflmcp_save_custom_toolmod.php:43
authwp_ajax_sflmcp_delete_custom_toolmod.php:44
authwp_ajax_sflmcp_test_custom_toolmod.php:45
authwp_ajax_sflmcp_toggle_custom_toolmod.php:46
authwp_ajax_sflmcp_toggle_toolmod.php:48
authwp_ajax_sflmcp_bulk_toggle_toolsmod.php:49
authwp_ajax_sflmcp_discover_abilitiesmod.php:51
authwp_ajax_sflmcp_import_abilitymod.php:52
authwp_ajax_sflmcp_toggle_abilitymod.php:53
authwp_ajax_sflmcp_delete_abilitymod.php:54
authwp_ajax_sflmcp_get_imported_abilitiesmod.php:55
authwp_ajax_sflmcp_save_multimedia_settingsmod.php:57
authwp_ajax_sflmcp_load_multimedia_settingsmod.php:58
authwp_ajax_sflmcp_mm_toggle_toolmod.php:59
authwp_ajax_sflmcp_mm_reveal_keymod.php:60
WordPress Hooks 30
actionadmin_menuclient\class-automation-admin.php:34
actionadmin_enqueue_scriptsclient\class-automation-admin.php:35
filtercron_schedulesclient\class-automation-engine.php:157
actionadmin_menuclient\class-client-admin.php:100
actionadmin_enqueue_scriptsclient\class-client-admin.php:101
actionsflmcp_async_tool_execclient\class-client-admin.php:112
actionadmin_menuclient\class-event-automation-admin.php:23
actionadmin_enqueue_scriptsclient\class-event-automation-admin.php:24
actionadmin_menuclient\class-logs-admin.php:23
actionadmin_enqueue_scriptsclient\class-logs-admin.php:24
actionrest_api_initmod.php:24
actionadmin_menumod.php:27
actionadmin_menumod.php:28
actionadmin_menumod.php:29
actionadmin_initmod.php:30
actionadmin_enqueue_scriptsmod.php:31
filterupload_mimesmodels\model.php:1947
actioninitstifli-flex-mcp.php:180
actioninitstifli-flex-mcp.php:189
actionwoocommerce_loadedstifli-flex-mcp.php:351
filtercron_schedulesstifli-flex-mcp.php:2164
filtercron_schedulesstifli-flex-mcp.php:2195
actionsflmcp_process_automation_tasksstifli-flex-mcp.php:2200
actionsflmcp_clean_queuestifli-flex-mcp.php:2254
actionsflmcp_maintenance_modestifli-flex-mcp.php:2282
filtersflmcp_action_resultstifli-flex-mcp.php:2298
actionsflmcp_admin_notifystifli-flex-mcp.php:2309
filtersflmcp_action_resultstifli-flex-mcp.php:2324
filtersflmcp_action_resultstifli-flex-mcp.php:2338
actionplugins_loadedstifli-flex-mcp.php:2363

Scheduled Events 5

sflmcp_async_tool_exec
sflmcp_process_automation_tasks
sflmcp_clean_queue
sflmcp_clean_queue
sflmcp_process_automation_tasks
Maintenance & Trust

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Maintenance & Trust

Maintenance Signals

WordPress version tested7.0
Last updatedApr 13, 2026
PHP min version7.4
Downloads7K

Community Trust

Rating100/100
Number of ratings4
Active installs900
Alternatives

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Alternatives

Royal MCP

Royal MCP

royal-mcp

A
99

The security-first MCP server for WordPress. Connect Claude, ChatGPT, and Gemini with API key auth, rate limiting, and activity logging.

500 1 CVE
AI SEO Article Generator

AI SEO Article Generator

ai-seo-article-generator

A
100

Generate SEO-optimized articles using Claude 4 or OpenAI AI. Features feedback system, structured content creation and full Hebrew/English support.

0 No CVEs
Albert – The AI Butler

Albert – The AI Butler

albert-ai-butler

A
100

At your service — Albert connects AI assistants to your WordPress site so they can manage content, handle tasks, and keep things running smoothly.

0 No CVEs
MountDev AI MCP Connector

MountDev AI MCP Connector

mountdev-ai-mcp-connector

A
100

Transform your WordPress site into an AI-powered Model Context Protocol (MCP) server. Exposes WordPress functionality for AI agents.

0 No CVEs
Social Sharing Plugin – Sassy Social Share

Social Sharing Plugin – Sassy Social Share

sassy-social-share

A
94

The Simplest and Optimized Social Share buttons. Facebook, X, Reddit, Pinterest, Whatsapp, Grok, ChatGPT, Gab, Gettr and over 100 more.

100K 11 CVEs
Developer Profile

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server Developer Profile

Esteban

4 plugins · 4K total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/stifli-flex-mcp/client/css/automation-admin.css/wp-content/plugins/stifli-flex-mcp/client/css/logs-admin.css/wp-content/plugins/stifli-flex-mcp/client/js/automation-admin.js/wp-content/plugins/stifli-flex-mcp/client/js/logs-admin.js/wp-content/plugins/stifli-flex-mcp/client/js/provider-openai.js/wp-content/plugins/stifli-flex-mcp/client/js/provider-claude.js/wp-content/plugins/stifli-flex-mcp/client/js/provider-gemini.js/wp-content/plugins/stifli-flex-mcp/client/js/client-admin.js+3 more
Script Paths
/wp-content/plugins/stifli-flex-mcp/client/js/automation-admin.js/wp-content/plugins/stifli-flex-mcp/client/js/logs-admin.js/wp-content/plugins/stifli-flex-mcp/client/js/provider-openai.js/wp-content/plugins/stifli-flex-mcp/client/js/provider-claude.js/wp-content/plugins/stifli-flex-mcp/client/js/provider-gemini.js/wp-content/plugins/stifli-flex-mcp/client/js/client-admin.js+1 more
Version Parameters
stifli-flex-mcp/client/css/automation-admin.css?ver=stifli-flex-mcp/client/css/logs-admin.css?ver=stifli-flex-mcp/client/js/automation-admin.js?ver=stifli-flex-mcp/client/js/logs-admin.js?ver=stifli-flex-mcp/client/js/provider-openai.js?ver=stifli-flex-mcp/client/js/provider-claude.js?ver=stifli-flex-mcp/client/js/provider-gemini.js?ver=stifli-flex-mcp/client/js/client-admin.js?ver=stifli-flex-mcp/client/js/event-automation-admin.js?ver=stifli-flex-mcp/assets/js/select2/select2.min.js?ver=stifli-flex-mcp/assets/css/select2/select2.min.css?ver=

HTML / DOM Fingerprints

CSS Classes
sflmcp-admin-sectionsflmcp-automation-sectionsflmcp-logs-sectionsflmcp-provider-settingssflmcp-tool-itemsflmcp-queue-tablesflmcp-settings-field
HTML Comments
<!-- StifLi Flex MCP - AI Chat Agent and MCP Server --><!-- Plugin Name: StifLi Flex MCP - AI Chat Agent and MCP Server --><!-- Description: Transform your WordPress site into a Model Context Protocol (MCP) server. Expose 117+ tools (55 WordPress, 61 WooCommerce, 1 Core + WordPress Abilities) that AI agents like ChatGPT, Claude, and LibreChat can use to manage your WordPress and WooCommerce site via JSON-RPC 2.0. --><!-- Author: estebandestifli -->+20 more
Data Attributes
data-tool-iddata-sflmcp-automation-iddata-sflmcp-log-entry-iddata-sflmcp-provider-slug
JS Globals
StifliFlexMcpAutomationAdminStifliFlexMcpLogsAdminStifliFlexMcpEventAutomationAdminStifliFlexMcpClientAdmin
REST Endpoints
/wp-json/stifli-flex-mcp/v1/automation/toggle/wp-json/stifli-flex-mcp/v1/logs/clear/wp-json/stifli-flex-mcp/v1/tools/sync
FAQ

Frequently Asked Questions about StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server