Postnova for MCP

2.1.1

• Security: Fixed SSRF vulnerability in blog/upload-media — URL now validated to block internal/private IP ranges and non-HTTP(S) schemes.
• Security: Fixed IDOR vulnerability — all post-level operations (update, get, schedule, duplicate, set-featured-image, delete) now enforce object-level capability checks via current_user_can(‘edit_post’, $id).

2.1.0

• New: blog/list-media — browse Media Library with optional search and MIME type filter.
• New: blog/delete-media — permanently delete a media attachment by ID.
• New: blog/get-site-info — retrieve site name, URL, timezone, language, and WP version.
• New: blog/get-stats — get post/comment/media counts broken down by status.
• Settings page now shows all 24 abilities.

2.0.0

• New: Admin settings page (Postnova menu) to enable/disable individual abilities.
• New: Disabled abilities are not registered to MCP at all, as if they don’t exist.
• New: Settings stored globally in wp_options under postnova_disabled_abilities.

1.6.2

• Fix: update-comment no longer errors when status is already the same.
• Tested up to WordPress 7.0.

1.6.1

• Fix: schedule-post now correctly retains future status instead of publishing immediately.

1.6.0

• Initial public release with 20 blog post abilities.