Vibe AI – MCP Server for WordPress. Connect Claude, ChatGPT & Cursor

Changelog

1.2.3

  • Fix: Draft theme name no longer accumulates “(WPVibe Draft)” on every publish cycle — the suffix is now stripped on both create and publish, and the theme header cache is invalidated after restore. Thanks to J. Hoon Yu for the report.

1.2.2

  • Security: SSRF hardening on /upload-media — validate every resolved A and AAAA record against private, loopback, link-local, and reserved ranges; re-validate redirect hops
  • Security: Server-side user scoping on /last-change so a lower-privilege user can’t read change summaries from an admin session
  • Security: Require edit_theme_options or edit_posts in addition to the x_wpvibe header before bumping the admin “Connected” indicator
  • Security: 24-hour TTL on the draft theme preview token so a leaked URL can’t be used indefinitely
  • Security: Remove SVG from the file-write allowlist (SVG can embed script and isn’t needed for classic-theme scaffolding)
  • Fix: Resolve an undefined variable when building the “View Trash” admin URL in the change tracker
  • Maintenance: Uninstall now clears wpvibe_last_active, wpvibe_preview_token_issued, the activation-redirect transient, and any leftover *-wpvibe-draft / *-wpvibe-backup theme directories on disk
  • Thanks to Rob Weaver for the responsible disclosure

1.2.1

  • Compliance: Migrate inline styles and scripts to wp_enqueue_style / wp_enqueue_script
  • Compliance: Replace direct PHP file I/O with the WP_Filesystem API across theme and file operations
  • Compliance: Replace exec()-based PHP syntax validation with in-process tokenizer
  • Feature: Unsplash stock photo search with third-party service disclosure
  • Fix: Allow SQL comparison operators in db query and honor the --limit flag; add {prefix} placeholder
  • Fix: Detect an active WPVibe connection via last-active timestamp instead of the auth token
  • Fix: Custom CLI command sanitizer that preserves angle brackets used by SQL queries

1.1.0

  • Expanded WP-CLI dispatcher with 16 new commands (34 total)
  • Security: Block sensitive options (auth keys, salts) from being read via option get
  • Security: Whitelist post get return fields (excludes post_password)
  • New read commands: plugin search, option list, taxonomy list, term list, post meta get, media list, comment list, comment count, sidebar list
  • New write commands: post create, post update, post delete, post meta update, post meta delete
  • Plugin install and update with two-phase confirmation flow
  • Content truncation for large post_content and post_content_filtered fields
  • Flag normalization: hyphenated flags (--per-page) auto-convert to underscored (--per_page)

1.0.0

  • Initial release
  • WordPress site connection with one-click authorization
  • Full WordPress REST API access for AI content management
  • WordPress Abilities API support (WP 6.9+)
  • WordPress theme file browsing (list, search, outline)
  • WordPress theme editing via draft-preview-publish workflow
  • Classic WordPress theme builder
  • WordPress WP-CLI native dispatch
  • WordPress media uploads from URL
  • Unsplash stock photo search
  • Smart live reload with context-aware navigation
  • Progressive skills system for guided AI WordPress workflows

Author: SeedProd
Version: 1.2.3
Last Updated: May 15, 2026
Active Installs: 700
Requires: WordPress 6.0
Tested Up To: WordPress 6.9.4
Requires PHP: 7.4