MCP Content Manager Premium 4.0.x

The development of this version cost 2,140 euros. The accumulated cost for this year is 17,599 euros. The accumulated cost since the first version is 17,599 euros, but the cost for you is only the license of 30€.

New version 4.0.x of the plugin MCP Content Manager Premium for WordPress and WooCommerce. This version introduces the Hub Snapshot for multi-site monitoring with no token cost, a Vulnerability Scanner based on Wordfence Intelligence with 137 MB of CVE feed, complete MCP coverage of the Hub with ~30 new abilities, Worker/IWP Parity for detecting DB migrations and native WordPress logging, and a banking module Enable Banking in READ-ONLY mode for PSD2 reconciliation of WooCommerce orders, incorporating ~35 new abilities (from 346 to ~380).

Versions of the branch

• 4.0.0

4.0.0

Hub Snapshot (v3.1)

• New: Token-free snapshot polling — the ability mcm/site-snapshot on the child side returns the complete site status in JSON.
• New: Abilities mcm/hub-site-snapshot and mcm/hub-updates-summary in the hub for a cached multi-site view.
• New: Configurable TTL of the snapshot (6h by default, option mcm_hub_snapshot_ttl, range 5min-7d).
• New: REST endpoints /mcm-hub/v1/dashboard/sites/<id>/snapshot[/refresh] and /updates-overview.

Vulnerability Scanner (Wordfence Intelligence)

• New: CVE scanner based on Wordfence Intelligence feed v3 (137 MB, over 35,000 entries, TTL 12h).
• New: 11 main abilities (mcm/vuln-refresh-feed, vuln-scan, vuln-list, vuln-get, vuln-summary, vuln-report, vuln-resolve, vuln-deactivate-plugin [CONFIRMATION], vuln-update-item [CONFIRMATION], vuln-remediate, vuln-history).
• New: 8 hub abilities (mcm/hub-vuln-scan, hub-vuln-list, hub-vuln-summary, hub-vuln-report, hub-vuln-deactivate-plugin [CONFIRMATION], hub-vuln-update-item [CONFIRMATION], hub-vuln-remediate, hub-vuln-history).
• New: Database table mcm_vulnerabilities with UNIQUE on (item_type, item_slug, vuln_id).
• New: Security audit score penalty for open findings (critical -20, high -10, medium -5, low -1).
• New: Action Scheduler hooks for feed refresh (12h) + scan (24h) + asynchronous scan post-update.
• New: API key storage via constant MCM_WORDFENCE_API_KEY or MCM_Credential_Store (AES-256-GCM).
• New: Vulnerabilities page in the dashboard with mass remediation modal and 30-day sparkline.
• New: CVE badges on global Plugins/Themes pages and SiteDetail tabs.

Hub MCP Coverage (v4.5 — ~30 abilities closing the MCP parity gap)

• New: Site connection and OAuth — hub-site-oauth-start, hub-site-token-refresh, hub-site-update-metadata, hub-site-reset-connection.
• New: Activity and aggregation — hub-activity-stats, hub-aggregate (kind: plugins|themes|users|updates), hub-available-owners.
• New: Hub settings — hub-settings-get, hub-settings-update [CONFIRMATION].
• New: Granular site groups — hub-group-create, hub-group-update, hub-group-assign-site, hub-group-remove-site, hub-group-delete [CONFIRMATION].
• New: Client management — hub-update-client, hub-delete-client [CONFIRMATION].
• New: Maintenance scheduling — hub-schedule-preview, hub-plan-delete [CONFIRMATION].
• New: Alerts — hub-alerts-list, hub-alerts-stats, hub-alerts-acknowledge.
• New: Time and cost tracking — hub-timer-current, hub-timer-start, hub-timer-stop, hub-timer-pause-resume, hub-cost-add, hub-cost-list, hub-cost-delete, hub-time-report.
• New: Installer allowlist — hub-installer-allowlist-get, hub-installer-allowlist-set.

Worker / IWP Parity (4 independent sprints)

• New: Detection of DB upgrade post-plugin update — MCM_DB_Upgrade_Detector detects pending DB migrations after updating plugins (WooCommerce, Elementor, etc.) and returns additional_updates in the response.
• New: Activity logging from WP hooks — MCM_Activity_Hooks hooks ~15 native WordPress events (login, logout, plugin activation, theme change, option changes, etc.) in MCM_Action_Logger with source='hook'.
• New: Resumable file iterator — MCM_File_Iterator with durable checkpoints in the mcm_iterator_checkpoints table. Tree traversal in chunks with configurable size. Used by Time Machine for large plugin/theme snapshots.
• New: Plugin compatibility layer — MCM_Plugin_Compat logging for known plugin conflicts and their workarounds.

Banking Module — Enable Banking (own credentials, restricted mode, READ-ONLY)

• New: End-to-end PSD2 AIS integration. Each installation uses its own Enable Banking App ID and RSA key. No PIS (payment initiation). No writes to the bank. Ever.
• New: Encrypted storage of App ID and private RSA key via MCM_Credential_Store (AES-256-GCM, key derived from AUTH_SALT).
• New: Pure PHP client for Enable Banking that signs JWTs RS256 using openssl_sign (no external dependencies).
• New: PSD2 consent logging with expiration tracking at 90 days, status calculation, and admin notices at 10 / 2 / 0 days.
• New: Response caching based on transients (accounts 1h, balance 15m, transactions 30m).
• New: Rate limiter for TPP-initiated calls that applies the PSD2 limit of 4 calls/account/day (transients with daily rotation). Admin-initiated calls count as PSU-initiated and have no limit.
• New: OAuth scopes banking:read and banking:write. banking:write only authorizes writes to WooCommerce order status — never to the bank.
• New: Helper MCM_OAuth_Interceptor::current_token_has_scope() for scope enforcement by ability.

Banking Abilities (9)

• New: mcm/banking-list-connections — lists connected banks with expiration information.
• New: mcm/banking-list-accounts — lists visible accounts with masked IBANs.
• New: mcm/banking-get-balance — accounting balance of an account.
• New: mcm/banking-list-transactions — accounting transactions with filters by date, amount, and description.
• New: mcm/banking-find-payment-for-order — scans connected accounts looking for candidates for a WooCommerce order with trust scoring (high/medium/low).
• New: mcm/banking-unmatched-incoming — incoming transfers that do not match any WooCommerce order in the window.
• New: mcm/banking-missing-payments — bacs orders on hold without corresponding bank transaction.
• New: mcm/banking-mark-order-paid-from-transaction — marks a WooCommerce order as processing with a private note of bank reference (requires confirmation).
• New: mcm/banking-reconcile-pending-orders — batch reconciler with auto-apply threshold and minimum trust (requires confirmation).

Reconciliation and Automation

• New: Reconciler scoring: high (exact amount + order number in the remittance), medium (exact unique amount in the window), low (exact amount with collisions).
• New: Opt-in auto-reconciliation via Action Scheduler (manual / every 12h / every 6h). Transient-based locking that prevents overlapping executions.
• New: PSD2 redirect callback at /wp-json/mcm-banking/v1/callback that exchanges the authorization code for a session and persists the consent.

Admin Tab of the Banking Module

• New: Settings → MCP Content Manager Premium → Banking. Credentials, onboarding guide, table of connected banks with Revoke action, cron settings, legal disclaimer, and a permanent banner "READ-ONLY — this module cannot move money".
• New: Admin notices at 10 and 2 days before consent expiration; error notice on expired consent.
• New: Logger that masks IBANs (MCM_Banking_Logger::scrub) and redacts PEM blocks, Bearer tokens, and JWT-like strings in the logs.

Security Guarantees

• The Enable Banking HTTP client (includes/banking/class-mcm-banking-enable-client.php) only implements AIS endpoints: /application, /auth, /sessions, /accounts/{uid}/details, /balances, /transactions. No PIS endpoint is imported, called, or referenced.
• All responses returned to MCP clients use masked IBANs; full IBANs never leave the provider layer.
• The description of each banking ability ends with the safeguard phrase "Read-only AIS operation on the bank. Does not initiate payments or move funds." for LLMs to see the limit in the MCP tools catalog.

Fixes

• Fix: hub-emergency-login — transport error caused by 3 issues: object passed instead of int to the proxy, missing WP_Error check in the proxy result, and required in input_schema blocking execution before the handler. Rewritten to mimic the hub-wp-admin-link pattern (no required schema, site_id/domain parameters, manual validation).
• Fix: hub-emergency-login — the proxy sent the parameter duration_minutes but the remote ability security-emergency-login expects minutes.
• Fix: wc-performance-kpis — WC 10.x mixes OrderRefund objects in order queries; added type check to skip refunds in calculate_kpis().
• Fix: create-snapshot — empty ZIP files not written to disk by some versions of libzip; added placeholder entry .mcm-snapshot + clearstatcache() + improved error diagnostics (ZipArchive status, disk_free_space, is_writable).
• Fix: create-login-token — added explicit Hub-only restriction with clear error message when invoked directly.
• Fix: list-rest-routes — the limit parameter was accepted by the handler but missing in input_schema.
• Fix: manage-action-scheduler — the stats action was missing in the input_schema description.
• Fix: Unified SAT parameters — sat-translate-post-async and sat-store-term-translation now use target_language as the main parameter name (with alias for backward compatibility).
• Fix: Documented parameter aliases in 5 ability schemas (manage-post-meta, read-template, builder-compare, db-table-info, hub-emergency-login).

You can purchase the license for MCP Content Manager Premium on the product page.

Please leave this field empty

¡No te pierdas las novedades!

Acepto apuntarme a la lista de correo para estar al día de todas las novedades.

¡No hacemos spam! y te puedes dar de baja cuando quieras

Revisa tu bandeja de entrada o la carpeta de spam para confirmar tu suscripción.