mcp-for-woocommerce

The plugin prioritizes read-only operations for most exposed WordPress/WooCommerce data, with dangerous write functionalities largely removed or disabled by default. It leverages WordPress's REST API, which incorporates native sanitization and authentication. Input validation is implemented via `ToolValidator` and `SchemaValidator`. Authentication relies on JWT or standard WordPress cookies, with granular permission checks. The option to disable JWT authentication allows a 'read-only without authentication' mode specifically for local proxy integrations (e.g., Claude Desktop), which is an explicit, administrator-opt-in trade-off for convenience in a controlled environment. The `McpRestApiCrud` tool, which could expose any GET REST API endpoint, is hardcoded to be disabled by default, significantly reducing potential unintended data exposure. CORS is configured with `Access-Control-Allow-Origin: *` for the Streamable endpoint, requiring clients to manage their own authentication securely.