First, There is no way to disable CORS in modern browsers...
Did you try * instead of %? CORS will read * as allow any. (Please try this first)
Aside from that, you may need to tweak settings in the API config files
vi /usr/local/cwpsrv/conf.d/api.conf
Add the following line right after error_log
add_header Access-Control-Allow-Origin *;
Please note that you will have to fix this each time you update CWP.
Once that is done
/usr/local/cwpsrv/bin/cwpsrv -s reload