Bitcoin and Altcoin Wallets Security & Risk Analysis

wordpress.org/plugins/wallets

Custodial cryptocurrency wallets.

70 active installs · v6.4.1 · PHP 7.2+ · WP 6.0+ · Updated Jan 30, 2026
Tags: altcoin, bitcoin, cryptocurrency, custodial, wallet
99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Nov 10, 2024
Safety Verdict

Is Bitcoin and Altcoin Wallets Safe to Use in 2026?

Generally Safe

Score 99/100

Bitcoin and Altcoin Wallets has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Nov 10, 2024 · Updated 2mo ago
Risk Assessment

The "wallets" plugin v6.4.1 presents a mixed security posture. While it demonstrates some good practices like a high percentage of SQL queries using prepared statements and a reasonable proportion of properly escaped outputs, significant concerns emerge from its attack surface and vulnerability history. The plugin exposes a large number of entry points, particularly REST API routes and AJAX handlers, with a disproportionately high percentage lacking proper authentication or permission checks. This is a critical weakness, as it makes these endpoints vulnerable to unauthorized access and potential exploitation by unauthenticated users. Furthermore, the presence of the `unserialize` function, especially without clear sanitization or context, is a known risk factor that can lead to remote code execution vulnerabilities if improperly handled. The plugin's vulnerability history, despite currently having no unpatched CVEs, includes a past medium-severity Cross-Site Scripting (XSS) vulnerability. This suggests a tendency for input sanitization issues, which, combined with the large unprotected attack surface, increases the overall risk profile. In conclusion, while the plugin has areas of strength, the substantial number of unprotected entry points and the presence of a historically problematic function like `unserialize` necessitate careful attention and immediate remediation to mitigate significant security risks.

Key Concerns

  • Unprotected REST API routes
  • Unprotected AJAX handlers
  • Dangerous function: unserialize found
  • Past medium severity XSS vulnerability
  • Low percentage of proper capability checks
Vulnerabilities
1

Bitcoin and Altcoin Wallets Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-24544 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bitcoin and Altcoin Wallet <= 6.3.1 - Reflected Cross-Site Scripting

Nov 10, 2024 · Patched in 6.3.2 (108d)
Code Analysis
Analyzed Mar 16, 2026

Bitcoin and Altcoin Wallets Code Analysis

  • Dangerous Functions: 5
  • Raw SQL Queries: 11 (55 prepared)
  • Unescaped Output: 321 (799 escaped)
  • Nonce Checks: 8
  • Capability Checks: 2
  • File Operations: 5
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · post-types\class-currency.php:295 · `$currency->rates = unserialize( $postmeta['wallets_rates'] ?? 'a:0:{}' );`
  • unserialize · post-types\class-currency.php:298 · `$currency->max_withdraw_per_role = (array) unserialize( $postmeta['wallets_max_withdraw_per_role'] ?`
  • unserialize · post-types\class-wallet.php:141 · `$wallet->adapter_settings = unserialize(`
  • unserialize · post-types\class-wallet.php:142 · `unserialize(`
  • unserialize · post-types\class-wallet.php:690 · `$wallet->__set( 'adapter_settings', unserialize( get_post_meta( $post_id, 'wallets_adapter_settings'`

SQL Query Safety

83% prepared · 66 total queries

Output Escaping

71% escaped · 1120 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

5 flows · 1 with unsanitized paths
<cold-storage> (admin\cold-storage.php:0)
Attack Surface
19 unprotected

Bitcoin and Altcoin Wallets Attack Surface

Entry Points: 31
Unprotected: 19

AJAX Handlers 1

auth · wp_ajax_wallets_login_suggest · apis\suggest.php:15

REST API Routes 19

GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/banktransfers/withdrawal · adapters\class-bank-fiat-adapter.php:403
GET /wp-json/dswallets/v1/walletnotify/(?P<currency_id>\d+)/(?P<txid>\w+) · adapters\class-bitcoin-core-like-wallet-adapter.php:1162
GET /wp-json/dswallets/v1/blocknotify/(?P<currency_id>\d+)/(?P<blockhash>\w+) · adapters\class-bitcoin-core-like-wallet-adapter.php:1264
GET /wp-json/dswallets/v1/currencies · apis\wp-rest.php:121
GET /wp-json/dswallets/v1/currencies/(?P<currency_id>\d+) · apis\wp-rest.php:223
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies · apis\wp-rest.php:288
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+) · apis\wp-rest.php:378
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/transactions · apis\wp-rest.php:581
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/transactions/category/(?P<category>\w+) · apis\wp-rest.php:597
GET /wp-json/dswallets/v1/transactions/validate/(?P<nonce>\w+) · apis\wp-rest.php:615
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/transactions · apis\wp-rest.php:670
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/transactions/category/(?P<category>\w+) · apis\wp-rest.php:692
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/transactions/category/move · apis\wp-rest.php:715
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/transactions/category/withdrawal · apis\wp-rest.php:849
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/addresses · apis\wp-rest.php:986
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/addresses/(?P<address_id>\d+) · apis\wp-rest.php:1054
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/addresses · apis\wp-rest.php:1110
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/addresses/(?P<address_id>\d+) · apis\wp-rest.php:1166
GET /wp-json/dswallets/v1/users/(?P<user_id>\d+)/currencies/(?P<currency_id>\d+)/addresses · apis\wp-rest.php:1224

Shortcodes 11

[wallets_balance] frontend\shortcodes.php:212
[wallets_rates] frontend\shortcodes.php:284
[wallets_status] frontend\shortcodes.php:352
[wallets_deposit] frontend\shortcodes.php:452
[wallets_total_balances] frontend\shortcodes.php:525
[wallets_account_value] frontend\shortcodes.php:604
[wallets_move] frontend\shortcodes.php:699
[wallets_withdraw] frontend\shortcodes.php:795
[wallets_fiat_withdraw] frontend\shortcodes.php:895
[wallets_fiat_deposit] frontend\shortcodes.php:982
[wallets_transactions] frontend\shortcodes.php:1112
WordPress Hooks 173
action · wallets_email_bank_fiat_notify · adapters\class-bank-fiat-adapter.php:188
action · wallets_email_bank_fiat_notify · adapters\class-bank-fiat-adapter.php:295
filter · wallets_email_bank_fiat_subject · adapters\class-bank-fiat-adapter.php:387
action · rest_api_init · adapters\class-bank-fiat-adapter.php:402
action · tool_box · adapters\class-bank-fiat-adapter.php:637
action · admin_enqueue_scripts · adapters\class-bank-fiat-adapter.php:684
action · admin_menu · adapters\class-bank-fiat-adapter.php:698
action · admin_init · adapters\class-bitcoin-core-like-wallet-adapter.php:16
action · rest_api_init · adapters\class-bitcoin-core-like-wallet-adapter.php:1161
action · admin_enqueue_scripts · admin\assets.php:16
filter · wallets_capabilities · admin\capabilities.php:155
filter · wallets_capabilities · admin\capabilities.php:160
filter · wallets_capabilities · admin\capabilities.php:165
filter · wallets_capabilities · admin\capabilities.php:170
filter · wallets_capabilities · admin\capabilities.php:175
action · init · admin\capabilities.php:258
filter · wallets_settings_tabs · admin\capabilities.php:318
action · admin_init · admin\capabilities.php:464
action · tool_box · admin\cold-storage.php:14
action · admin_menu · admin\cold-storage.php:50
action · admin_enqueue_scripts · admin\cold-storage.php:711
filter · wallets_dashboard_tabs · admin\dashboard.php:16
action · wp_dashboard_setup · admin\dashboard.php:51
action · admin_enqueue_scripts · admin\dashboard.php:55
filter · wallets_dashboard_debug · admin\dashboard.php:346
filter · wallets_documentation · admin\documentation.php:16
action · admin_enqueue_scripts · admin\documentation.php:106
action · admin_menu · admin\documentation.php:116
action · admin_init · admin\gdpr.php:18
filter · wp_privacy_personal_data_exporters · admin\gdpr.php:38
filter · wp_privacy_personal_data_erasers · admin\gdpr.php:185
action · tool_box · admin\migration.php:19
action · admin_menu · admin\migration.php:109
action · admin_notices · admin\migration.php:536
action · in_admin_header · admin\pointers.php:14
action · admin_init · admin\pointers.php:342
action · edit_user_profile · admin\profile.php:13
action · show_user_profile · admin\profile.php:14
action · wallets_profile_section · admin\profile.php:53
action · admin_enqueue_scripts · admin\settings.php:76
action · admin_menu · admin\settings.php:90
action · in_admin_footer · admin\settings.php:105
action · admin_init · admin\settings.php:177
filter · pre_update_site_option_wallets_cron_interval · admin\settings.php:651
filter · wallets_settings_tabs · admin\updates.php:20
action · admin_init · admin\updates.php:60
action · in_plugin_update_message-wallets/wallets.php · admin\updates.php:136
action · network_admin_menu · admin\updates.php:160
action · admin_menu · admin\updates.php:169
action · init · apis\legacy-json.php:21
filter · query_vars · apis\legacy-json.php:22
action · parse_request · apis\legacy-json.php:23
action · wallets_profile_section · apis\legacy-json.php:25
action · shutdown · apis\legacy-json.php:127
action · wallets_api_balance · apis\legacy-php.php:125
action · wallets_api_available_balance · apis\legacy-php.php:204
filter · wallets_api_adapters · apis\legacy-php.php:231
action · wallets_api_transactions · apis\legacy-php.php:431
action · wallets_api_withdraw · apis\legacy-php.php:544
action · wallets_api_move · apis\legacy-php.php:710
filter · wallets_api_deposit_address · apis\legacy-php.php:831
action · wallets_api_cancel_transaction · apis\legacy-php.php:956
action · wallets_api_retry_transaction · apis\legacy-php.php:1084
filter · wallets_front_data · apis\wp-rest.php:20
action · rest_api_init · apis\wp-rest.php:32
filter · wallets_currencies_rest_filter · apis\wp-rest.php:1376
action · wallets_cron_tasks · cron\abstract-task.php:59
filter · cron_schedules · cron\abstract-task.php:118
action · init · cron\abstract-task.php:155
action · admin_notices · cron\abstract-task.php:176
action · wallets_cron_tasks · cron\abstract-task.php:209
action · wallets_cron_tasks · cron\abstract-task.php:266
action · wallets_withdrawal_pre_check · cron\class-withdrawals-task.php:291
action · wallets_withdrawal_pre_check · cron\class-withdrawals-task.php:334
action · wallets_withdrawal_pre_check · cron\class-withdrawals-task.php:348
action · wallets_withdrawal_pre_check · cron\class-withdrawals-task.php:382
action · wallets_withdrawals_pre_check · cron\class-withdrawals-task.php:393
action · wallets_withdrawals_pre_check · cron\class-withdrawals-task.php:456
action · wallets_withdrawals_pre_check · cron\class-withdrawals-task.php:537
action · wallets_withdrawals_pre_check · cron\class-withdrawals-task.php:640
action · wp_enqueue_scripts · frontend\assets.php:16
action · customize_register · frontend\customizer.php:148
action · wp_head · frontend\customizer.php:771
action · init · frontend\menu-item.php:18
filter · walker_nav_menu_start_el · frontend\menu-item.php:21
action · wp_after_admin_bar_render · frontend\menu-item.php:69
filter · wp_setup_nav_menu_item · frontend\menu-item.php:80
filter · customize_nav_menu_available_item_types · frontend\menu-item.php:136
filter · customize_nav_menu_available_items · frontend\menu-item.php:150
filter · no_texturize_shortcodes · frontend\shortcodes.php:68
filter · run_wptexturize · frontend\shortcodes.php:98
action · wp · frontend\shortcodes.php:102
action · wallets_email_notify · helpers\emails.php:105
filter · wallets_email_notify_subject · helpers\emails.php:216
filter · wallets_explorer_uri_add_BTC · helpers\explorers.php:32
filter · wallets_explorer_uri_tx_BTC · helpers\explorers.php:36
filter · wallets_explorer_uri_add_BCH · helpers\explorers.php:40
filter · wallets_explorer_uri_tx_BCH · helpers\explorers.php:44
filter · wallets_explorer_uri_add_ETH · helpers\explorers.php:48
filter · wallets_explorer_uri_tx_ETH · helpers\explorers.php:52
filter · wallets_explorer_uri_add_LTC · helpers\explorers.php:56
filter · wallets_explorer_uri_tx_LTC · helpers\explorers.php:60
filter · wallets_explorer_uri_add_BSV · helpers\explorers.php:64
filter · wallets_explorer_uri_tx_BSV · helpers\explorers.php:68
filter · wallets_explorer_uri_add_DOGE · helpers\explorers.php:72
filter · wallets_explorer_uri_tx_DOGE · helpers\explorers.php:76
filter · wallets_explorer_uri_add_DASH · helpers\explorers.php:80
filter · wallets_explorer_uri_tx_DASH · helpers\explorers.php:84
filter · wallets_explorer_uri_add_XRP · helpers\explorers.php:88
filter · wallets_explorer_uri_tx_XRP · helpers\explorers.php:92
filter · wallets_explorer_uri_add_GRS · helpers\explorers.php:96
filter · wallets_explorer_uri_tx_GRS · helpers\explorers.php:100
filter · wallets_explorer_uri_add_XLM · helpers\explorers.php:104
filter · wallets_explorer_uri_tx_XLM · helpers\explorers.php:108
filter · wallets_explorer_uri_add_EOS · helpers\explorers.php:112
filter · wallets_explorer_uri_tx_EOS · helpers\explorers.php:116
filter · wallets_explorer_uri_add_ADA · helpers\explorers.php:120
filter · wallets_explorer_uri_tx_ADA · helpers\explorers.php:124
filter · wallets_explorer_uri_add_XTZ · helpers\explorers.php:128
filter · wallets_explorer_uri_tx_XTZ · helpers\explorers.php:132
filter · wallets_explorer_uri_add_ZEC · helpers\explorers.php:136
filter · wallets_explorer_uri_tx_ZEC · helpers\explorers.php:140
action · init · helpers\multisite.php:301
action · save_post · post-types\abstract-post-type.php:319
action · init · post-types\abstract-post-type.php:373
action · init · post-types\abstract-post-type.php:374
action · add_meta_boxes · post-types\abstract-post-type.php:375
action · save_post · post-types\abstract-post-type.php:376
action · save_post · post-types\class-address.php:320
action · manage_wallets_address_posts_custom_column · post-types\class-address.php:528
filter · manage_wallets_address_posts_columns · post-types\class-address.php:529
action · pre_get_posts · post-types\class-address.php:531
filter · posts_search · post-types\class-address.php:577
filter · posts_join · post-types\class-address.php:599
filter · views_edit-wallets_address · post-types\class-address.php:619
filter · page_row_actions · post-types\class-address.php:731
action · admin_notices · post-types\class-address.php:764
action · edit_form_top · post-types\class-address.php:1468
action · manage_posts_extra_tablenav · post-types\class-address.php:1490
action · save_post · post-types\class-currency.php:398
action · manage_wallets_currency_posts_custom_column · post-types\class-currency.php:960
filter · manage_wallets_currency_posts_columns · post-types\class-currency.php:961
action · admin_notices · post-types\class-currency.php:964
action · pre_get_posts · post-types\class-currency.php:976
filter · posts_join · post-types\class-currency.php:992
filter · posts_where · post-types\class-currency.php:1003
filter · views_edit-wallets_currency · post-types\class-currency.php:1030
action · edit_form_top · post-types\class-currency.php:2133
action · manage_posts_extra_tablenav · post-types\class-currency.php:2155
action · transition_post_status · post-types\class-transaction.php:420
action · save_post · post-types\class-transaction.php:483
action · transition_post_status · post-types\class-transaction.php:1028
action · manage_wallets_tx_posts_custom_column · post-types\class-transaction.php:1031
filter · manage_wallets_tx_posts_columns · post-types\class-transaction.php:1032
action · admin_init · post-types\class-transaction.php:1034
action · pre_get_posts · post-types\class-transaction.php:1055
filter · views_edit-wallets_tx · post-types\class-transaction.php:1165
filter · page_row_actions · post-types\class-transaction.php:1316
filter · bulk_actions-edit-wallets_tx · post-types\class-transaction.php:1349
action · handle_bulk_actions-edit-wallets_tx · post-types\class-transaction.php:1361
action · admin_notices · post-types\class-transaction.php:1401
action · shutdown · post-types\class-transaction.php:2497
action · edit_form_top · post-types\class-transaction.php:2753
action · manage_posts_extra_tablenav · post-types\class-transaction.php:2775
action · save_post · post-types\class-wallet.php:211
action · manage_wallets_wallet_posts_custom_column · post-types\class-wallet.php:310
filter · manage_wallets_wallet_posts_columns · post-types\class-wallet.php:311
action · pre_get_posts · post-types\class-wallet.php:313
filter · views_edit-wallets_wallet · post-types\class-wallet.php:342
action · edit_form_top · post-types\class-wallet.php:900
action · manage_posts_extra_tablenav · post-types\class-wallet.php:922
action · plugins_loaded · wallets.php:108
filter · network_admin_plugin_action_links · wallets.php:167

Scheduled Events 2

wallets_cron_tasks
wallets_cron_tasks
Maintenance & Trust

Bitcoin and Altcoin Wallets Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 30, 2026
PHP min version: 7.2
Downloads: 90K

Community Trust

Rating: 96/100
Number of ratings: 27
Active installs: 70
Developer Profile

Bitcoin and Altcoin Wallets Developer Profile

dashed-slug.net

2 plugins · 150 total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 108 days
Detection Fingerprints

How We Detect Bitcoin and Altcoin Wallets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wallets/admin/assets/css/dashboard.css
  • /wp-content/plugins/wallets/admin/assets/js/dashboard.js
  • /wp-content/plugins/wallets/frontend/assets/css/wallets.css
  • /wp-content/plugins/wallets/frontend/assets/js/wallets.js
  • /wp-content/plugins/wallets/admin/assets/css/settings.css
  • /wp-content/plugins/wallets/admin/assets/js/settings.js
  • /wp-content/plugins/wallets/admin/assets/js/profile.js
  • /wp-content/plugins/wallets/admin/assets/js/documentation.js
  • +3 more
Script Paths
  • /wp-content/plugins/wallets/admin/assets/js/dashboard.js
  • /wp-content/plugins/wallets/frontend/assets/js/wallets.js
  • /wp-content/plugins/wallets/admin/assets/js/settings.js
  • /wp-content/plugins/wallets/admin/assets/js/profile.js
  • /wp-content/plugins/wallets/admin/assets/js/documentation.js
  • /wp-content/plugins/wallets/admin/assets/js/cold-storage.js
  • +2 more
Version Parameters
  • wallets/admin/assets/css/dashboard.css?ver=
  • wallets/admin/assets/js/dashboard.js?ver=
  • wallets/frontend/assets/css/wallets.css?ver=
  • wallets/frontend/assets/js/wallets.js?ver=
  • wallets/admin/assets/css/settings.css?ver=
  • wallets/admin/assets/js/settings.js?ver=
  • wallets/admin/assets/js/profile.js?ver=
  • wallets/admin/assets/js/documentation.js?ver=
  • wallets/admin/assets/js/cold-storage.js?ver=
  • wallets/admin/assets/js/pointers.js?ver=
  • wallets/admin/assets/js/migration.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wallets-dashboard-widget
  • wallets-balance
  • wallets-transaction-list
  • wallets-settings-section
  • wallets-form-field
  • wallets-user-profile-field
HTML Comments
  • <!-- Wallets Admin Settings -->
  • <!-- Wallets Frontend Content -->
  • <!-- DSWallets API Endpoint -->
Data Attributes
  • data-wallets-currency-id
  • data-wallets-address-id
  • data-wallets-transaction-id
  • data-wallets-wallet-id
  • data-wallets-user-id
JS Globals
  • DSWallets
  • wallets_ajax_object
REST Endpoints
  • /wp-json/wallets/v1/balance
  • /wp-json/wallets/v1/transaction
  • /wp-json/wallets/v1/address
  • /wp-json/wallets/v1/wallet
  • /wp-json/wallets/v1/settings
Shortcode Output
  • [wallets_balance]
  • [wallets_transactions]
  • [wallets_addresses]
  • [wallets_deposit]
FAQ

Frequently Asked Questions about Bitcoin and Altcoin Wallets