WP-Safety

Web3 Access Security & Risk Analysis

wordpress.org/plugins/web3-access

Accept cryptocurrency payments via MetaMask or web3 browser wallets. Restrict content to NFT owners or crypto wallets that make a payment.

60 active installs v1.7.3 PHP + WP 4.0+ Updated Dec 3, 2025
crypto-paymentscryptocurrencynftrestrict-contentweb3
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Web3 Access Safe to Use in 2026?

Generally Safe

Score 100/100

Web3 Access has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5mo ago
Risk Assessment

The web3-access plugin v1.7.3 exhibits a generally good security posture with several positive indicators. The vast majority of SQL queries are prepared, and output escaping is handled effectively, suggesting developers are aware of common web vulnerabilities. Furthermore, the absence of any recorded CVEs or known vulnerabilities in its history is a strong positive sign, indicating a history of responsible development and patching. The plugin also shows an awareness of security checks, with a decent number of capability checks implemented.

However, there are significant concerns regarding the attack surface. The analysis reveals a substantial number of AJAX handlers (5) that lack authentication checks. This presents a direct pathway for unauthenticated users to interact with sensitive plugin functionalities, potentially leading to unintended actions or information disclosure. While the REST API routes appear to have permission callbacks, the unprotected AJAX endpoints remain a critical weakness. The limited number of nonce checks and file operations, while not explicitly problematic in themselves, could be expanded to further harden the plugin against certain types of attacks if the unprotected AJAX endpoints were exploited.

In conclusion, while the plugin's historical security record and adherence to good practices like prepared statements and output escaping are commendable, the presence of unprotected AJAX endpoints is a serious concern that significantly elevates the risk profile. Addressing these unprotected entry points should be the immediate priority for improving the plugin's security.

Key Concerns

  • Unprotected AJAX handlers detected
  • Limited nonce checks
Vulnerabilities
None known

Web3 Access Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Web3 Access Release Timeline

v1.7.3Current
v1.7.2
v1.7.0
v1.6.9
v1.6.8
v1.6.7
Code Analysis
Analyzed Mar 16, 2026

Web3 Access Code Analysis

Dangerous Functions
0
Raw SQL Queries
5
22 prepared
Unescaped Output
15
487 escaped
Nonce Checks
1
Capability Checks
6
File Operations
3
External Requests
7
Bundled Libraries
0

SQL Query Safety

81% prepared27 total queries

Output Escaping

97% escaped502 total outputs
Attack Surface
5 unprotected

Web3 Access Attack Surface

Entry Points23
Unprotected5

AJAX Handlers 5

authwp_ajax_metapress_load_admin_payments_ajax_requestadmin\admin-ajax.php:28
authwp_ajax_metapress_load_admin_subscriptions_ajax_requestadmin\admin-ajax.php:29
authwp_ajax_metapress_admin_update_subscription_price_ajax_requestadmin\admin-ajax.php:30
authwp_ajax_metapress_admin_delete_subscription_ajax_requestadmin\admin-ajax.php:31
authwp_ajax_metapress_load_admin_overview_payments_ajax_requestadmin\admin-ajax.php:32

REST API Routes 14

GET/wp-json/metapress/v2/transactions/includes\rest-api.php:16
GET/wp-json/metapress/v2/subscriptions/includes\rest-api.php:23
POST/wp-json/metapress/v2/deletesubscription/includes\rest-api.php:30
POST/wp-json/metapress/v2/notificationemail/includes\rest-api.php:37
GET/wp-json/metapress/v2/productdata/includes\rest-api.php:44
GET/wp-json/metapress/v2/productprice/includes\rest-api.php:51
GET/wp-json/metapress/v2/productaccess/includes\rest-api.php:58
POST/wp-json/metapress/v2/nfttoken/includes\rest-api.php:65
POST/wp-json/metapress/v2/newtransaction/includes\rest-api.php:72
POST/wp-json/metapress/v2/paytransaction/includes\rest-api.php:79
POST/wp-json/metapress/v2/updatetransaction/includes\rest-api.php:86
POST/wp-json/metapress/v2/deletetransaction/includes\rest-api.php:93
POST/wp-json/metapress/v2/walletsession/includes\rest-api.php:100
GET/wp-json/metapress/v2/moralisnftlist/moralis\rest-api.php:13

Shortcodes 4

[metapress-checkout] includes\content-filter.php:13
[metapress-restricted-content] includes\content-filter.php:14
[metapress-transactions] includes\content-filter.php:15
[metapress-subscriptions] includes\content-filter.php:16
WordPress Hooks 29
actionadmin_initadmin\pages.php:9
actionadmin_menuadmin\pages.php:10
actioninitblocks\index.php:12
filterrender_blockblocks\index.php:13
actioninitcustom\product\create-type.php:6
actionpre_get_postscustom\product\create-type.php:7
actionadd_meta_boxescustom\product\meta-boxes.php:6
actionsave_postcustom\product\meta-boxes.php:7
actionmetapress_send_subscription_renewal_reminders_eventemail\email-functions.php:5
filterwp_mail_content_typeemail\email-functions.php:30
filterthe_contentincludes\content-filter.php:11
filterthe_contentincludes\content-filter.php:12
actiontemplate_redirectincludes\content-filter.php:18
actionrest_api_initincludes\rest-api.php:11
actionwp_headincludes\scripts.php:5
actionwp_enqueue_scriptsincludes\scripts.php:6
actionwp_enqueue_scriptsincludes\scripts.php:7
actionadmin_enqueue_scriptsincludes\scripts.php:8
actionadmin_enqueue_scriptsincludes\scripts.php:9
actionadmin_headincludes\scripts.php:10
filterwoocommerce_single_product_summaryincludes\woocommerce-filter.php:9
filterwoocommerce_is_purchasableincludes\woocommerce-filter.php:10
actionrest_api_initmoralis\rest-api.php:8
filterfilter_web3_access_networkssolana\filters.php:7
filterfilter_web3_access_test_networkssolana\filters.php:8
actionwp_enqueue_scriptssolana\scripts.php:6
actionplugins_loadedupdates\automatic-updates.php:9
filterquery_varsweb3-access.php:45
actioninitweb3-access.php:125

Scheduled Events 1

metapress_send_subscription_renewal_reminders_event
Maintenance & Trust

Web3 Access Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.0
Last updatedDec 3, 2025
PHP min version
Downloads10K

Community Trust

Rating84/100
Number of ratings6
Active installs60
Alternatives

Web3 Access Alternatives

elegro Crypto Payment

elegro Crypto Payment

elegro-payment

A
85

Increase your customers base by accepting cryptocurrencies.

20K No CVEs
Cryptocurrency Payment Gateway

Cryptocurrency Payment Gateway

cryptocurrency-payment-gateway

A
100

Digital Currency Payment Gateway for WooCommerce. Easily accept Bitcoin, Bitcoin Cash, Litecoin, Dogecoin, and more in your store.

500 No CVEs
EthPress – Web3 Login

EthPress – Web3 Login

ethpress

A
92

EthPress Web3 Login Wordpress Plugin adds the capability to connect with cryptocurrency wallets such as MetaMask or WalletConnect QR code.

100 No CVEs
Web3 – Crypto wallet Login & NFT token gating

Web3 – Crypto wallet Login & NFT token gating

web3-authentication

B
81

Users can sign up for your WordPress using their crypto wallets. Gate content based on NFTs owned. Web3 authentication plugin supports crypto wallets …

100 2 CVEs
thirdweb WP

thirdweb WP

thirdweb-wp

A
85

A community WordPress plugin for thirdweb. Turn your WordPress website into Web3 instantly and easily with thirdweb. 🚀💻🧩

30 No CVEs
Developer Profile

Web3 Access Developer Profile

RogueWebDesign

2 plugins · 160 total installs

91
trust score
Avg Security Score
96/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Web3 Access

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/web3-access/images/ethereum.png/wp-content/plugins/web3-access/images/polygon.png/wp-content/plugins/web3-access/images/bnb.png/wp-content/plugins/web3-access/js/metapress-crypto-widgets.js/wp-content/plugins/web3-access/css/metapress-widgets.css/wp-content/plugins/web3-access/js/metapress-widget-loader.js/wp-content/plugins/web3-access/js/web3-access-functions.js/wp-content/plugins/web3-access/js/metapress-blockchain.js+9 more
Version Parameters
web3-access/js/metapress-crypto-widgets.js?ver=web3-access/css/metapress-widgets.css?ver=web3-access/js/metapress-widget-loader.js?ver=web3-access/js/web3-access-functions.js?ver=web3-access/js/metapress-blockchain.js?ver=web3-access/js/metapress-nft.js?ver=web3-access/js/metapress-payment-form.js?ver=web3-access/js/metapress-checkout.js?ver=web3-access/js/metapress-transactions.js?ver=web3-access/js/metapress-subscriptions.js?ver=web3-access/js/metapress-login.js?ver=web3-access/css/metapress-login.css?ver=web3-access/js/metapress-admin.js?ver=web3-access/css/metapress-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
metapress-crypto-widgetsmetapress-widget-loadermetapress-wallet-connect-buttonmetapress-login-formmetapress-admin-pagemetapress-token-listmetapress-network-settingsmetapress-checkout-form+2 more
HTML Comments
<!-- wp:shortcode -->[metapress-checkout]<!-- wp:shortcode -->[metapress-transactions]<!-- wp:shortcode -->[metapress-subscriptions]
Data Attributes
data-metapress-network-namedata-metapress-network-slugdata-metapress-network-chainiddata-metapress-token-addressdata-metapress-token-symbol
JS Globals
window.MetaPresswindow.web3AccessFunctionswindow.MetaPressBlockchainwindow.MetaPressNFTwindow.MetaPressPaymentFormwindow.MetaPressCheckout+5 more
REST Endpoints
/wp-json/web3-access/v1/settings/wp-json/web3-access/v1/validate-payment
Shortcode Output
[metapress-checkout][metapress-transactions][metapress-subscriptions][metapress-login]
FAQ

Frequently Asked Questions about Web3 Access