Bug #1

There is a security vulnerability in the plugin that allows any authenticated user (for example, with the Subscriber role), without needing administrator privileges, to execute a critical action.

By accessing the following endpoint while logged in, the system deletes the mcw-datatime and mcw-currencies transients, drops the mcw_coins database table, and then automatically recreates it.

Domain.com/wp-admin/admin-ajax.php?action=mcw_clear_cache

This action does not include any permission validation (current_user_can) nor nonce protection.

If this endpoint is called repeatedly or at scale, it can cause constant table deletion and recreation, excessive resource consumption, and continuous data regeneration, which may lead to a Denial of Service (DoS) condition and seriously affect the stability and performance of the entire platform.

Bug #2

The save_settings() function in the Massive Cryptocurrency Widgets plugin allows saving global settings via an admin_post_ action, but it does not check permissions or nonce. This causes a serious vulnerability: any authenticated user (even Subscriber) can modify the plugin’s options by sending a POST request to Domain.com/wp-admin/admin-post.php?action=mcw_save_settings, allowing changes to the API key, license, custom CSS, etc.

Solution: add at the beginning of save_settings():

if ( ! current_user_can( ‘manage_options’ ) ) { wp_die( ‘You do not have sufficient permissions.’ ); } check_admin_referer( ‘mcw_save_settings’ );

And in the settings form (includes/settings.php), before closing the <form>:

This ensures only administrators with a valid request can save changes, completely closing the vulnerability.

Please update this plugin and release a fix.

In the new plugin update released today, the issue still persists. After reviewing the code, I identified that the problem comes from the RSS handling function.

The specific error is:

PHP Fatal error: Uncaught Error: Call to a member function get_link() on null in /wp-content/plugins/massive-cryptocurrency-widgets/includes/shortcodes.php:1103

The problem is located in the following file:

/wp-content/plugins/massive-cryptocurrency-widgets/includes/shortcodes.php

Find this line:

$media = $item->get_enclosure()->get_link();

Replace it with:

$enclosure = $item->get_enclosure(); $media = ($enclosure) ? $enclosure->get_link() : ’’;

The error occurs because the code assumes that an enclosure always exists, but many RSS feeds do not include media, causing get_enclosure() to return null and trigger the fatal error.

With this change, the issue is resolved. It would be great if you could release an official update including this fix so all users can benefit from it. In my case, applying this adjustment completely solved the problem.

The converters have an issue: they are not working. I can see that several users are experiencing the same problem, yet no one is responding here.

Is this code no longer receiving updates? Are its creators still selling a product that currently does not work?

Hi Guys,

I have transferred my Widget to another site and reactivated the license but now the cryptocurrency prices are incorrect. For example Bitcoin is showing a value of 7,404,541.85!! How do i fix this?

Prices are not updating.They always show $0.0000000000

Hello. I used to have free version of plugin and it was working fine. As far as i installed pro version all coins icons get supper oversized for no reason. wordpress login: temp pass: F&QPHUT%(2(4S2H!6O&Bp&cz

Hi there, I would like to ask if there is possibility to use data from the plugin as variables in the texts (without containers or styles). We want to make seo texts like faq answers about crypto price, ex. The [crypto_name] price today is [crypto_name price]. Something like that. And if not yet, could you implement something like that?

Hi Guys,

I have 1 ExhangePress, 1 Forex, 7 Massive and 7 Coinpress licenses. I run one site only where I use Massive and Coinpress. – Licenses attached.

But I have an issue, there are issues with php 8.4, and I cannot use the backend. I have imported the widgets from an old site, but I cannot change anything.

Can I swap and use the HTML / PHP versions rather ?

In massive I get :

[11-Mar-2025 23:54:16 UTC] PHP Fatal error: Uncaught TypeError: array_merge(): Argument #2 must be of type array, null given in /site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php:399 Stack trace: #0 /site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php(399): array_merge() #1 /wp-admin/includes/template.php(1456): MassiveCrypto->meta_widget_settings() #2 /wp-admin/edit-form-advanced.php(722): do_meta_boxes() #3 /wp-admin/post.php(206): require(’...’) #4 {main} thrown in /site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php on line 399

Line 399 > $options = (get_post_status($post->ID) === ‘auto-draft’) ? $this->options : array_merge($this->options, json_decode($post->post_content, true));

No luck trying to fix it ..

In Coinpress I get :

[11-Mar-2025 23:57:48 UTC] PHP Fatal error: Uncaught TypeError: array_merge(): Argument #2 must be of type array, null given in /site-content/apps/coinpress/coinmarketcap.php:878 Stack trace: #0 /site-content/apps/coinpress/coinmarketcap.php(878): array_merge() #1 /wp-admin/includes/template.php(1456): Coinmarketcap_Prices->editor_content() #2 /wp-admin/edit-form-advanced.php(745): do_meta_boxes() #3 /wp-admin/post.php(206): require(’...’) #4 {main} thrown in /site-content/apps/coinpress/coinmarketcap.php on line 878

Line 878 > $options = (get_post_status($post->ID) === ‘auto-draft’) ? $this->options : array_merge($this->options, json_decode($post->post_content, true));

It works on the front-end, but I cannot change the calculators or add anything new ..

I don’t use so much of it, for massive I use the calcs, and I use the shotcodes to calculate prices ..

$product_id = $post->ID; global $membership; $membership = get_the_title(); // Member – 30 usd if ( $product_id == “262335”) { $sats_year = do_shortcode(“[mcrypto coin=’BTC’ multiply=’0.3’]”); $mBCH_year = do_shortcode(“[mcrypto coin=’BCH’ multiply=’0.3’]”); } // Creator – 149 usd if ( $product_id == “262343”) { $sats_year = do_shortcode(“[mcrypto coin=’BTC’ multiply=’1.495’]”); $mBCH_year = do_shortcode(“[mcrypto coin=’BCH’ multiply=’1.495’]”); } // Builder – 1750 usd if ( $product_id == “263168”) { $sats_year = do_shortcode(“[mcrypto coin=’BTC’ multiply=’17.5’]”); $mBCH_year = do_shortcode(“[mcrypto coin=’BCH’ multiply=’0.0175’]”); } ?>

and in Coinpress I use the pages, which works .. but there are no tickers or anything else available.

Can you please send me your PHP versions ?

Regards

Hello, how does the widget work? Do we have to buy API access to view the data or does it show precious metal charts, like gold, silver and also currency, like forex??

Hello, I’ve just upgraded this plugin.

Do I just update the licence number in wordpress?

Hi , my customer bought the follow theme ;

and your plug in looks like its free with that theme.

But we couldn’t activate with Envato Purchase Code belong to the related theme. How we can solve this problem?

Our SEO claims that wss://ws.coincap.io/prices?assets=ALL is not loading over HTTPS causing an issue with our SSL?

I want to activate my version. But when I enter the settings page, I find it empty.

[03-Nov-2024 03:32:01 UTC] PHP Warning: Attempt to read property “post_status” on null in /var/www/site.com/site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php on line 732 [03-Nov-2024 03:32:46 UTC] PHP Fatal error: Uncaught TypeError: array_merge(): Argument #2 must be of type array, null given in /var/www/site.com/site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php:407 Stack trace: #0 /var/www/site.com/site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php(407): array_merge() #1 /var/www/site.com/wp-admin/includes/template.php(1456): MassiveCrypto->meta_widget_settings() #2 /var/www/site.com/wp-admin/edit-form-advanced.php(723): do_meta_boxes() #3 /var/www/site.com/wp-admin/post.php(206): require(’...’) #4 {main} thrown in /var/www/site.com/site-content/apps/massive-cryptocurrency-widgets/massive-cryptocurrency-widgets.php on line 407

Hi, I bought the plugin for one site usage, but I need it for two other websites. how can I do it

I bought the plugin for one site usage, but I need it for two other websites. how can do it

Hi,

I am having an Issue between the plugin and WPML. On the Table after clicking on a coin, the page is directed to the original language, rather than the language that is active at the moment. How can this be fixed?

Hi, I currently have to plugins of yours: “Massive Crypto Widgets” and “Massive Stocks Widgets”.

I recently downloaded Massive Crypto and since then I see a problem in the other one, Massive Stocks. The charts of Massive Stocks give me a “Undefined” error message on each chart.

Hello,

If I want to display the total market cap, with shorten set to true it works, it will show me 40 T , and not a long string of numbers ex: [coinmc type=”total_marketcap” format=”symbol” shorten=”true”

but I want to show the total Market Cap for BITCOIN, shorten does not work and a long string of numbers is shown ex: Bitcoin Market Cap: $1,239,259,017,994

[coinmc type=”marketcap” coin=”btc” shorten=”true”]

Am I missing something in the code or this feature is not available for crypto-coins marketcaps?