Buying Buddy IDX CRM – Real Estate MLS Plugin Security & Risk Analysis

wordpress.org/plugins/buying-buddy-idx-crm

Transform your WordPress site into a powerful real estate platform with seamless MLS integration, IDX search, and built-in CRM - no databases or techn …

400 active installs · v2.4.1 · PHP 7.0+ · WP 5.0+ · Updated Mar 9, 2026

Tags: idx, idx-search, property-listings, real-estate-crm, real-estate-plugin

Security score: 97 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jun 19, 2025
Safety Verdict

Is Buying Buddy IDX CRM – Real Estate MLS Plugin Safe to Use in 2026?

Generally Safe

Score 97/100

Buying Buddy IDX CRM – Real Estate MLS Plugin has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jun 19, 2025 · Updated 25d ago
Risk Assessment

The 'buying-buddy-idx-crm' plugin v2.4.1 presents a mixed security posture. While it demonstrates several good security practices, such as 100% prepared SQL statements and a significant majority of properly escaped output, there are notable areas of concern. The presence of the `unserialize` function is a critical red flag, as it can lead to remote code execution vulnerabilities if not handled with extreme care and validation of the serialized data's origin. This is further exacerbated by four flows with unsanitized paths identified during taint analysis, with one classified as high severity. Although there are no currently unpatched CVEs, the historical presence of two CVEs, specifically Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), suggests a history of exploitable flaws that could potentially reappear if similar coding errors are made. The plugin has a relatively small attack surface with no directly unprotected entry points, which is positive. However, the combination of dangerous functions and unsanitized taint flows indicates that diligent code review and patching are essential.

Key Concerns

  • Dangerous function unserialize present
  • High severity taint flow found
  • Flows with unsanitized paths (4)
  • Past high severity CVE recorded
  • Past medium severity CVE recorded
  • Output escaping not fully proper (89%)
Vulnerabilities (2)

Buying Buddy IDX CRM – Real Estate MLS Plugin Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-50037 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Buying Buddy IDX CRM <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 19, 2025 · Patched in 2.3.1 (22d)
CVE-2024-52446 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Buying Buddy IDX CRM <= 1.2.8 - Cross-Site Request Forgery to PHP Object Injection

Nov 18, 2024 · Patched in 2.2.0 (165d)
Code Analysis (analyzed Mar 16, 2026)

Buying Buddy IDX CRM – Real Estate MLS Plugin Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (149 escaped)
Nonce Checks: 5
Capability Checks: 2
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize · includes\class-buying-buddy-admin.php:117
    $orderarr = unserialize(base64_decode(sanitize_text_field($_GET["buyingbuddy_orderstr"])));

unserialize · includes\class-buying-buddy-updater.php:115
    $unserialized = @unserialize($options);

Output Escaping

89% escaped · 167 total outputs

Data Flows (4 unsanitized)

Data Flow Analysis

6 flows · 4 with unsanitized paths

override_canonical · includes\class-buying-buddy-metadata.php:224
Attack Surface

Buying Buddy IDX CRM – Real Estate MLS Plugin Attack Surface

Entry Points: 3 · Unprotected: 0

REST API Routes (2)

GET /wp-json/buyingbuddy/api/settings/(?P<acid>[\w-]+) · includes\class-buying-buddy-public.php:274
GET /wp-json/buyingbuddy/api/widget-theme/(?P<acid>[\w-]+)(?:/(?P<theme_id>[\w-]+))? · includes\class-buying-buddy-public.php:279

Shortcodes (1)

[mbb_widget] · includes\class-buying-buddy-public.php:437

WordPress Hooks (68)

action   plugins_loaded                                buying-buddy.php:66
action   shutdown                                      includes\class-buying-buddy-metadata.php:129
filter   wpseo_title                                   includes\class-buying-buddy-metadata.php:455
filter   wpseo_metadesc                                includes\class-buying-buddy-metadata.php:456
filter   wpseo_opengraph_title                         includes\class-buying-buddy-metadata.php:457
filter   wpseo_opengraph_desc                          includes\class-buying-buddy-metadata.php:458
filter   wpseo_opengraph_url                           includes\class-buying-buddy-metadata.php:459
filter   wpseo_twitter_title                           includes\class-buying-buddy-metadata.php:460
filter   wpseo_twitter_description                     includes\class-buying-buddy-metadata.php:461
filter   wpseo_twitter_image                           includes\class-buying-buddy-metadata.php:462
filter   wpseo_json_ld_output                          includes\class-buying-buddy-metadata.php:464
filter   wpseo_schema_graph                            includes\class-buying-buddy-metadata.php:465
filter   aioseo_schema_output                          includes\class-buying-buddy-metadata.php:475
filter   rank_math/title                               includes\class-buying-buddy-metadata.php:481
filter   rank_math/description                         includes\class-buying-buddy-metadata.php:482
filter   rank_math/opengraph/facebook/title            includes\class-buying-buddy-metadata.php:483
filter   rank_math/opengraph/facebook/description      includes\class-buying-buddy-metadata.php:484
filter   rank_math/opengraph/twitter/title             includes\class-buying-buddy-metadata.php:485
filter   rank_math/opengraph/twitter/description       includes\class-buying-buddy-metadata.php:486
filter   rank_math/json_ld                             includes\class-buying-buddy-metadata.php:488
filter   the_seo_framework_load                        includes\class-buying-buddy-metadata.php:495
filter   the_seo_framework_can_run                     includes\class-buying-buddy-metadata.php:496
filter   the_seo_framework_ldjson_scripts              includes\class-buying-buddy-metadata.php:499
filter   the_seo_framework_ldjson_enabled              includes\class-buying-buddy-metadata.php:500
filter   the_seo_framework_receive_json_data           includes\class-buying-buddy-metadata.php:501
filter   the_seo_framework_scripts_output              includes\class-buying-buddy-metadata.php:502
filter   wpengine_cache_should_cache                   includes\class-buying-buddy-public.php:122
filter   wpengine_purge_all_cache                      includes\class-buying-buddy-public.php:123
filter   do_rocket_generate_caching_files              includes\class-buying-buddy-public.php:126
filter   rocket_cache_reject_uri                       includes\class-buying-buddy-public.php:127
filter   w3tc_can_cache_page                           includes\class-buying-buddy-public.php:138
filter   autoptimize_filter_cache_create               includes\class-buying-buddy-public.php:146
filter   widget_text                                   includes\class-buying-buddy-public.php:440
filter   wpengine_cache_should_cache                   includes\class-buying-buddy-public.php:543
filter   do_rocket_generate_caching_files              includes\class-buying-buddy-public.php:544
filter   w3tc_can_cache_page                           includes\class-buying-buddy-public.php:545
action   wp_head                                       includes\class-buying-buddy-public.php:589
action   template_redirect                             includes\class-buying-buddy-public.php:655
filter   wpengine_cache_should_cache                   includes\class-buying-buddy-request.php:139
filter   do_rocket_generate_caching_files              includes\class-buying-buddy-request.php:140
filter   w3tc_can_cache_page                           includes\class-buying-buddy-request.php:141
action   admin_notices                                 includes\class-buying-buddy-request.php:267
action   wp_footer                                     includes\class-buying-buddy-request.php:308
filter   pre_set_site_transient_update_plugins         includes\class-buying-buddy-updater.php:79
filter   auto_update_plugin                            includes\class-buying-buddy-updater.php:82
action   admin_enqueue_scripts                         includes\class-buying-buddy.php:87
action   admin_enqueue_scripts                         includes\class-buying-buddy.php:88
action   admin_menu                                    includes\class-buying-buddy.php:89
action   admin_init                                    includes\class-buying-buddy.php:90
action   init                                          includes\class-buying-buddy.php:108
action   init                                          includes\class-buying-buddy.php:109
action   rest_api_init                                 includes\class-buying-buddy.php:110
action   wp_enqueue_scripts                            includes\class-buying-buddy.php:111
action   wp_enqueue_scripts                            includes\class-buying-buddy.php:112
action   plugins_loaded                                includes\class-buying-buddy.php:116
action   init                                          includes\class-buying-buddy.php:117
action   template_redirect                             includes\class-buying-buddy.php:118
action   template_redirect                             includes\class-buying-buddy.php:121
filter   pre_get_document_title                        includes\class-buying-buddy.php:124
filter   document_title_parts                          includes\class-buying-buddy.php:125
filter   wp_title                                      includes\class-buying-buddy.php:126
filter   the_title                                     includes\class-buying-buddy.php:127
action   wp_head                                       includes\class-buying-buddy.php:130
action   wp_head                                       includes\class-buying-buddy.php:133
action   template_redirect                             includes\class-buying-buddy.php:134
filter   wp_page_menu_args                             includes\class-buying-buddy.php:137
filter   the_content                                   includes\class-buying-buddy.php:140
action   wp_footer                                     includes\class-buying-buddy.php:141
Maintenance & Trust

Buying Buddy IDX CRM – Real Estate MLS Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: 7.0
Downloads: 16K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 400
Developer Profile

Buying Buddy IDX CRM – Real Estate MLS Plugin Developer Profile

Buying Buddy

1 plugin · 400 total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 94 days
Detection Fingerprints

How We Detect Buying Buddy IDX CRM – Real Estate MLS Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/buying-buddy-idx-crm/css/bootstrap-4.6.2.css
/wp-content/plugins/buying-buddy-idx-crm/css/buying-buddy-admin.css
/wp-content/plugins/buying-buddy-idx-crm/js/bootstrap.min.js
/wp-content/plugins/buying-buddy-idx-crm/js/clipboard-polyfill-4.0.0.js
/wp-content/plugins/buying-buddy-idx-crm/js/buying-buddy-admin-script.js

Script Paths
/wp-content/plugins/buying-buddy-idx-crm/js/bootstrap.min.js
/wp-content/plugins/buying-buddy-idx-crm/js/clipboard-polyfill-4.0.0.js
/wp-content/plugins/buying-buddy-idx-crm/js/buying-buddy-admin-script.js

Version Parameters
buying-buddy-idx-crm/css/bootstrap-4.6.2.css?ver=
buying-buddy-idx-crm/css/buying-buddy-admin.css?ver=
buying-buddy-idx-crm/js/bootstrap.min.js?ver=
buying-buddy-idx-crm/js/clipboard-polyfill-4.0.0.js?ver=
buying-buddy-idx-crm/js/buying-buddy-admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
buyingbuddy-settings
HTML Comments
<!-- START Buying Buddy Shortcode -->
<!-- END Buying Buddy Shortcode -->
Data Attributes
data-buying-buddy-map-lat
data-buying-buddy-map-lng
data-buying-buddy-map-zoom
data-buying-buddy-map-type
JS Globals
buying_buddy_php_vars
Shortcode Output
[buying_buddy_idx_crm]
FAQ

Frequently Asked Questions about Buying Buddy IDX CRM – Real Estate MLS Plugin