Does Flexmls® IDX Plugin have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Flexmls® IDX Plugin compatible with WordPress 7.1?

According to WordPress.org data, Flexmls® IDX Plugin 3.18 has been tested up to WordPress 7.1. Check the plugin's changelog for the latest compatibility information.

Is Flexmls® IDX Plugin compatible with PHP 7.4+?

Flexmls® IDX Plugin requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Flexmls® IDX Plugin updated?

Flexmls® IDX Plugin was last updated on Apr 8, 2026. Frequent updates are generally a positive security signal.

What is Flexmls® IDX Plugin's security score?

Flexmls® IDX Plugin has a WP-Safety security score of 89/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Flexmls® IDX Plugin Security & Risk Analysis

wordpress.org/plugins/flexmls-idx

Add Flexmls® IDX listings, market statistics, IDX searches, and a contact form on your web site.

1K active installs v3.18 PHP 7.4+ WP 5.0+ Updated Apr 8, 2026

flexmlsidxmls-search

A · Safe

CVEs total6

Unpatched0

Last CVEMar 16, 2026

Plugin page Download

Safety Verdict

Is Flexmls® IDX Plugin Safe to Use in 2026?

Generally Safe

Score 89/100

Flexmls® IDX Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

6 known CVEsLast CVE: Mar 16, 2026Updated 1mo ago

Risk Assessment

The flexmls-idx plugin exhibits a mixed security posture. While it demonstrates good practices in areas like the exclusive use of prepared statements for SQL queries and a notable absence of unpatched CVEs, significant concerns remain regarding its attack surface and output sanitization. The high number of AJAX handlers (14) with a substantial portion (12) lacking authentication checks presents a considerable risk. Furthermore, the taint analysis revealing flows with unsanitized paths, even if currently at a lower severity, is a warning sign that malicious input could potentially be processed without adequate validation.

The plugin's vulnerability history, despite having no currently unpatched CVEs, shows a pattern of past critical and medium severity issues, including Open Redirect, Deserialization, and Cross-site Scripting. This history suggests a recurring need for vigilant patching and careful code reviews. The lack of critical or high severity findings in the current static analysis is positive, but the 40% rate of properly escaped output remains a weakness, increasing the potential for stored or reflected XSS vulnerabilities if untrusted data is displayed without proper encoding.

In conclusion, the flexmls-idx plugin has strengths in its database query security and recent patch management. However, the significant number of unprotected AJAX endpoints and the identified unsanitized data flows are critical areas that require immediate attention. The past vulnerability types also indicate areas that developers should focus on for future code development and auditing. Addressing these weaknesses will be crucial for improving the overall security of the plugin.

Key Concerns

Unprotected AJAX handlers
Flows with unsanitized paths
Low rate of properly escaped output
Past critical CVEs in history
Past medium CVEs in history
Bundled TinyMCE library

Vulnerabilities

6 published

Flexmls® IDX Plugin Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

4 CVEs in 2025

2025

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Critical

Medium

Low

6 total CVEs

CVE-2026-25369medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Flexmls® IDX Plugin <= 3.15.9 - Reflected Cross-Site Scripting

Mar 16, 2026 Patched in 3.15.10 (4d)

CVE-2025-67585low · 3.4URL Redirection to Untrusted Site ('Open Redirect')

Flexmls® IDX <= 3.15.7 - Unauthenticated Open Redirect

Nov 29, 2025 Patched in 3.15.8 (13d)

CVE-2025-0863medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Flexmls® IDX <= 3.14.27 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 6, 2025 Patched in 3.14.29 (1d)

CVE-2025-26900critical · 9.8Deserialization of Untrusted Data

Flexmls® IDX <= 3.14.27 - Unauthenticated PHP Object Injection

Feb 22, 2025 Patched in 3.14.28 (10d)

CVE-2024-10552medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Flexmls® IDX Plugin <= 3.14.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via API parameters

Jan 24, 2025 Patched in 3.14.27 (1d)

CVE-2024-8719medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Flexmls® IDX Plugin <= 3.14.22 - Reflected Cross-Site Scripting

Oct 16, 2024 Patched in 3.14.23 (1d)

Version History

Flexmls® IDX Plugin Release Timeline

v3.18Current

v3.17

v3.16

v3.15.11

v3.15.91 CVE

CVE-2026-25369

v3.15.81 CVE

CVE-2026-25369

v3.15.72 CVEs

CVE-2026-25369 CVE-2025-67585

v3.15.62 CVEs

CVE-2026-25369 CVE-2025-67585

v3.15.52 CVEs

CVE-2026-25369 CVE-2025-67585

v3.15.42 CVEs

CVE-2026-25369 CVE-2025-67585

v3.15.32 CVEs

CVE-2026-25369 CVE-2025-67585

v3.15.22 CVEs

CVE-2026-25369 CVE-2025-67585

v3.15.12 CVEs

CVE-2026-25369 CVE-2025-67585

v3.152 CVEs

CVE-2026-25369 CVE-2025-67585

v3.14.302 CVEs

CVE-2026-25369 CVE-2025-67585

v3.14.292 CVEs

CVE-2026-25369 CVE-2025-67585

v3.14.283 CVEs

CVE-2025-0863 CVE-2026-25369 CVE-2025-67585

v3.14.274 CVEs

CVE-2025-0863 CVE-2025-26900 CVE-2026-25369 +1 more

v3.14.265 CVEs

CVE-2024-10552 CVE-2025-0863 CVE-2025-26900 +2 more

v3.14.255 CVEs

CVE-2024-10552 CVE-2025-0863 CVE-2025-26900 +2 more

Code Analysis

Analyzed Mar 16, 2026

Flexmls® IDX Plugin Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

560

373 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared4 total queries

Output Escaping

40% escaped933 total outputs

Data Flows · Security

4 unsanitized

Data Flow Analysis

8 flows4 with unsanitized paths

<fmcSearch> (pages\fmcSearch.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

12 unprotected

Flexmls® IDX Plugin Attack Surface

Entry Points18

Unprotected12

AJAX Handlers 14

authwp_ajax_fmcLeadGen_submitcomponents\lead-generation.php:22

noprivwp_ajax_fmcLeadGen_submitcomponents\lead-generation.php:23

authwp_ajax_fmcShortcodeContainerflexmls_connect.php:82

authwp_ajax_fmcLocationGeneratorflexmls_connect.php:83

authwp_ajax_tinymce_shortcodes_generateflexmls_connect.php:84

noprivwp_ajax_tinymce_shortcodes_generateflexmls_connect.php:85

authwp_ajax_fmcleadgen_shortcodeflexmls_connect.php:86

authwp_ajax_fmcleadgen_submitflexmls_connect.php:87

noprivwp_ajax_fmcleadgen_submitflexmls_connect.php:88

authwp_ajax_flexmls_connect_save_searchflexmls_connect.php:91

noprivwp_ajax_flexmls_connect_save_searchflexmls_connect.php:92

authwp_ajax_fmc_get_nginx_rulesflexmls_connect.php:95

authwp_ajax_fmcPortal_No_Thankspages\portal-popup.php:4

noprivwp_ajax_fmcPortal_No_Thankspages\portal-popup.php:5

Shortcodes 4

[lead_generation] components\lead-generation.php:19

[idx_frame] flexmls_connect.php:97

[lead_generation] flexmls_connect.php:98

[neighborhood_page] flexmls_connect.php:99

WordPress Hooks 81

actionadmin_noticesAdmin\Settings.php:284

actionadmin_noticesAdmin\Settings.php:294

actionshutdownAdmin\Settings.php:382

actionadmin_noticesAdmin\Settings.php:385

actionadmin_noticesAdmin\Settings.php:403

actionadmin_noticesAdmin\Settings.php:451

actionadmin_noticesAdmin\Settings.php:459

actionadmin_enqueue_scriptsflexmls_connect.php:70

actionadmin_print_footer_scriptsflexmls_connect.php:71

actionadmin_menuflexmls_connect.php:72

actionadmin_noticesflexmls_connect.php:73

actionflexmls_hourly_cache_cleanupflexmls_connect.php:74

actioninitflexmls_connect.php:75

actionparse_queryflexmls_connect.php:76

actionplugins_loadedflexmls_connect.php:77

actionplugins_loadedflexmls_connect.php:78

filterredirect_canonicalflexmls_connect.php:79

actionwidgets_initflexmls_connect.php:80

actionwp_enqueue_scriptsflexmls_connect.php:89

actionshutdownflexmls_connect.php:251

actionelementor/initflexmls_connect.php:587

actioninitflexmls_connect.php:612

actionwpflexmls_connect.php:615

actionwpflexmls_connect.php:616

actiondivi_extensions_initintegration\divi\divi.php:41

actionadmin_enqueue_scriptsintegration\divi\divi.php:42

actionelementor/editor/before_enqueue_stylesintegration\elementor\index.php:19

actionelementor/widgets/registerintegration\elementor\index.php:23

actionelementor/controls/controls_registeredintegration\elementor\index.php:128

actioninitintegration\wpbakery\components\VCE_component.php:15

actionadmin_noticesintegration\wpbakery\components\VCE_component.php:37

actioninitintegration\wpbakery\components\VCE_fmcAccount.php:8

actioninitintegration\wpbakery\components\VCE_fmcIDXLinksWidget.php:8

actioninitintegration\wpbakery\components\VCE_fmcLeadGen.php:10

actioninitintegration\wpbakery\components\VCE_fmcListingDetails.php:8

actioninitintegration\wpbakery\components\VCE_fmcLocationLinks.php:8

actioninitintegration\wpbakery\components\VCE_fmcMarketStats.php:10

actioninitintegration\wpbakery\components\VCE_fmcPhotos.php:8

actioninitintegration\wpbakery\components\VCE_fmcSearch.php:8

actioninitintegration\wpbakery\components\VCE_fmcSearchResults.php:8

actionadmin_enqueue_scriptsintegration\wpbakery\index.php:17

actionwp_enqueue_scriptsintegration\wpbakery\index.php:18

actionvc_mapper_init_beforeintegration\wpbakery\index.php:20

filterbody_classpages\full-page.php:54

filterwp_titlepages\full-page.php:55

filterpre_get_document_titlepages\full-page.php:56

filterthe_postpages\full-page.php:57

filterthe_contentpages\full-page.php:58

actionwp_headpages\full-page.php:73

filterpre_get_document_titlepages\full-page.php:83

filterwp_titlepages\full-page.php:84

filterthe_postpages\full-page.php:85

filterthe_contentpages\full-page.php:86

actionwp_headpages\full-page.php:101

filterwpseo_titlepages\listing-details.php:16

filterwpseo_canonicalpages\listing-details.php:17

filterwp_robotspages\listing-details.php:18

filterrank_math/frontend/canonicalpages\listing-details.php:21

filteraioseo_canonical_urlpages\listing-details.php:22

filterthe_seo_framework_meta_canonicalpages\listing-details.php:23

filterseopress_canonicalpages\listing-details.php:24

actionwp_headpages\listing-details.php:26

actionwp_headpages\listing-details.php:27

filterwpseo_frontend_presenterspages\listing-details.php:30

actionrank_math/headpages\listing-details.php:33

filteraioseo_facebook_tagspages\listing-details.php:36

filteraioseo_twitter_tagspages\listing-details.php:37

filterthe_seo_framework_og_outputpages\listing-details.php:43

filterjetpack_enable_open_graphpages\listing-details.php:46

actionwp_headpages\listing-details.php:61

actiontemplate_redirectpages\listing-details.php:1194

filterwpseo_canonicalpages\search-results.php:23

filterrank_math/frontend/canonicalpages\search-results.php:26

filteraioseo_canonical_urlpages\search-results.php:27

filterthe_seo_framework_meta_canonicalpages\search-results.php:28

filterseopress_canonicalpages\search-results.php:29

actionwp_headpages\search-results.php:62

filterflexmls_searchable_fieldspages\search-results.php:190

filterflexmls_searchable_fieldspages\search-results.php:268

actionadmin_noticesSparkAPI\Core.php:500

actionadmin_noticesSparkAPI\Core.php:809

Scheduled Events 1

flexmls_hourly_cache_cleanup

Maintenance & Trust

Flexmls® IDX Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested7.1

Last updatedApr 8, 2026

PHP min version7.4

Downloads138K

Community Trust

Rating70/100

Number of ratings22

Active installs1K

Alternatives

Flexmls® IDX Plugin Alternatives

IDXPro

idxpro

IDXPro is an MLS Search Application. It's designed to blend seamlessly into your website. Try it for free!

10 No CVEs

Estatik Real Estate Plugin

estatik

You will love its clean design, simple use, and colorful themes. WordPress real estate plugin Estatik is a worthy choice for single agents and portals …

10K 2 unpatched

Optima Express IDX

optima-express

100

Embed real estate property listings, market reports & MLS data on your WordPress site. Responsive design, great SEO & proven lead capture.

8K 1 CVE

IMPress for IDX Broker

idx-broker-platinum

IMPress for IDX Broker is now the IMPress family of plugins all-in-one. IMPress Listings and IMPress Agents have been consolidated with this already p …

7K 5 CVEs

Realtyna Organic IDX plugin + WPL Real Estate

real-estate-listing-realtyna-wpl

Your comprehensive solution for creating dynamic and feature-rich real estate websites on WordPress. Designed to cater to the diverse needs of real es …

2K 4 CVEs

Developer Profile

Flexmls® IDX Plugin Developer Profile

flexmls

1 plugin · 1K total installs

trust score

Avg Security Score

89/100

Avg Patch Time

5 days

View full developer profile

Detection Fingerprints

How We Detect Flexmls® IDX Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/flexmls-idx/css/fmc-styles.css/wp-content/plugins/flexmls-idx/js/fmc-scripts.js/wp-content/plugins/flexmls-idx/js/flexmls-connect.js/wp-content/plugins/flexmls-idx/js/jquery.sparkform.js/wp-content/plugins/flexmls-idx/js/jquery.fancybox.js/wp-content/plugins/flexmls-idx/js/tinymce_plugin.js/wp-content/plugins/flexmls-idx/js/lead-generation.js/wp-content/plugins/flexmls-idx/js/map-component.js+8 more

Script Paths

/wp-content/plugins/flexmls-idx/js/fmc-scripts.js/wp-content/plugins/flexmls-idx/js/flexmls-connect.js/wp-content/plugins/flexmls-idx/js/jquery.sparkform.js/wp-content/plugins/flexmls-idx/js/jquery.fancybox.js/wp-content/plugins/flexmls-idx/js/tinymce_plugin.js/wp-content/plugins/flexmls-idx/js/lead-generation.js+3 more

Version Parameters

flexmls-idx/css/fmc-styles.css?ver=flexmls-idx/js/fmc-scripts.js?ver=flexmls-idx/js/flexmls-connect.js?ver=flexmls-idx/js/jquery.sparkform.js?ver=flexmls-idx/js/jquery.fancybox.js?ver=flexmls-idx/js/tinymce_plugin.js?ver=flexmls-idx/js/lead-generation.js?ver=flexmls-idx/js/map-component.js?ver=flexmls-idx/js/search-results-pagination.js?ver=flexmls-idx/js/settings.js?ver=flexmls-idx/css/widget.css?ver=flexmls-idx/css/search-results.css?ver=flexmls-idx/css/listing-details.css?ver=flexmls-idx/css/neighborhood.css?ver=flexmls-idx/css/map-component.css?ver=flexmls-idx/css/lead-generation.css?ver=

HTML / DOM Fingerprints

CSS Classes

fmc-widgetflexmls-idxfmc-listing-search-widgetfmc-search-formfmc-lead-gen-widgetfmc-lead-formfmc-map-componentfmc-listing-details+1 more

HTML Comments

+3 more

Data Attributes

data-fmc-api-keydata-fmc-map-latitudedata-fmc-map-longitudedata-fmc-map-zoom

JS Globals

fmc_varsFlexMLS_Connect

REST Endpoints

/wp-json/flexmls-idx/v1/search/wp-json/flexmls-idx/v1/listing/wp-json/flexmls-idx/v1/neighborhood

Shortcode Output

[idx_frame][lead_generation][neighborhood_page]

FAQ

Flexmls® IDX Plugin Security & Risk Analysis

Is Flexmls® IDX Plugin Safe to Use in 2026?

Generally Safe

Key Concerns

Flexmls® IDX Plugin Security Vulnerabilities

CVEs by Year

Severity Breakdown

Flexmls® IDX Plugin Release Timeline

Flexmls® IDX Plugin Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Flexmls® IDX Plugin Attack Surface

AJAX Handlers 14

Shortcodes 4

Scheduled Events 1

Flexmls® IDX Plugin Maintenance & Trust

Maintenance Signals

Community Trust

Flexmls® IDX Plugin Alternatives

IDXPro

Estatik Real Estate Plugin

Optima Express IDX

IMPress for IDX Broker

Realtyna Organic IDX plugin + WPL Real Estate

Flexmls® IDX Plugin Developer Profile

How We Detect Flexmls® IDX Plugin

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Flexmls® IDX Plugin