Houzez Property Feed Security & Risk Analysis

wordpress.org/plugins/houzez-property-feed

Automatically import properties to Houzez from estate agency CRMs and export to portals

1K active installs v2.5.42 PHP + WP 3.8+ Updated Feb 23, 2026
Tags: houzez, houzez-import-property, property-export, property-import, real-estate
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 29, 2025
Safety Verdict

Is Houzez Property Feed Safe to Use in 2026?

Generally Safe

Score 98/100

Houzez Property Feed has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 29, 2025 · Updated 1mo ago
Risk Assessment

The houzez-property-feed v2.5.42 plugin exhibits a mixed security posture. While it demonstrates some good security practices such as a high percentage of SQL queries using prepared statements and a substantial number of output escaping routines, significant concerns remain. The presence of 8 AJAX handlers, with a concerning 3 lacking authentication checks, presents a direct attack vector. Furthermore, 27 out of 43 analyzed data flows had unsanitized paths, with 12 flagged as high severity, indicating potential risks such as path traversal or injection vulnerabilities that could be exploited by an attacker.

The plugin's vulnerability history, with 2 known CVEs (a past high-severity path traversal and a CSRF vulnerability), suggests a recurring pattern of exploitable weaknesses. There are currently no unpatched vulnerabilities, but the history of these issue types, together with the static analysis findings of unsanitized paths and insecure AJAX endpoints, warrants caution. Prepared statements and output escaping are real strengths, but the identified vulnerabilities and critical data flow issues create a notable risk profile that requires attention.

Key Concerns

  • 3 unprotected AJAX handlers
  • 12 high severity taint flows (unsanitized paths)
  • History of Path Traversal vulnerability
  • History of CSRF vulnerability
  • 27 flows with unsanitized paths
  • Only 1 capability check identified
  • 2 dangerous functions (exec, unserialize)
Vulnerabilities
2

Houzez Property Feed Security Vulnerabilities

CVEs by Year

2 CVEs in 2025

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-30793 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Houzez Property Feed <= 2.5.4 - Unauthenticated Arbitrary File Download

Mar 29, 2025 · Patched in 2.5.5 (11d)

CVE-2025-0808 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Houzez Property Feed <= 2.4.21 - Cross-Site Request Forgery to Property Feed Export Deletion

Feb 11, 2025 · Patched in 2.4.22 (4d)
Code Analysis
Analyzed Mar 16, 2026

Houzez Property Feed Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 21 (85 prepared)
Unescaped Output: 224 (583 escaped)
Nonce Checks: 15
Capability Checks: 1
File Operations: 195
External Requests: 114
Bundled Libraries: 1

Dangerous Functions Found

exec · exec($command); · cron-import.php:420
exec · exec($command); · cron-import.php:526
exec · exec($command); · includes\class-houzez-property-feed-ajax.php:598
unserialize · elseif ( @unserialize($data) !== false ) · includes\class-houzez-property-feed-ajax.php:626
unserialize · return unserialize($data); · includes\class-houzez-property-feed-ajax.php:628
exec · exec("which wget", $output, $result); · includes\views\admin-settings-import-settings-advanced.php:52

Bundled Libraries

Select2

SQL Query Safety

80% prepared · 106 total queries

Output Escaping

72% escaped · 807 total outputs
Data Flows
27 unsanitized

Data Flow Analysis

25 flows · 27 with unsanitized paths
<download> (download.php:0)
Attack Surface
3 unprotected

Houzez Property Feed Attack Surface

Entry Points: 8
Unprotected: 3

AJAX Handlers 8

auth · wp_ajax_houzez_property_feed_fetch_xml_nodes · includes\class-houzez-property-feed-ajax.php:14
auth · wp_ajax_houzez_property_feed_fetch_csv_fields · includes\class-houzez-property-feed-ajax.php:16
auth · wp_ajax_houzez_property_feed_draw_automatic_imports_table · includes\class-houzez-property-feed-ajax.php:18
auth · wp_ajax_houzez_property_feed_get_running_status · includes\class-houzez-property-feed-ajax.php:20
auth · wp_ajax_houzez_property_feed_import_properties_batch · includes\class-houzez-property-feed-ajax.php:22
nopriv · wp_ajax_houzez_property_feed_import_properties_batch · includes\class-houzez-property-feed-ajax.php:23
auth · wp_ajax_houzez_property_feed_import_import · includes\class-houzez-property-feed-ajax.php:25
auth · wp_ajax_houzez_property_feed_test_property_import_details · includes\class-houzez-property-feed-ajax.php:27
WordPress Hooks 64
action · admin_notices · includes\class-houzez-property-feed-admin.php:14
action · admin_init · includes\class-houzez-property-feed-admin.php:16
filter · houzez_admin_sub_menus · includes\class-houzez-property-feed-admin.php:18
action · admin_enqueue_scripts · includes\class-houzez-property-feed-admin.php:22
action · admin_enqueue_scripts · includes\class-houzez-property-feed-admin.php:23
action · restrict_manage_posts · includes\class-houzez-property-feed-admin.php:25
filter · request · includes\class-houzez-property-feed-admin.php:26
action · admin_init · includes\class-houzez-property-feed-cron.php:14
action · admin_init · includes\class-houzez-property-feed-cron.php:15
action · admin_init · includes\class-houzez-property-feed-cron.php:17
filter · cron_schedules · includes\class-houzez-property-feed-cron.php:19
action · houzezpropertyfeedcronhook · includes\class-houzez-property-feed-cron.php:21
action · houzezpropertyfeedcronhook · includes\class-houzez-property-feed-cron.php:22
action · houzez_record_activities · includes\class-houzez-property-feed-export-enquiries.php:14
action · admin_init · includes\class-houzez-property-feed-export.php:14
action · admin_init · includes\class-houzez-property-feed-export.php:16
action · admin_init · includes\class-houzez-property-feed-export.php:18
action · admin_init · includes\class-houzez-property-feed-export.php:20
filter · houzez_property_feed_export_property_data · includes\class-houzez-property-feed-export.php:22
action · admin_init · includes\class-houzez-property-feed-import.php:14
action · admin_init · includes\class-houzez-property-feed-import.php:16
action · admin_init · includes\class-houzez-property-feed-import.php:18
action · admin_init · includes\class-houzez-property-feed-import.php:20
action · admin_init · includes\class-houzez-property-feed-import.php:22
action · houzez_property_feed_property_imported · includes\class-houzez-property-feed-import.php:24
action · houzez_property_feed_property_imported · includes\class-houzez-property-feed-import.php:25
action · houzez_property_feed_property_imported · includes\class-houzez-property-feed-import.php:26
filter · houzez_property_feed_xml_mapped_field_value · includes\class-houzez-property-feed-import.php:28
filter · houzez_property_feed_csv_mapped_field_value · includes\class-houzez-property-feed-import.php:29
action · add_meta_boxes · includes\class-houzez-property-feed-import.php:31
action · houzez_property_feed_post_import_properties · includes\class-houzez-property-feed-import.php:33
action · houzez_property_feed_property_imported · includes\class-houzez-property-feed-import.php:35
action · houzez_property_feed_property_imported · includes\class-houzez-property-feed-import.php:36
action · added_post_meta · includes\class-houzez-property-feed-import.php:1385
action · updated_post_meta · includes\class-houzez-property-feed-import.php:1386
action · admin_init · includes\class-houzez-property-feed-install.php:22
action · admin_init · includes\class-houzez-property-feed-install.php:23
filter · houzez_property_feed_pro_active · includes\class-houzez-property-feed-license.php:16
filter · houzez_property_feed_pro_status · includes\class-houzez-property-feed-license.php:18
action · admin_init · includes\class-houzez-property-feed-license.php:20
action · init · includes\class-houzez-property-feed-redirect.php:15
action · init · includes\class-houzez-property-feed-redirect.php:16
action · admin_init · includes\class-houzez-property-feed-settings.php:14
action · admin_init · includes\class-houzez-property-feed-settings.php:16
action · wpml_loaded · includes\class-houzez-property-feed-wpml.php:16
filter · houzez_property_feed_export_kyero_property_data · includes\class-houzez-property-feed-wpml.php:24
action · pre_get_posts · includes\class-houzez-property-feed-wpml.php:25
action · houzez_property_feed_export_cron_end · includes\class-houzez-property-feed-wpml.php:26
action · save_post · includes\export-formats\class-houzez-property-feed-format-rtdf.php:20
filter · houzez_before_submit_property · includes\export-formats\class-houzez-property-feed-format-rtdf.php:22
filter · houzez_before_update_property · includes\export-formats\class-houzez-property-feed-format-rtdf.php:23
action · houzez_after_property_submit · includes\export-formats\class-houzez-property-feed-format-rtdf.php:25
action · houzez_after_property_update · includes\export-formats\class-houzez-property-feed-format-rtdf.php:26
action · houzez_property_feed_push_all · includes\export-formats\class-houzez-property-feed-format-rtdf.php:28
action · save_post · includes\export-formats\class-houzez-property-feed-format-zoopla.php:20
filter · houzez_before_submit_property · includes\export-formats\class-houzez-property-feed-format-zoopla.php:22
filter · houzez_before_update_property · includes\export-formats\class-houzez-property-feed-format-zoopla.php:23
action · houzez_after_property_submit · includes\export-formats\class-houzez-property-feed-format-zoopla.php:25
action · houzez_after_property_update · includes\export-formats\class-houzez-property-feed-format-zoopla.php:26
action · houzezpropertyfeedreconcilecronhook · includes\export-formats\class-houzez-property-feed-format-zoopla.php:28
action · houzez_property_feed_push_all · includes\export-formats\class-houzez-property-feed-format-zoopla.php:30
filter · houzez_property_feed_remove_old_properties · includes\import-formats\class-houzez-property-feed-format-mls-grid.php:25
filter · houzez_property_feed_remove_old_properties · includes\import-formats\class-houzez-property-feed-format-propctrl.php:31
action · houzez_property_feed_property_removed · includes\import-formats\class-houzez-property-feed-format-propctrl.php:33

Scheduled Events 6

houzezpropertyfeedcronhook
houzezpropertyfeedreconcilecronhook
houzezpropertyfeeddeleteoldattachments
houzezpropertyfeedcronhook
houzezpropertyfeedreconcilecronhook
houzezpropertyfeeddeleteoldattachments
Maintenance & Trust

Houzez Property Feed Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 23, 2026
PHP min version
Downloads: 49K

Community Trust

Rating: 94/100
Number of ratings: 11
Active installs: 1K
Developer Profile

Houzez Property Feed Developer Profile

Property Hive

8 plugins · 7K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 218 days
Detection Fingerprints

How We Detect Houzez Property Feed

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/houzez-property-feed/admin/css/houzez-property-feed-admin.css
  • /wp-content/plugins/houzez-property-feed/admin/js/houzez-property-feed-admin.js
  • /wp-content/plugins/houzez-property-feed/includes/css/jquery.fileuploader.css
  • /wp-content/plugins/houzez-property-feed/includes/js/jquery.fileuploader.min.js
  • /wp-content/plugins/houzez-property-feed/includes/js/houzez-property-feed-main.js
  • /wp-content/plugins/houzez-property-feed/includes/js/houzez-property-feed-settings.js
  • /wp-content/plugins/houzez-property-feed/includes/js/houzez-property-feed-import.js

Script Paths

  • admin/js/houzez-property-feed-admin.js
  • includes/js/jquery.fileuploader.min.js
  • includes/js/houzez-property-feed-main.js
  • includes/js/houzez-property-feed-settings.js
  • includes/js/houzez-property-feed-import.js

Version Parameters

  • houzez-property-feed/admin/css/houzez-property-feed-admin.css?ver=
  • houzez-property-feed/admin/js/houzez-property-feed-admin.js?ver=
  • houzez-property-feed/includes/css/jquery.fileuploader.css?ver=
  • houzez-property-feed/includes/js/jquery.fileuploader.min.js?ver=
  • houzez-property-feed/includes/js/houzez-property-feed-main.js?ver=
  • houzez-property-feed/includes/js/houzez-property-feed-settings.js?ver=
  • houzez-property-feed/includes/js/houzez-property-feed-import.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • hpf-upload-file-wrap
  • hpf-fileuploader
  • hpf-upload-btn
  • hpf-import-settings
  • hpf-import-wrapper
  • houzez-property-feed-settings

HTML Comments

  • <!-- Houzez Property Feed -->
  • <!-- HOUZEZ PROPERTY FEED IMPORT SECTION -->
  • <!-- HOUZEZ PROPERTY FEED EXPORT SECTION -->

Data Attributes

  • data-hpf-feed-id
  • data-hpf-feed-slug

JS Globals

  • houzez_property_feed_params
  • houzez_property_feed_settings_params
  • houzez_property_feed_import_params

REST Endpoints

  • /wp-json/hpf/v1/get-feeds
  • /wp-json/hpf/v1/save-feed
  • /wp-json/hpf/v1/delete-feed
  • /wp-json/hpf/v1/import-feed
FAQ

Frequently Asked Questions about Houzez Property Feed