immonex Kickstart Security & Risk Analysis

wordpress.org/plugins/immonex-kickstart

Essential components and add-on framework for embedding and searching/filtering imported OpenImmo-XML-based real estate offers

300 active installs · v1.15.4 · PHP 7.4+ · WP 5.5+ · Updated Apr 3, 2026
Tags: immobilien, immomakler, import, openimmo, realestate
Score: 96 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Feb 5, 2026
Safety Verdict

Is immonex Kickstart Safe to Use in 2026?

Generally Safe

Score 96/100

immonex Kickstart has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Feb 5, 2026 · Updated 1mo ago
Risk Assessment

The "immonex-kickstart" v1.14.7 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to secure coding practices, with all SQL queries using prepared statements and a good percentage of output being properly escaped. There are no identified file operations or external HTTP requests, and the entry points (shortcodes) are manageable in number and appear to have some level of authorization, as indicated by the presence of capability checks. Taint analysis also shows no critical or high-severity unsanitized flows, which is a very positive sign.

However, the presence of the `unserialize` function is a significant concern. While not directly flagged in taint analysis for this specific version, it's a known vector for remote code execution if not handled with extreme care, especially when dealing with user-supplied data. The absence of nonce checks on the identified entry points (shortcodes) is also a notable weakness, potentially opening the door to Cross-Site Request Forgery (CSRF) attacks if these shortcodes perform actions that can be triggered by unauthorized users.

The plugin's vulnerability history, particularly a past high-severity "PHP Remote File Inclusion" (RFI) vulnerability, is a red flag. Although there are no currently unpatched vulnerabilities, this historical pattern suggests that the plugin has had critical security flaws in the past. Developers should be vigilant about securing all input sources, especially those related to file operations or dynamic content loading, to prevent similar RFI issues from recurring. The overall security posture is decent due to strong SQL and output handling, but the potential risks from `unserialize` and the historical RFI vulnerability necessitate caution.

Key Concerns

  • Dangerous function 'unserialize' present
  • No nonce checks on entry points
  • Past high severity RFI vulnerability
Vulnerabilities
2 published

immonex Kickstart Security Vulnerabilities

CVEs by Year

2025: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2026-31918 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

immonex Kickstart <= 1.13.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 5, 2026 Patched in 1.13.4 (70d)
CVE-2025-58637 · high · 8.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

immonex Kickstart <= 1.11.6 - Authenticated (Contributor+) Local File Inclusion

Sep 3, 2025 Patched in 1.11.13 (9d)
Version History

immonex Kickstart Release Timeline

v1.15.4 (Current)
v1.15.1
v1.15.0
v1.14.7
v1.13.4
v1.12.29 (1 CVE)
v1.11.17 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

immonex Kickstart Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (10 prepared)
Unescaped Output: 121 (335 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$meta = @unserialize( $result['meta_value'] );` (includes\class-data-access-helper.php:193)

SQL Query Safety

100% prepared · 10 total queries

Output Escaping

73% escaped · 456 total outputs
Attack Surface

immonex Kickstart Attack Surface

Entry Points: 8
Unprotected: 0

Shortcodes 8

[inx-filters-sort] includes\class-property-filters-sort-hooks.php:60
[inx-property-details] includes\class-property-hooks.php:126
[inx-property-detail-element] includes\class-property-hooks.php:127
[inx-property-featured-image] includes\class-property-hooks.php:128
[inx-property-list] includes\class-property-list-hooks.php:71
[inx-pagination] includes\class-property-list-hooks.php:72
[inx-property-map] includes\class-property-map-hooks.php:53
[inx-search-form] includes\class-property-search-hooks.php:60
WordPress Hooks 138
filter inx_get_author_query includes\class-api-hooks.php:54
filter inx_merge_queries includes\class-api-hooks.php:55
filter inx_list_string_to_array includes\class-api-hooks.php:56
filter inx_get_custom_field_value_by_name includes\class-api-hooks.php:62
filter inx_get_query_var_value includes\class-api-hooks.php:63
filter inx_get_group_items includes\class-api-hooks.php:64
filter inx_get_flex_items includes\class-api-hooks.php:65
filter inx_is_property_list_page includes\class-api-hooks.php:66
filter inx_is_property_details_page includes\class-api-hooks.php:67
filter inx_is_property_tax_archive includes\class-api-hooks.php:68
filter inx_get_option_value includes\class-api-hooks.php:69
filter inx_format includes\class-api-hooks.php:71
action immonex_oi2wp_property_imported includes\class-cache.php:65
action immonex_oi2wp_import_zip_file_processed includes\class-cache.php:67
action wp_head includes\class-document-head.php:39
action wp_head includes\class-document-head.php:40
filter inx_dynamic_css_scopes includes\class-dynamic-css.php:55
filter inx_dynamic_css_global includes\class-dynamic-css.php:56
filter inx_dynamic_css_property_details includes\class-dynamic-css.php:57
filter inx_the_content includes\class-format-helper.php:48
filter inx_the_content includes\class-format-helper.php:50
filter inx_the_content includes\class-format-helper.php:51
filter inx_the_content includes\class-format-helper.php:52
filter inx_the_content includes\class-format-helper.php:53
filter inx_the_content includes\class-format-helper.php:54
filter inx_the_content includes\class-format-helper.php:55
filter inx_the_content includes\class-format-helper.php:56
filter inx_the_content includes\class-format-helper.php:57
filter inx_the_content includes\class-format-helper.php:58
filter inx_the_content includes\class-format-helper.php:59
filter inx_the_content_noautop includes\class-format-helper.php:62
filter inx_the_content_noautop includes\class-format-helper.php:64
filter inx_the_content_noautop includes\class-format-helper.php:65
filter inx_the_content_noautop includes\class-format-helper.php:66
filter inx_the_content_noautop includes\class-format-helper.php:67
filter inx_the_content_noautop includes\class-format-helper.php:68
filter inx_the_content_noautop includes\class-format-helper.php:69
filter inx_the_content_noautop includes\class-format-helper.php:70
filter inx_the_content_noautop includes\class-format-helper.php:71
filter inx_special_query_vars includes\class-kickstart.php:215
filter inx_auto_applied_rendering_atts includes\class-kickstart.php:235
filter inx_apply_auto_rendering_atts includes\class-kickstart.php:236
filter inxkick_enable_property_cache includes\class-kickstart.php:558
filter inxkick_enable_map_marker_cache includes\class-kickstart.php:559
filter inx_remove_outdated_plugin_options includes\class-legacy-compat.php:32
filter inx_options_after_activation includes\class-legacy-compat.php:33
action immonex_oi2wp_property_imported includes\class-openimmo2wp-compat.php:32
filter inx_element_translation_id includes\class-polylang-compat.php:52
filter inx_element_language includes\class-polylang-compat.php:53
filter inx_is_translated_post_type includes\class-polylang-compat.php:54
filter pll_the_language_link includes\class-polylang-compat.php:56
action inx_rest_set_query_language includes\class-polylang-compat.php:58
filter cmb2_meta_box_url includes\class-property-backend-form.php:33
action cmb2_admin_init includes\class-property-backend-form.php:36
filter cmb2_override__inx_gallery_images_meta_value includes\class-property-backend-form.php:39
filter cmb2_override__inx_floor_plans_meta_value includes\class-property-backend-form.php:40
filter cmb2_override__inx_file_attachments_meta_value includes\class-property-backend-form.php:41
action wp_print_footer_scripts includes\class-property-component-hooks.php:52
filter paginate_links includes\class-property-component-hooks.php:54
action pre_get_posts includes\class-property-filters-sort-hooks.php:46
filter posts_orderby includes\class-property-filters-sort-hooks.php:48
action inx_render_property_filters_sort includes\class-property-filters-sort-hooks.php:54
action send_headers includes\class-property-hooks.php:63
filter template_include includes\class-property-hooks.php:67
filter single_template includes\class-property-hooks.php:70
filter archive_template includes\class-property-hooks.php:71
filter pre_get_document_title includes\class-property-hooks.php:72
filter document_title_parts includes\class-property-hooks.php:73
filter the_title includes\class-property-hooks.php:74
filter get_post_metadata includes\class-property-hooks.php:75
filter post_thumbnail_id includes\class-property-hooks.php:76
filter get_canonical_url includes\class-property-hooks.php:77
filter pre_get_shortlink includes\class-property-hooks.php:78
filter body_class includes\class-property-hooks.php:79
filter shortcode_atts_gallery includes\class-property-hooks.php:80
filter request includes\class-property-hooks.php:91
action immonex_oi2wp_import_zip_file_processed includes\class-property-hooks.php:98
action inx_render_property_contents includes\class-property-hooks.php:104
filter inx_get_property_template_data includes\class-property-hooks.php:106
filter inx_get_property_images includes\class-property-hooks.php:107
filter inx_get_property_files includes\class-property-hooks.php:108
filter inx_get_property_links includes\class-property-hooks.php:109
filter inx_get_property_detail_item includes\class-property-hooks.php:110
filter inx_current_property_post_id includes\class-property-hooks.php:111
filter inx_property_template_data_details includes\class-property-hooks.php:112
filter inx_property_detail_element_output includes\class-property-hooks.php:113
filter inx_has_detail_view includes\class-property-hooks.php:114
filter elementor/theme/need_override_location includes\class-property-hooks.php:120
filter get_post_metadata includes\class-property-hooks.php:326
filter get_the_archive_title includes\class-property-list-hooks.php:44
filter body_class includes\class-property-list-hooks.php:45
filter request includes\class-property-list-hooks.php:48
action inx_render_property_list includes\class-property-list-hooks.php:55
action inx_render_pagination includes\class-property-list-hooks.php:56
filter inx_get_properties includes\class-property-list-hooks.php:58
filter inx_add_special_vars_from_post_meta includes\class-property-list-hooks.php:59
filter elementor/theme/need_override_location includes\class-property-list-hooks.php:65
action inx_render_property_map includes\class-property-map-hooks.php:44
filter inx_get_property_map_markers includes\class-property-map-hooks.php:47
action pre_get_posts includes\class-property-search-hooks.php:44
action inx_render_property_search_form includes\class-property-search-hooks.php:50
action inx_render_property_search_form_element includes\class-property-search-hooks.php:51
filter inx_get_search_form_elements includes\class-property-search-hooks.php:54
filter inx_required_property_custom_field_defaults includes\class-property-search.php:60
filter inx_search_form_elements includes\class-property-search.php:137
action rest_api_init includes\class-rest-api.php:45
filter inx_enable_doc_head_buffering includes\class-sharing-generic.php:26
filter inx_doc_head_contents includes\class-sharing-generic.php:27
filter inx_enable_doc_head_buffering includes\class-sharing-open-graph.php:38
filter inx_doc_head_contents includes\class-sharing-open-graph.php:39
filter inx_enable_doc_head_buffering includes\class-sharing-x.php:32
filter inx_doc_head_contents includes\class-sharing-x.php:33
filter wp_kses_allowed_html includes\class-structured-data-hooks.php:56
filter inx_enable_doc_head_buffering includes\class-structured-data-hooks.php:62
filter inx_doc_head_contents includes\class-structured-data-hooks.php:63
action inx_before_render_property_list_item includes\class-structured-data-hooks.php:69
action inx_after_render_property_list includes\class-structured-data-hooks.php:70
filter inx_get_property_schema_data includes\class-structured-data-hooks.php:73
filter inx_user_consent_contents includes\class-user-consent.php:48
filter inx_get_user_consent_content includes\class-user-consent.php:49
action admin_menu includes\class-wp-bootstrap.php:58
action init includes\class-wp-bootstrap.php:59
action init includes\class-wp-bootstrap.php:60
action init includes\class-wp-bootstrap.php:61
action widgets_init includes\class-wp-bootstrap.php:62
filter request includes\class-wp-bootstrap.php:82
filter parent_file includes\class-wp-bootstrap.php:83
filter body_class includes\class-wp-bootstrap.php:84
filter inx_get_post_types includes\class-wp-bootstrap.php:86
filter inx_get_taxonomies includes\class-wp-bootstrap.php:87
filter inx_element_translation_id includes\class-wpml-compat.php:52
filter inx_element_language includes\class-wpml-compat.php:53
filter inx_translated_slug includes\class-wpml-compat.php:54
filter inx_is_translated_post_type includes\class-wpml-compat.php:55
filter inx_page_list_all_languages includes\class-wpml-compat.php:56
filter icl_ls_languages includes\class-wpml-compat.php:58
action inx-rest-set-query-language includes\class-wpml-compat.php:60
action tgmpa_register tgmpa.php:12
Maintenance & Trust

immonex Kickstart Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 3, 2026
PHP min version: 7.4
Downloads: 18K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 300
Developer Profile

immonex Kickstart Developer Profile

immonex

3 plugins · 500 total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 28 days
Detection Fingerprints

How We Detect immonex Kickstart

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/immonex-kickstart/css/admin/meta.css
/wp-content/plugins/immonex-kickstart/css/admin/styles.css
/wp-content/plugins/immonex-kickstart/css/frontend/gallery-slider.css
/wp-content/plugins/immonex-kickstart/css/frontend/immonex-kickstart.css
/wp-content/plugins/immonex-kickstart/css/frontend/map-styles.css
/wp-content/plugins/immonex-kickstart/css/frontend/property-list.css
/wp-content/plugins/immonex-kickstart/css/frontend/property-search.css
/wp-content/plugins/immonex-kickstart/css/frontend/property-view.css
+15 more
Generator Patterns
immonex Kickstart
Script Paths
/wp-content/plugins/immonex-kickstart/js/admin/editor-extensions.js
/wp-content/plugins/immonex-kickstart/js/admin/meta.js
/wp-content/plugins/immonex-kickstart/js/admin/settings.js
/wp-content/plugins/immonex-kickstart/js/frontend/gallery-slider.js
/wp-content/plugins/immonex-kickstart/js/frontend/inline-styles.js
/wp-content/plugins/immonex-kickstart/js/frontend/map-init.js
+7 more
Version Parameters
immonex-kickstart/css/admin/meta.css?ver=
immonex-kickstart/css/admin/styles.css?ver=
immonex-kickstart/css/frontend/gallery-slider.css?ver=
immonex-kickstart/css/frontend/immonex-kickstart.css?ver=
immonex-kickstart/css/frontend/map-styles.css?ver=
immonex-kickstart/css/frontend/property-list.css?ver=
immonex-kickstart/css/frontend/property-search.css?ver=
immonex-kickstart/css/frontend/property-view.css?ver=
immonex-kickstart/css/frontend/share-buttons.css?ver=
immonex-kickstart/css/frontend/slider.css?ver=
immonex-kickstart/js/admin/editor-extensions.js?ver=
immonex-kickstart/js/admin/meta.js?ver=
immonex-kickstart/js/admin/settings.js?ver=
immonex-kickstart/js/frontend/gallery-slider.js?ver=
immonex-kickstart/js/frontend/inline-styles.js?ver=
immonex-kickstart/js/frontend/map-init.js?ver=
immonex-kickstart/js/frontend/property-list.js?ver=
immonex-kickstart/js/frontend/property-search.js?ver=
immonex-kickstart/js/frontend/property-view.js?ver=
immonex-kickstart/js/frontend/share-buttons.js?ver=
immonex-kickstart/js/frontend/slider.js?ver=
immonex-kickstart/js/frontend/sticky-element.js?ver=
immonex-kickstart/js/frontend/virtual-tour-init.js?ver=

HTML / DOM Fingerprints

CSS Classes
inx-gallery-slider
inx-gallery-thumb-container
inx-gallery-thumb-wrapper
inx-gallery-main-image-container
inx-gallery-main-image-wrapper
inx-gallery-image-loader
inx-gallery-image-nav-button
inx-gallery-slide-nav-button
+20 more
HTML Comments
<!-- Begin: immonex_kickstart: Gallery Slider -->
<!-- End: immonex_kickstart: Gallery Slider -->
<!-- Begin: immonex_kickstart: Map -->
<!-- End: immonex_kickstart: Map -->
+12 more
Data Attributes
data-inx-property-id
data-inx-gallery-images
data-inx-gallery-settings
data-inx-map-lat
data-inx-map-lng
data-inx-map-zoom
+3 more
JS Globals
window.inxGallerySlider
window.inxMapInit
window.inxPropertySearch
window.inxShareButtons
window.inxSlider
Shortcode Output
[immonex_kickstart_gallery]
[immonex_kickstart_map]
[immonex_kickstart_property_list]
[immonex_kickstart_property_search]
FAQ

Frequently Asked Questions about immonex Kickstart