immonex Kickstart Team Security & Risk Analysis

wordpress.org/plugins/immonex-kickstart-team

immonex Kickstart add-on for handling, linking and embedding OpenImmo-XML-based real estate agent/agency information and contact forms

200 active installs · v1.8.3 · PHP 7.4+ · WP 5.5+ · Updated Feb 11, 2026
Tags: agent, immobilien, immobilienmakler, openimmo, realestate
Score: 98 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is immonex Kickstart Team Safe to Use in 2026?

Generally Safe

Score 98/100

immonex Kickstart Team has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Sep 22, 2025 · Updated 1mo ago
Risk Assessment

The "immonex-kickstart-team" plugin version 1.8.3 demonstrates several positive security practices: all SQL queries use prepared statements, and capability checks and nonce checks are present. Static analysis shows a relatively small attack surface with no unprotected entry points (AJAX handlers, REST API routes). Taint analysis found no flows, indicating no obvious paths for untrusted data to reach sensitive operations. However, the vulnerability history is a significant concern: it lists a past high-severity "PHP Remote File Inclusion" (RFI) vulnerability, CVE-2025-57925, which the CVE entry describes as an authenticated (Contributor+) local file inclusion. No CVEs are currently unpatched, but file inclusion vulnerabilities of this kind can lead to severe compromise if similar weaknesses are reintroduced. The code also escapes only a low percentage of its output (26% of 231 outputs), which could lead to Cross-Site Scripting (XSS) vulnerabilities, especially if untrusted data reaches these outputs. File operations without clear sanitization could also be a vector if not handled carefully.

In conclusion, while the plugin has strengths in its SQL handling and entry point protection, the historical RFI vulnerability and the high proportion of unescaped output are significant weaknesses that warrant careful consideration. The absence of RFI in the current analysis is positive, but the historical pattern combined with potential XSS vectors creates a moderate risk profile. Continued vigilance and thorough code reviews for any updates are recommended.

Key Concerns

  • High severity RFI vulnerability in history
  • Low percentage of properly escaped output
  • Uncertainty regarding file operation sanitization
Vulnerabilities: 1

immonex Kickstart Team Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

High: 1

1 total CVE

CVE-2025-57925 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

immonex Kickstart Team <= 1.6.9 - Authenticated (Contributor+) Local File Inclusion

Sep 22, 2025 Patched in 1.7.0 (5d)
Code Analysis
Analyzed Mar 16, 2026

immonex Kickstart Team Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 171 (60 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 8
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

26% escaped · 231 total outputs
Attack Surface

immonex Kickstart Team Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes 3

[inx-team-agency] includes\class-agency-hooks.php:82
[inx-team-agent] includes\class-agent-hooks.php:95
[inx-team-contact-form-confirmation-message] includes\class-contact-form-hooks.php:65
WordPress Hooks 61
action cmb2_admin_init includes\class-agency-backend-form.php:56
action save_post includes\class-agency-hooks.php:47
action save_post includes\class-agency-hooks.php:48
action deleted_post includes\class-agency-hooks.php:49
action template_redirect includes\class-agency-hooks.php:50
filter template_include includes\class-agency-hooks.php:52
filter inx_special_query_vars includes\class-agency-hooks.php:58
filter inx_search_tax_and_meta_queries includes\class-agency-hooks.php:59
filter inx_agency_has_single_view includes\class-agency-hooks.php:60
filter inx_team_get_agency_template_data includes\class-agency-hooks.php:66
filter inx_team_get_agency_checksum includes\class-agency-hooks.php:69
filter inx_team_get_agency_elements includes\class-agency-hooks.php:70
filter inx_team_get_agency_legal_notice includes\class-agency-hooks.php:71
filter inx_team_get_agency_count includes\class-agency-hooks.php:72
filter inx_team_create_agency includes\class-agency-hooks.php:75
filter inx_team_update_agency includes\class-agency-hooks.php:76
filter save_post includes\class-agency-hooks.php:349
filter document_title_parts includes\class-agency-list-hooks.php:49
filter get_the_archive_title includes\class-agency-list-hooks.php:50
filter inx_agency_has_archive includes\class-agency-list-hooks.php:56
action cmb2_admin_init includes\class-agent-backend-form.php:56
action save_post includes\class-agent-hooks.php:54
action save_post includes\class-agent-hooks.php:55
action deleted_post includes\class-agent-hooks.php:56
action template_redirect includes\class-agent-hooks.php:57
filter template_include includes\class-agent-hooks.php:59
filter immonex_oi2wp_import_agency_xml_before_import includes\class-agent-hooks.php:65
filter immonex_oi2wp_create_agent includes\class-agent-hooks.php:66
filter immonex_oi2wp_assign_agent includes\class-agent-hooks.php:67
filter inx_special_query_vars includes\class-agent-hooks.php:73
filter inx_search_tax_and_meta_queries includes\class-agent-hooks.php:74
filter inx_detail_page_elements includes\class-agent-hooks.php:75
filter inx_agent_has_single_view includes\class-agent-hooks.php:76
filter inx_team_get_agent_template_data includes\class-agent-hooks.php:82
filter inx_team_create_agent includes\class-agent-hooks.php:85
filter inx_team_update_agent includes\class-agent-hooks.php:86
filter inx_team_get_agent_elements includes\class-agent-hooks.php:89
filter save_post includes\class-agent-hooks.php:603
filter document_title_parts includes\class-agent-list-hooks.php:56
filter get_the_archive_title includes\class-agent-list-hooks.php:57
filter inx_agent_has_archive includes\class-agent-list-hooks.php:63
filter single_template includes\class-base-cpt-hooks.php:72
filter archive_template includes\class-base-cpt-hooks.php:78
action pre_get_posts includes\class-base-cpt-list-hooks.php:92
filter sanitize_option_immonex-kickstart_options includes\class-kickstart-team.php:100
filter immonex-kickstart_option_tabs includes\class-kickstart-team.php:286
filter immonex-kickstart_option_sections includes\class-kickstart-team.php:287
filter immonex-kickstart_option_fields includes\class-kickstart-team.php:288
action inx_team_render_pagination includes\class-pagination.php:50
filter inx_enable_doc_head_buffering includes\class-structured-data-hooks.php:63
filter inx_doc_head_contents includes\class-structured-data-hooks.php:64
action inx_team_before_render_agency_list_item includes\class-structured-data-hooks.php:70
action inx_team_before_render_agent_list_item includes\class-structured-data-hooks.php:71
filter inx_team_get_schema_data includes\class-structured-data-hooks.php:74
filter immonex-kickstart_option_fields includes\class-wp-bootstrap.php:50
action init includes\class-wp-bootstrap.php:51
action show_user_profile includes\class-wp-bootstrap.php:54
action edit_user_profile includes\class-wp-bootstrap.php:55
action personal_options_update includes\class-wp-bootstrap.php:57
action edit_user_profile_update includes\class-wp-bootstrap.php:58
action tgmpa_register tgmpa.php:12
Maintenance & Trust

immonex Kickstart Team Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Feb 11, 2026
PHP min version: 7.4
Downloads: 8K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 200
Developer Profile

immonex Kickstart Team Developer Profile

immonex

2 plugins · 400 total installs

Trust score: 99
Avg Security Score: 98/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect immonex Kickstart Team

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/immonex-kickstart-team/dist/css/admin.css
/wp-content/plugins/immonex-kickstart-team/dist/css/frontend.css
/wp-content/plugins/immonex-kickstart-team/dist/js/backend.js
/wp-content/plugins/immonex-kickstart-team/dist/js/frontend.js
Version Parameters
immonex-kickstart-team/dist/css/admin.css?ver=
immonex-kickstart-team/dist/css/frontend.css?ver=
immonex-kickstart-team/dist/js/backend.js?ver=
immonex-kickstart-team/dist/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
immonex-kickstart-team
HTML Comments
<!-- immonex Kickstart Team -->
<!-- immonex-kickstart-team-plugin -->
Data Attributes
data-immonex-kickstart-team
JS Globals
immonexKickstartTeam
immonex_kickstart_team_i18n
REST Endpoints
/wp-json/immonex-kickstart-team/
Shortcode Output
[inx-team-agency