Optima Express IDX Security & Risk Analysis

wordpress.org/plugins/optima-express

Embed real estate property listings, market reports & MLS data on your WordPress site. Responsive design, great SEO & proven lead capture.

8K active installs · v8.4.0 · PHP (not listed) · WP 4.2.0+ · Updated Mar 9, 2026
Tags: idx-plugin, mls-idx-search, real-estate-search, real-estate, wordpress-idx
Score: 100 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 14, 2023
Safety Verdict

Is Optima Express IDX Safe to Use in 2026?

Generally Safe

Score 100/100

Optima Express IDX has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 14, 2023 · Updated 25d ago
Risk Assessment

The Optima Express plugin v8.4.0 presents a concerning security posture, primarily because of its large, unprotected attack surface. All 43 of its AJAX handlers lack authentication checks, so there is a significant risk of unauthorized actions being performed unless these handlers are secured at the application or server level. While the plugin demonstrates good practices in SQL query handling (100% prepared statements) and a high percentage of properly escaped output, these strengths are overshadowed by the critical lack of authorization on its primary entry points. The absence of nonce checks on any of its AJAX handlers further exacerbates this risk, making it easier for attackers to forge requests on behalf of logged-in users (cross-site request forgery).

The vulnerability history indicates a past medium-severity Cross-Site Scripting (XSS) vulnerability, which was addressed. However, the fact that it had an XSS issue, coupled with the current lack of nonce checks and extensive unprotected AJAX handlers, suggests a potential pattern of overlooking critical security implementation details. The static analysis did not reveal any critical or high-severity taint flows, which is a positive sign, but the unprotected AJAX handlers represent a latent, high-impact risk that is not captured by taint analysis alone.

In conclusion, while Optima Express has made strides in secure coding practices for SQL and output escaping, the plugin's security is severely compromised by its numerous unprotected AJAX endpoints. This design flaw creates a substantial attack surface that requires careful mitigation outside of the plugin itself. The absence of nonce checks on these handlers is a direct invitation for exploitation, and the past XSS vulnerability warrants vigilance regarding potential similar issues.

Key Concerns

  • Large attack surface without auth checks
  • Missing nonce checks on AJAX
  • Medium severity vulnerability history
Vulnerabilities (1)

Optima Express IDX Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2023-30749 · Medium (4.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Optima Express + MarketBoost IDX Plugin <= 7.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 14, 2023 · Patched in 7.3.1 (284d)
Code Analysis (analyzed Mar 16, 2026)

Optima Express IDX Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 27 (921 escaped)
Nonce Checks: 0
Capability Checks: 3
File Operations: 0
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (1 total query)

Output Escaping

97% escaped (948 total outputs)
Attack Surface (43 unprotected)

Optima Express IDX Attack Surface

Entry Points: 43
Unprotected: 43

AJAX Handlers (43): 21 nopriv registrations (wp_ajax_nopriv_*, reachable without a login) and 22 auth registrations (wp_ajax_*, logged-in users). Columns: type, hook, location.

  • nopriv  wp_ajax_ihf_more_info_request  (iHomefinder.php:150)
  • nopriv  wp_ajax_ihf_schedule_showing  (iHomefinder.php:151)
  • nopriv  wp_ajax_ihf_save_property  (iHomefinder.php:152)
  • nopriv  wp_ajax_ihf_photo_tour  (iHomefinder.php:153)
  • nopriv  wp_ajax_ihf_save_search  (iHomefinder.php:154)
  • nopriv  wp_ajax_ihf_lead_capture_login  (iHomefinder.php:155)
  • nopriv  wp_ajax_ihf_saved_listing_comments  (iHomefinder.php:156)
  • nopriv  wp_ajax_ihf_saved_listing_rating  (iHomefinder.php:157)
  • nopriv  wp_ajax_ihf_save_listing_subscriber_session  (iHomefinder.php:158)
  • nopriv  wp_ajax_ihf_save_search_subscriber_session  (iHomefinder.php:159)
  • nopriv  wp_ajax_ihf_contact_form_request  (iHomefinder.php:160)
  • nopriv  wp_ajax_ihf_send_password  (iHomefinder.php:161)
  • nopriv  wp_ajax_ihf_email_alert_popup  (iHomefinder.php:162)
  • nopriv  wp_ajax_ihf_email_listing  (iHomefinder.php:163)
  • nopriv  wp_ajax_ihf_email_board_member  (iHomefinder.php:164)
  • nopriv  wp_ajax_ihf_email_board_office  (iHomefinder.php:165)
  • nopriv  wp_ajax_ihf_email_signup  (iHomefinder.php:166)
  • nopriv  wp_ajax_ihf_clear_cache  (iHomefinder.php:167)
  • nopriv  wp_ajax_ihf_advanced_search_multi_selects  (iHomefinder.php:168)
  • nopriv  wp_ajax_ihf_advanced_search_fields  (iHomefinder.php:169)
  • nopriv  wp_ajax_ihf_area_autocomplete  (iHomefinder.php:170)
  • auth  wp_ajax_ihf_more_info_request  (iHomefinder.php:172)
  • auth  wp_ajax_ihf_schedule_showing  (iHomefinder.php:173)
  • auth  wp_ajax_ihf_save_property  (iHomefinder.php:174)
  • auth  wp_ajax_ihf_photo_tour  (iHomefinder.php:175)
  • auth  wp_ajax_ihf_save_search  (iHomefinder.php:176)
  • auth  wp_ajax_ihf_lead_capture_login  (iHomefinder.php:177)
  • auth  wp_ajax_ihf_saved_listing_comments  (iHomefinder.php:178)
  • auth  wp_ajax_ihf_saved_listing_rating  (iHomefinder.php:179)
  • auth  wp_ajax_ihf_save_listing_subscriber_session  (iHomefinder.php:180)
  • auth  wp_ajax_ihf_save_search_subscriber_session  (iHomefinder.php:181)
  • auth  wp_ajax_ihf_contact_form_request  (iHomefinder.php:182)
  • auth  wp_ajax_ihf_send_password  (iHomefinder.php:183)
  • auth  wp_ajax_ihf_email_alert_popup  (iHomefinder.php:184)
  • auth  wp_ajax_ihf_email_listing  (iHomefinder.php:185)
  • auth  wp_ajax_ihf_email_board_member  (iHomefinder.php:186)
  • auth  wp_ajax_ihf_email_board_office  (iHomefinder.php:187)
  • auth  wp_ajax_ihf_email_signup  (iHomefinder.php:188)
  • auth  wp_ajax_ihf_clear_cache  (iHomefinder.php:189)
  • auth  wp_ajax_ihf_tiny_mce_shortcode_dialog  (iHomefinder.php:190)
  • auth  wp_ajax_ihf_advanced_search_multi_selects  (iHomefinder.php:191)
  • auth  wp_ajax_ihf_advanced_search_fields  (iHomefinder.php:192)
  • auth  wp_ajax_ihf_area_autocomplete  (iHomefinder.php:193)
WordPress Hooks (43). Columns: type, hook, location.

  • filter  upgrader_post_install  (iHomefinder.php:47)
  • filter  jetpack_enable_open_graph  (iHomefinder.php:50)
  • action  init  (iHomefinder.php:57)
  • action  admin_enqueue_scripts  (iHomefinder.php:60)
  • action  admin_menu  (iHomefinder.php:61)
  • action  admin_init  (iHomefinder.php:62)
  • action  admin_init  (iHomefinder.php:63)
  • action  admin_init  (iHomefinder.php:66)
  • action  admin_notices  (iHomefinder.php:68)
  • action  setup_theme  (iHomefinder.php:75)
  • action  setup_theme  (iHomefinder.php:76)
  • action  init  (iHomefinder.php:77)
  • action  wp_head  (iHomefinder.php:78)
  • action  wp_head  (iHomefinder.php:79)
  • action  wp_footer  (iHomefinder.php:80)
  • action  wp  (iHomefinder.php:82)
  • filter  posts_pre_query  (iHomefinder.php:83)
  • filter  template_include  (iHomefinder.php:84)
  • filter  render_block_data  (iHomefinder.php:85)
  • filter  render_block_core_post_content  (iHomefinder.php:86)
  • action  pre_get_posts  (iHomefinder.php:87)
  • filter  the_content  (iHomefinder.php:88)
  • filter  the_excerpt  (iHomefinder.php:89)
  • filter  render_block_core_post_content  (iHomefinder.php:90)
  • filter  render_block  (iHomefinder.php:91)
  • filter  comments_array  (iHomefinder.php:93)
  • action  sm_buildmap  (iHomefinder.php:94)
  • filter  wpseo_sitemap_page_content  (iHomefinder.php:95)
  • action  init  (iHomefinder.php:99)
  • action  widgets_init  (iHomefinder.php:147)
  • filter  wpseo_canonical  (iHomefinder.php:199)
  • filter  wpseo_opengraph_url  (iHomefinder.php:200)
  • filter  aioseo_canonical_url  (iHomefinder.php:203)
  • filter  aioseo_facebook_tags  (iHomefinder.php:204)
  • filter  aioseo_twitter_tags  (iHomefinder.php:205)
  • filter  rank_math/frontend/canonical  (iHomefinder.php:208)
  • filter  rank_math/opengraph/url  (iHomefinder.php:209)
  • filter  seopress_titles_canonical  (iHomefinder.php:212)
  • filter  seopress_social_og_url  (iHomefinder.php:213)
  • action  template_redirect  (iHomefinder.php:215)
  • action  template_redirect  (iHomefinder.php:216)
  • filter  mce_external_plugins  (iHomefinderShortcodeSelectorTinyMce.php:34)
  • filter  mce_buttons  (iHomefinderShortcodeSelectorTinyMce.php:35)
Maintenance & Trust

Optima Express IDX Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: (not listed)
Downloads: 379K

Community Trust

Rating: 64/100
Number of ratings: 45
Active installs: 8K
Developer Profile

Optima Express IDX Developer Profile

iHomefinder, Inc.

1 plugin · 8K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 284 days
Detection Fingerprints

How We Detect Optima Express IDX

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/optima-express/css/optima-express-base.css
  • /wp-content/plugins/optima-express/css/optima-express.css
  • /wp-content/plugins/optima-express/css/optima-express-custom.css
  • /wp-content/plugins/optima-express/css/optima-express-gallery.css
  • /wp-content/plugins/optima-express/css/optima-express-quick-search.css
  • /wp-content/plugins/optima-express/js/optima-express.js
  • /wp-content/plugins/optima-express/js/optima-express-validation.js
  • /wp-content/plugins/optima-express/js/optima-express-gallery.js
  • (+12 more)
Script Paths
  • /wp-content/plugins/optima-express/js/optima-express.js
  • /wp-content/plugins/optima-express/js/optima-express-validation.js
  • /wp-content/plugins/optima-express/js/optima-express-gallery.js
  • /wp-content/plugins/optima-express/js/optima-express-quick-search.js
  • /wp-content/plugins/optima-express/js/optima-express-results.js
  • /wp-content/plugins/optima-express/js/optima-express-search.js
  • (+9 more)
Version Parameters
  • optima-express/css/optima-express-base.css?ver=
  • optima-express/css/optima-express.css?ver=
  • optima-express/css/optima-express-custom.css?ver=
  • optima-express/css/optima-express-gallery.css?ver=
  • optima-express/css/optima-express-quick-search.css?ver=
  • optima-express/js/optima-express.js?ver=
  • optima-express/js/optima-express-validation.js?ver=
  • optima-express/js/optima-express-gallery.js?ver=
  • optima-express/js/optima-express-quick-search.js?ver=
  • optima-express/js/optima-express-results.js?ver=
  • optima-express/js/optima-express-search.js?ver=
  • optima-express/js/optima-express-saved-searches.js?ver=
  • optima-express/js/optima-express-contact.js?ver=
  • optima-express/js/optima-express-listing-details.js?ver=
  • optima-express/js/optima-express-map.js?ver=
  • optima-express/js/optima-express-responsive.js?ver=
  • optima-express/js/optima-express-social.js?ver=
  • optima-express/js/optima-express-valuation.js?ver=
  • optima-express/js/optima-express-advanced-search.js?ver=
  • optima-express/js/optima-express-login.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • optima-express-widget
  • optima-express-quick-search-widget
  • optima-express-gallery-widget
  • optima-express-search-by-address-widget
  • optima-express-search-by-listing-id-widget
  • optima-express-contact-form-widget
  • optima-express-login-widget
  • optima-express-valuation-widget
  • (+9 more)
HTML Comments
  • <!-- optima-express -->
  • <!-- /optima-express -->
  • <!-- Quick Search Widget -->
  • <!-- Properties Gallery Widget -->
  • (+11 more)
Data Attributes
  • data-ihf-property-id
  • data-ihf-search-id
  • data-ihf-listing-url
  • data-ihf-map-style
  • data-ihf-map-zoom
  • data-ihf-map-center
JS Globals
  • optimaExpress
  • optimaExpressConfig
  • optimaExpressMap
REST Endpoints
  • /wp-json/optima-express/v1/search
  • /wp-json/optima-express/v1/listings
  • /wp-json/optima-express/v1/contact-form
  • /wp-json/optima-express/v1/save-search
Shortcode Output
  • [optima_express_quick_search]
  • [optima_express_listing_details]
  • [optima_express_search_results]
  • [optima_express_map]
FAQ

Frequently Asked Questions about Optima Express IDX