Realtyna Organic IDX plugin + WPL Real Estate Security & Risk Analysis

wordpress.org/plugins/real-estate-listing-realtyna-wpl

Your comprehensive solution for creating dynamic and feature-rich real estate websites on WordPress. Designed to cater to the diverse needs of real es …

2K active installs v5.1.0 PHP 7.4+ WP 4.7.0+ Updated Sep 16, 2025
Tags: idx, mls, real-estate, realty, reso-web-api
Score: 87 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jul 30, 2025
Safety Verdict

Is Realtyna Organic IDX plugin + WPL Real Estate Safe to Use in 2026?

Generally Safe

Score 87/100

Realtyna Organic IDX plugin + WPL Real Estate has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jul 30, 2025 · Updated 6mo ago
Risk Assessment

The plugin 'real-estate-listing-realtyna-wpl' version 5.1.0 exhibits a mixed security posture. While it demonstrates good practices in its SQL query handling by exclusively using prepared statements, and a significant portion of its output is properly escaped, several concerning areas require attention. The static analysis reveals a substantial attack surface with 4 out of 5 identified entry points lacking proper authentication or permission checks. This is further exacerbated by the presence of 2 taint flows with unsanitized paths, indicating potential for vulnerabilities if these paths are exposed to malicious input.

The plugin's vulnerability history is a significant concern, with a total of 4 known CVEs, including 2 critical and 1 high severity. Although there are currently no unpatched vulnerabilities, the historical prevalence of critical issues such as Remote File Inclusion, Unrestricted Upload, XSS, and SQL Injection suggests a recurring pattern of severe security flaws. This history, coupled with the identified lack of authorization on REST API routes and unsanitized path flows, points to a plugin that, despite some good coding practices, has a history of being a target for sophisticated attacks.

Key Concerns

  • REST API routes without permission callbacks
  • Unsanitized paths in taint flows
  • 4 known CVEs, including critical and high
  • No nonce checks on entry points
  • Low percentage of properly escaped output
Vulnerabilities
4

Realtyna Organic IDX plugin + WPL Real Estate Security Vulnerabilities

CVEs by Year

2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

Critical: 2
High: 1
Medium: 1

4 total CVEs

CVE-2025-54052 · high · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Realtyna Organic IDX plugin <= 5.0.0 - Unauthenticated Local File Inclusion

Jul 30, 2025 Patched in 5.0.1 (6d)
CVE-2024-38736 · critical · 9.1 · Unrestricted Upload of File with Dangerous Type

Realtyna Organic IDX plugin <= 4.14.13 - Authenticated (Admin+) Arbitrary File Upload

Jul 11, 2024 Patched in 4.14.14 (133d)
CVE-2024-33924 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Realtyna Organic IDX plugin <= 4.14.4 - Reflected Cross-Site Scripting

Apr 29, 2024 Patched in 4.14.8 (19d)
CVE-2024-32128 · critical · 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Realtyna Organic IDX plugin <= 4.14.4 - Unauthenticated SQL Injection

Apr 12, 2024 Patched in 4.14.8 (36d)
Code Analysis
Analyzed Mar 16, 2026

Realtyna Organic IDX plugin + WPL Real Estate Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (9 prepared)
Unescaped Output: 21 (41 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 18
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

100% prepared · 9 total queries

Output Escaping

66% escaped · 62 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
runQuery (extensions.php:394)
Attack Surface
4 unprotected

Realtyna Organic IDX plugin + WPL Real Estate Attack Surface

Entry Points: 5
Unprotected: 4

REST API Routes 4

POST /wp-json/idx_api/v1import/(?P<token>[a-zA-Z0-9-]+) (api\init.php:8)
POST /wp-json/idx_api/v1update/(?P<token>[a-zA-Z0-9-]+) (api\init.php:92)
POST /wp-json/idx_api/v1update_json/(?P<token>[a-zA-Z0-9-]+) (api\init.php:113)
POST /wp-json/idx_api/v1import_json/(?P<token>[a-zA-Z0-9-]+) (api\init.php:124)

Shortcodes 1

[WPL] extensions.php:258
WordPress Hooks 21
action rest_api_init (api\init.php:6)
action wp_loaded (extensions.php:253)
filter rewrite_rules_array (extensions.php:254)
filter query_vars (extensions.php:255)
filter mce_external_plugins (extensions.php:346)
filter mce_buttons (extensions.php:347)
filter avf_skip_enqueue_scripts_backend_gmaps (extensions.php:873)
action divi_extensions_init (extensions.php:951)
action init (extensions.php:1029)
action admin_bar_menu (extensions.php:1032)
action wp_head (extensions.php:1035)
action admin_print_scripts (extensions.php:1036)
action wp_enqueue_scripts (extensions.php:1039)
action admin_enqueue_scripts (extensions.php:1040)
action widgets_init (extensions.php:1043)
action widgets_init (extensions.php:1044)
action login_enqueue_scripts (extensions.php:1046)
filter wp_title (extensions.php:1049)
filter document_title_parts (extensions.php:1050)
filter plugin_row_meta (extensions.php:1053)
action admin_notices (global.php:3000)

Scheduled Events 1

rlty_check_user_license
Maintenance & Trust

Realtyna Organic IDX plugin + WPL Real Estate Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Sep 16, 2025
PHP min version: 7.4
Downloads: 377K

Community Trust

Rating: 94/100
Number of ratings: 203
Active installs: 2K
Developer Profile

Realtyna Organic IDX plugin + WPL Real Estate Developer Profile

Realtyna

3 plugins · 3K total installs

Trust score: 81
Avg Security Score: 90/100
Avg Patch Time: 47 days
Detection Fingerprints

How We Detect Realtyna Organic IDX plugin + WPL Real Estate

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_settings.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_property.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_custom_fields.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_scheduler.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_favorites.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_functions.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_form.js
+8 more
Script Paths
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_settings.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_property.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_custom_fields.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_scheduler.js
/wp-content/plugins/real-estate-listing-realtyna-wpl/libraries/wpl_favorites.js
+6 more
Version Parameters
real-estate-listing-realtyna-wpl/libraries/wpl.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_settings.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_property.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_custom_fields.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_scheduler.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_favorites.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_functions.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_form.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_users.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_widgets.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_filters.js?ver=
real-estate-listing-realtyna-wpl/libraries/wpl_map.js?ver=
real-estate-listing-realtyna-wpl/css/wpl_frontend.css?ver=
real-estate-listing-realtyna-wpl/css/wpl_responsive.css?ver=
real-estate-listing-realtyna-wpl/css/wpl_shortcodes.css?ver=
real-estate-listing-realtyna-wpl/css/wpl_main.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpl-frontend
wpl-container
wpl-property-listing
wpl-property-details
wpl-search-form
wpl-map-canvas
HTML Comments
<!-- no direct access -->
<!-- WPL textdomain for language -->
<!-- WPL Execution -->
<!-- Directory Separator -->
+3 more
Data Attributes
data-wpl-property-id
data-wpl-map-lat
data-wpl-map-lng
data-wpl-map-zoom
JS Globals
wpl_global
wpl_properties
wpl_settings
wpl_favorites
wpl_map_settings
REST Endpoints
/wp-json/wpl/v1/properties
/wp-json/wpl/v1/settings
/wp-json/wpl/v1/users
Shortcode Output
[wpl_property_listing]
[wpl_property_details]
[wpl_search_form]
[wpl_map]
FAQ

Frequently Asked Questions about Realtyna Organic IDX plugin + WPL Real Estate