Rover IDX Security & Risk Analysis

wordpress.org/plugins/rover-idx

Rover IDX displays searchable, mobile-friendly MLS listings on your site, using customizable layouts.

200 active installs · v4.0.0.2805 · Requires WP 6.5+ (PHP minimum not stated) · Updated Mar 4, 2026
Tags: idx, mls, multiple-listing-service, rets, webapi

Security score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Oct 21, 2024
Safety Verdict

Is Rover IDX Safe to Use in 2026?

Generally Safe

Score 98/100

Rover IDX has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 21, 2024 · Updated 1mo ago
Risk Assessment

The "rover-idx" v4.0.0.2806 plugin exhibits a mixed security posture. It does the gating well: most of its AJAX handlers carry nonce and capability checks (24 nonce checks and 23 capability checks across 27 handlers), and the scan found no unprotected entry points. The weak spots are output escaping and the taint analysis. Only 34% of outputs (161 of 475) pass through an escaping function, which leaves a substantial Cross-Site Scripting (XSS) exposure wherever user-supplied data, or data the plugin generates from the listing feed, reaches a page without being escaped for its context.

The two high-severity taint flows with unsanitized paths are the most significant finding. Each is a path from user input to a sensitive operation with no sanitizer on it, so untrusted input can reach storage, a query or the page unchanged. No SQL injection was detected on those paths, but half of the plugin's SQL (12 of 24 queries) is built without $wpdb->prepare(), so any unsanitized value that does reach one of those queries has no second line of defence. The vulnerability history points the same way: two CVEs disclosed on Oct 21, 2024, a high-severity authentication bypass (Subscriber+ to Administrator) and a medium-severity missing-authorization issue spanning multiple functions. Both are authorization failures in privileged actions, and although both were patched within a day, they show that access control around privileged actions has been a weak area and deserves specific review in the current version.

In conclusion, the plugin's entry points are consistently gated, but the low escaping ratio and the two unsanitized flows are real weaknesses, and the CVE history argues for auditing input handling and authorization rather than assuming the 2024 fixes closed the whole class. Developers should fix the two flagged flows first, then bring escaping up to all 475 outputs and convert the remaining raw queries to prepared statements.

Key Concerns

  • High severity taint flows with unsanitized paths
  • Low percentage of properly escaped output
  • Historical high severity vulnerability (Auth Bypass/Missing Auth)
  • SQL queries not using prepared statements
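
The handler pattern behind these concerns, as an added example that is not Rover IDX code: a hypothetical admin-ajax action that stores a list of post slugs, shown first in the weak form the findings above describe (no nonce, no capability check, tainted input reaching update_option(), a raw query, unescaped output) and then hardened. The function names, the option name, the "slugs" POST field and the query are assumptions; the WordPress APIs used (check_ajax_referer, current_user_can, wp_unslash, sanitize_title, $wpdb->prepare, esc_html, wp_send_json_success/error) are the standard ones.

```php
<?php
// Added example, not Rover IDX code. A hypothetical admin-ajax action that
// stores a list of post slugs, first in the weak form the findings above
// describe, then hardened. Function names, the option name, the POST field
// and the query are illustration only.

// --- Weak form: every finding in one handler. Do not ship this. ---
function example_save_slug_excludes_weak() {
    global $wpdb;
    // No nonce: a page on any other site can make a logged-in user's browser
    // POST here (CSRF). No capability check: a Subscriber reaches this via
    // admin-ajax.php exactly like an Administrator (missing authorization).
    $slugs = $_POST['slugs'];                          // tainted source
    update_option( 'example_slug_excludes', $slugs );  // stored unsanitized
    // Raw query assembled from the tainted value: SQL injection sink.
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name IN ('" . implode( "','", (array) $slugs ) . "')"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>';      // unescaped output (XSS)
    }
    wp_die();
}

// --- Hardened form ---
function example_save_slug_excludes() {
    global $wpdb;

    // 1. CSRF: the nonce must have been issued for this action (the admin
    //    script gets it from wp_create_nonce( 'example_slug_excludes' )).
    check_ajax_referer( 'example_slug_excludes', 'nonce' );

    // 2. Authorization: being logged in is not a privilege. Require the
    //    capability the action needs; Subscribers stop here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: fix the shape (array of strings) and the format (slug)
    //    before the value touches storage or a query.
    $raw   = isset( $_POST['slugs'] ) ? (array) wp_unslash( $_POST['slugs'] ) : array();
    $slugs = example_normalize_slugs( $raw );
    update_option( 'example_slug_excludes', $slugs );

    // 4. SQL: one %s placeholder per value through $wpdb->prepare(); the
    //    values never enter the query string directly.
    $rows = array();
    if ( $slugs ) {
        $placeholders = implode( ',', array_fill( 0, count( $slugs ), '%s' ) );
        $rows = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name IN ($placeholders)",
                $slugs
            )
        );
    }

    // 5. Output: escape for the context the value lands in (HTML text here;
    //    esc_attr() / esc_url() for attributes and URLs).
    $html = '';
    foreach ( $rows as $row ) {
        $html .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    wp_send_json_success( array( 'excluded' => $slugs, 'html' => $html ) );
}

/**
 * Reduce an untrusted array to unique, non-empty WordPress slugs.
 * Non-string members (nested arrays, objects) are dropped rather than cast.
 */
function example_normalize_slugs( array $raw ) {
    $seen = array();
    foreach ( $raw as $value ) {
        if ( ! is_string( $value ) ) {
            continue;
        }
        $slug = sanitize_title( $value ); // lowercase, [a-z0-9-] only
        if ( '' !== $slug ) {
            $seen[ $slug ] = true;
        }
    }
    return array_keys( $seen );
}

// Register the authenticated hook only. There is deliberately no
// wp_ajax_nopriv_ twin: this action changes site state.
add_action( 'wp_ajax_example_save_slug_excludes', 'example_save_slug_excludes' );
```

The client side obtains the nonce from wp_create_nonce( 'example_slug_excludes' ), typically handed to the admin script with wp_localize_script() or wp_add_inline_script(), and sends it as the "nonce" field alongside action=example_save_slug_excludes. The order of the checks matters: the nonce check runs before any work, the capability check before any read of the input, and normalization before the value is stored, so a failure at any step leaves nothing behind.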
Vulnerabilities (2)

Rover IDX Security Vulnerabilities

CVEs by Year

2024: 2 CVEs (both patched)

Severity Breakdown

High
1
Medium
1

2 total CVEs

CVE-2024-10002 · High (CVSS 8.8) · Authentication Bypass Using an Alternate Path or Channel

Rover IDX <= 3.0.0.2905 - Authenticated (Subscriber+) Authentication Bypass to Administrator

Disclosed Oct 21, 2024 · Patched in 3.0.0.2906 (1 day)

CVE-2024-10003 · Medium (CVSS 6.3) · Missing Authorization

Rover IDX <= 3.0.0.2903 - Authenticated (Subscriber+) Missing Authorization via Multiple Functions

Disclosed Oct 21, 2024 · Patched in 3.0.0.2905 (1 day)
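
To check whether an installed copy still falls inside either affected range, here is an added example that is not part of the page or of the plugin: it reads the Version: header that WordPress plugin main files carry and compares it against the last affected version of each advisory listed above using version_compare(), which orders four-part versions such as 3.0.0.2905 component by component. The sample header text is constructed and the function names are assumptions; the two version ranges are the ones stated above.

```php
<?php
// Added example, not Rover IDX code: decide which of the two disclosed CVEs
// still apply to an installed version. The affected ranges come from the
// advisory list above; function names and the sample header are assumptions.

function example_rover_advisories() {
    return array(
        // CVE => last affected version (the fix shipped in the next build listed above)
        'CVE-2024-10002' => '3.0.0.2905', // fixed in 3.0.0.2906
        'CVE-2024-10003' => '3.0.0.2903', // fixed in 3.0.0.2905
    );
}

/**
 * Pull the "Version:" header out of a plugin main file, following the
 * comment-header convention WordPress core reads with get_plugin_data().
 * Returns null when the header is missing.
 */
function example_plugin_version_from_header( $file_contents ) {
    if ( preg_match( '/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $file_contents, $m ) ) {
        return $m[1];
    }
    return null;
}

/**
 * CVE IDs whose affected range (<= last affected version) contains $installed.
 * version_compare() splits on dots and compares each component numerically,
 * so '3.0.0.2905' < '3.0.0.2906' < '4.0.0.2805'. A plain string comparison
 * would order '3.0.0.10000' before '3.0.0.2905' and get the answer wrong.
 */
function example_applicable_cves( $installed ) {
    $hits = array();
    foreach ( example_rover_advisories() as $cve => $last_affected ) {
        if ( version_compare( $installed, $last_affected, '<=' ) ) {
            $hits[] = $cve;
        }
    }
    return $hits;
}

// Constructed sample header (not the plugin's real file).
$sample_header = "<?php\n/**\n * Plugin Name: Rover IDX\n * Version: 3.0.0.2905\n */\n";

$installed = example_plugin_version_from_header( $sample_header );
// 3.0.0.2905 is the last version inside the CVE-2024-10002 range and already
// carries the CVE-2024-10003 fix, so only the first advisory should apply.
print_r( example_applicable_cves( $installed ) );
// The current release is past both ranges.
print_r( example_applicable_cves( '4.0.0.2805' ) );
```

On a live site the installed version is quicker to read with `wp plugin get rover-idx --field=version`; pass that string to example_applicable_cves(). Note that the second advisory lists 3.0.0.2903 as the last affected version but 3.0.0.2905 as the fix, so a 3.0.0.2904 install is outside the stated range without being on the fixed build; treat it as needing the update.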
Code Analysis
Analyzed Mar 16, 2026

Rover IDX Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 12 · Prepared: 12
Unescaped Output: 314 · Escaped: 161
Nonce Checks: 24
Capability Checks: 23
File Operations: 1
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

50% prepared (24 total queries)

Output Escaping

34% escaped (475 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

5 flows, 2 with unsanitized paths

rover_idx_save_slug_excludes_callback (admin\rover-admin-callbacks.php:111)
Attack Surface

Rover IDX Attack Surface

Entry Points: 34 · Unprotected: 0

AJAX Handlers 27

auth    wp_ajax_rover_idx_save_setup    admin\rover-admin-callbacks.php:12
auth    wp_ajax_rover_idx_save_slug_excludes    admin\rover-admin-callbacks.php:13
auth    wp_ajax_rover_idx_save_style_settings    admin\rover-admin-callbacks.php:14
auth    wp_ajax_rover_idx_reset    admin\rover-admin-callbacks.php:15
auth    wp_ajax_rover_idx_quick_start_create    admin\rover-admin-callbacks.php:16
auth    wp_ajax_rover_idx_quick_start_info    admin\rover-admin-callbacks.php:17
auth    wp_ajax_rover_idx_quick_start_reset    admin\rover-admin-callbacks.php:18
auth    wp_ajax_rover_idx_refresh_js_ver    admin\rover-admin-callbacks.php:20
auth    wp_ajax_rover_idx_show_settings    admin\rover-admin-callbacks.php:21
auth    wp_ajax_rover_idx_theme    admin\rover-admin-callbacks.php:24
auth    wp_ajax_rover_idx_fetch_theme_settings    admin\rover-admin-callbacks.php:25
auth    wp_ajax_rover_idx_menu_add    admin\rover-admin-callbacks.php:26
auth    wp_ajax_rover_idx_menu_remove    admin\rover-admin-callbacks.php:27
auth    wp_ajax_rover_idx_overwrite_theme_settings    admin\rover-admin-callbacks.php:28
auth    wp_ajax_rover_idx_seo    admin\rover-admin-callbacks.php:32
auth    wp_ajax_rover_idx_do_sitemap    admin\rover-admin-callbacks.php:33
auth    wp_ajax_rover_idx_sitemap_history    admin\rover-admin-callbacks.php:34
auth    wp_ajax_rover_idx_create_city_dynamic_definitions    admin\rover-admin-callbacks.php:35
auth    wp_ajax_rover_idx_create_subdivision_dynamic_definitions    admin\rover-admin-callbacks.php:36
auth    wp_ajax_rover_idx_social    admin\rover-admin-callbacks.php:39
auth    wp_ajax_rover_idx_refresh_social    admin\rover-admin-callbacks.php:40
auth    wp_ajax_rover_idx_block_refresh    admin\rover-admin-init.php:53
auth    wp_ajax_rover_dismiss_hosting_notice    admin\rover-admin-init.php:71
auth    wp_ajax_rover_idx_migrate_ds    admin\rover-panel-migrate-ds.php:6
auth    wp_ajax_rover_idx_dismiss_ds    admin\rover-panel-migrate-ds.php:7
auth    wp_ajax_idx_site_posts    rover-init.php:145
nopriv    wp_ajax_idx_site_posts    rover-init.php:146

Shortcodes 7

[rover_idx_site_search] rover-shortcodes.php:61
[rover_idx_links] rover-shortcodes.php:62
[sr-listings] rover-shortcodes.php:65
[sr-list] rover-shortcodes.php:66
[idx-listings] rover-shortcodes.php:67
[idx-quick-search] rover-shortcodes.php:68
[rover_idx_widget] rover-shortcodes.php:70
WordPress Hooks 108

action    admin_menu    admin\rover-admin-init.php:35
action    admin_enqueue_scripts    admin\rover-admin-init.php:36
filter    block_categories    admin\rover-admin-init.php:41
filter    block_categories_all    admin\rover-admin-init.php:43
action    update_option_permalink_structure    admin\rover-admin-init.php:45
filter    plugin_action_links    admin\rover-admin-init.php:47
action    wp_dashboard_setup    admin\rover-admin-init.php:49
action    wp_dashboard_setup    admin\rover-admin-init.php:50
action    wp_dashboard_setup    admin\rover-admin-init.php:51
filter    admin_body_class    admin\rover-admin-init.php:55
action    upgrader_process_complete    admin\rover-admin-init.php:62
action    admin_notices    admin\rover-admin-init.php:65
action    admin_notices    admin\rover-admin-init.php:67
action    admin_notices    admin\rover-admin-init.php:68
action    admin_notices    admin\rover-admin-init.php:70
action    admin_notices    admin\rover-admin-init.php:74
action    block_categories_all    blocks\listings.php:8
action    init    blocks\listings.php:9
action    enqueue_block_editor_assets    blocks\listings.php:10
filter    the_posts    rover-content.php:100
action    pre_get_posts    rover-content.php:104
action    template_redirect    rover-content.php:108
filter    do_redirect_guess_404_permalink    rover-content.php:112
filter    the_posts    rover-content.php:161
filter    the_posts    rover-content.php:218
filter    template_include    rover-content.php:349
filter    pre_get_shortlink    rover-content.php:353
filter    body_class    rover-content.php:503
filter    the_title    rover-content.php:504
filter    wp_head    rover-content.php:520
filter    wp_robots    rover-content.php:522
action    wp_enqueue_scripts    rover-init.php:72
action    after_setup_theme    rover-init.php:75
action    init    rover-init.php:76
action    parse_request    rover-init.php:79
filter    script_loader_tag    rover-init.php:86
filter    validate_plugin_require    rover-init.php:88
filter    rover_idx_resolve    rover-init.php:99
action    do_robots    rover-init.php:103
action    wp_head    rover-init.php:104
action    admin_head    rover-init.php:105
action    wp_footer    rover-init.php:109
action    admin_footer    rover-init.php:110
action    wp_head    rover-init.php:114
action    admin_head    rover-init.php:115
action    roveridx_cron_hourly    rover-init.php:141
action    roveridx_cron_daily    rover-init.php:142
action    rest_api_init    rover-init.php:144
filter    rocket_preload_exclude_urls    rover-init.php:148
action    plugins_loaded    rover-init.php:194
action    plugins_loaded    rover-init.php:198
action    init    rover-init.php:206
filter    pre_get_block_templates    rover-init.php:281
action    admin_notices    rover-init.php:382
action    update_option_permalink_structure    rover-init.php:404
action    admin_notices    rover-init.php:1410
filter    no_texturize_shortcodes    rover-shortcodes.php:72
action    http_api_curl    rover-social-common.php:56
filter    http_request_host_is_external    rover-social-common.php:64
filter    wp_mail_content_type    rover-social-common.php:260
filter    do_rocket_generate_caching_files    rover-third-party.php:28
filter    wpo_can_cache_page    rover-third-party.php:31
action    template_redirect    rover-third-party.php:129
filter    aioseo_disable    rover-third-party.php:158
filter    aioseo_disable_title_rewrites    rover-third-party.php:162
filter    rank_math/frontend/title    rover-third-party.php:188
filter    rank_math/frontend/robots    rover-third-party.php:189
filter    rank_math/redirection/redirect    rover-third-party.php:196
filter    the_seo_framework_title_from_custom_field    rover-third-party.php:212
filter    the_seo_framework_title_from_generation    rover-third-party.php:213
filter    the_seo_framework_custom_field_description    rover-third-party.php:215
filter    the_seo_framework_generated_description    rover-third-party.php:216
filter    the_seo_framework_ogtitle_output    rover-third-party.php:219
filter    the_seo_framework_ogdescription_output    rover-third-party.php:220
filter    the_seo_framework_ogurl_output    rover-third-party.php:221
filter    the_seo_framework_rel_canonical_output    rover-third-party.php:222
filter    the_seo_framework_image_details    rover-third-party.php:224
filter    the_seo_framework_modifiedtime_output    rover-third-party.php:229
action    wp_head    rover-third-party.php:237
filter    seopress_titles_canonical    rover-third-party.php:242
filter    seopress_titles_desc    rover-third-party.php:243
filter    seopress_social_og_title    rover-third-party.php:245
filter    seopress_social_og_desc    rover-third-party.php:246
filter    seopress_social_og_thumb    rover-third-party.php:247
filter    seopress_social_og_url    rover-third-party.php:248
filter    slim_seo_canonical_url    rover-third-party.php:254
filter    sq_title    rover-third-party.php:263
filter    sq_canonical    rover-third-party.php:265
filter    sq_description    rover-third-party.php:267
filter    sq_open_graph    rover-third-party.php:269
filter    sq_twitter_card    rover-third-party.php:271
filter    wpcf7_form_action_url    rover-third-party.php:304
filter    jetpack_enable_open_graph    rover-third-party.php:310
filter    jetpack_photon_skip_for_url    rover-third-party.php:311
filter    sharing_show    rover-third-party.php:344
action    widgets_init    widgets\init.php:19
action    widgets_init    widgets\init.php:20
action    widgets_init    widgets\init.php:21
action    widgets_init    widgets\init.php:23
action    widgets_init    widgets\init.php:24
action    widgets_init    widgets\init.php:25
action    widgets_init    widgets\init.php:26
action    widgets_init    widgets\init.php:28
action    widgets_init    widgets\init.php:29
action    widgets_init    widgets\init.php:30
action    widgets_init    widgets\init.php:31
action    widgets_init    widgets\init.php:33
action    widgets_init    widgets\_init.php:47

Scheduled Events 2

roveridx_cron_daily
roveridx_cron_hourly
Maintenance & Trust

Rover IDX Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: not stated
Downloads: 28K

Community Trust

Rating: 96/100
Number of ratings: 24
Active installs: 200
Developer Profile

Rover IDX Developer Profile

stevemullen

1 plugin · 200 total installs

Trust score: 99
Avg Security Score: 98/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Rover IDX

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Rover IDX