Showcase IDX Real Estate Search & Lead Capture Security & Risk Analysis

wordpress.org/plugins/showcase-idx

Add MLS listings to your website and capture more leads, all with one plugin! Showcase IDX is a top-performing real estate search plugin that's S …

2K active installs v3.3.1 PHP 5.3.0+ WP 4.6.0+ Updated Feb 2, 2026
Tags: idx, idx-search, lead-capture, mls, real-estate-search
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Showcase IDX Real Estate Search & Lead Capture Safe to Use in 2026?

Generally Safe

Score 100/100

Showcase IDX Real Estate Search & Lead Capture has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago
Risk Assessment

The 'showcase-idx' plugin v3.3.1 exhibits a mixed security posture. On the positive side, the static analysis reveals no identified dangerous functions, no direct SQL queries (all use prepared statements), no file operations, and no external HTTP requests were flagged as problematic by the taint analysis. The absence of known CVEs and a clean vulnerability history further suggests a generally well-maintained codebase.

However, several areas raise significant concerns. The plugin has a substantial attack surface of 28 shortcodes, and critically, there are no capability checks or nonce checks implemented on any of these entry points. This means any user, regardless of their role or permissions, can potentially trigger functionality within these shortcodes. Furthermore, a shockingly low 2% of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities across a vast majority of its outputs. The plugin also makes 16 external HTTP requests, and without proper validation or sanitization checks on this data, it could be vulnerable to SSRF or data injection attacks.

While the plugin avoids common pitfalls like raw SQL queries or bundled vulnerable libraries, the lack of basic security controls on its extensive shortcode functionality and the pervasive issue of unescaped output are major security weaknesses. The absence of capability checks and nonce validation means that attackers could potentially exploit this plugin to perform actions or inject malicious scripts. The high volume of unescaped output presents a broad attack vector for XSS. The plugin's reliance on external HTTP requests without apparent input sanitization adds another layer of potential risk. Therefore, despite the absence of known vulnerabilities and the use of prepared statements, the lack of fundamental security mechanisms like capability and nonce checks, coupled with widespread output escaping issues, makes this plugin a considerable security risk.

Key Concerns

  • No capability checks on entry points
  • No nonce checks on entry points
  • Very low percentage of output properly escaped
  • Significant attack surface via shortcodes
  • External HTTP requests without apparent sanitization
Vulnerabilities
None known

Showcase IDX Real Estate Search & Lead Capture Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Showcase IDX Real Estate Search & Lead Capture Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 52 (1 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 16
Bundled Libraries: 0

Output Escaping

2% escaped, 53 total outputs
Attack Surface

Showcase IDX Real Estate Search & Lead Capture Attack Surface

Entry Points: 28
Unprotected: 0

Shortcodes 28

[showcaseidx] 2\config.php:34
[showcaseidx_hotsheet] 2\config.php:35
[showcaseidx_custom] 2\config.php:36
[showcaseidx_widget_login] 2\config.php:37
[showcaseidx_widget_register] 2\config.php:38
[showcaseidx_widget_230] 2\config.php:39
[showcaseidx_widget_465] 2\config.php:40
[showcaseidx_widget_700] 2\config.php:41
[showcaseidx_widget_930] 2\config.php:42
[showcaseidx_widget_updated] 2\config.php:43
[showcaseidx_widget_last_updated] 2\config.php:44
[showcaseidx_widget_contact] 2\config.php:45
[showcaseidx_widget_agent] 2\config.php:46
[showcaseidx_widget_office] 2\config.php:47
[showcaseidx_widget_featured] 2\config.php:48
[showcaseidx_widget_hotsheet] 2\config.php:49
[showcaseidx_widget_omnibox] 2\config.php:50
[showcaseidx_widget_slideshow] 2\config.php:51
[showcaseidx] 3\page.php:169
[showcaseidx_signin] 3\shortcodes.php:3
[showcaseidx_calculator] 3\shortcodes.php:4
[showcaseidx_cma] 3\shortcodes.php:5
[showcaseidx_contact] 3\shortcodes.php:6
[showcaseidx_hotsheet] 3\shortcodes.php:7
[showcaseidx_search] 3\shortcodes.php:10
[showcaseidx_map] 3\shortcodes.php:18
[showcaseidx_nav] 3\shortcodes.php:22
[showcaseidx_search_results_count] 3\shortcodes.php:24

WordPress Hooks 56

action admin_menu 2\admin.php:7
action admin_init 2\admin.php:8
action current_screen 2\admin.php:60
filter widget_text 2\config.php:31
action init 2\config.php:54
action template_redirect 2\config.php:55
action admin_menu 2\config.php:58
action admin_init 2\config.php:59
action plugins_loaded 2\showcaseidx.php:11
action plugins_loaded 2\showcaseidx.php:12
action showcaseidx_cachebust 2\showcaseidx.php:18
action wp_enqueue_scripts 2\showcaseidx.php:40
filter wpseo_canonical 2\showcaseidx.php:214
filter wp_title 2\showcaseidx.php:215
filter wpseo_title 2\showcaseidx.php:216
action wp_head 2\showcaseidx.php:217
filter wpseo_metadesc 2\showcaseidx.php:218
filter wpseo_metakey 2\showcaseidx.php:219
filter wpseo_prev_rel_link 2\showcaseidx.php:220
filter wpseo_next_rel_link 2\showcaseidx.php:221
action init 2\showcaseidx.php:276
action admin_enqueue_scripts 3\admin.php:6
action admin_bar_menu 3\admin.php:82
action wp_dashboard_setup 3\admin.php:152
action admin_init 3\admin.php:155
action current_screen 3\admin.php:165
action admin_menu 3\admin.php:174
action admin_notices 3\admin.php:190
action plugins_loaded 3\install.php:3
action showcaseidx_activation 3\install.php:17
action admin_notices 3\install.php:118
action wp 3\page.php:113
filter posts_pre_query 3\page.php:153
filter template_include 3\page.php:156
action wp 3\page.php:176
action wp_enqueue_scripts 3\resources.php:6
filter do_parse_request 3\routes.php:3
filter wpseo_canonical 3\seo.php:11
filter wp_title 3\seo.php:40
filter pre_get_document_title 3\seo.php:42
action wp_head 3\seo.php:45
filter jetpack_disable_seo_tools 3\seo.php:50
filter wpseo_title 3\seo.php:54
filter wpseo_metakey 3\seo.php:56
filter wpseo_prev_rel_link 3\seo.php:57
filter wpseo_next_rel_link 3\seo.php:58
filter wpseo_opengraph_site_name 3\seo.php:60
filter wpseo_twitter_metatag_key 3\seo.php:62
filter wpseo_twitter_card_type 3\seo.php:63
action wp_footer 3\shortcodes.php:39
filter get_post_metadata 3\workarounds.php:5
filter the_content 3\workarounds.php:16
filter the_permalink 3\workarounds.php:20
filter pre_get_shortlink 3\workarounds.php:21
filter get_edit_post_link 3\workarounds.php:24
filter advanced_post_cache_skip_for_post_type 3\workarounds.php:36

Scheduled Events 2

showcaseidx_cachebust
showcaseidx_activation
Maintenance & Trust

Showcase IDX Real Estate Search & Lead Capture Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Feb 2, 2026
PHP min version: 5.3.0
Downloads: 92K

Community Trust

Rating: 76/100
Number of ratings: 35
Active installs: 2K
Developer Profile

Showcase IDX Real Estate Search & Lead Capture Developer Profile

showcaseidx

1 plugin · 2K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Showcase IDX Real Estate Search & Lead Capture

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/showcase-idx/css/screen.css
/wp-content/plugins/showcase-idx/js/mydx2.js

Script Paths
/wp-content/plugins/showcase-idx/js/mydx2.js

Version Parameters
showcase-idx/css/screen.css?ver=
showcase-idx/js/mydx2.js?ver=

HTML / DOM Fingerprints

CSS Classes
showcase-idx-widget

HTML Comments
<!-- Plugin by Showcase IDX -->
<!-- Showcase IDX Generated Content -->
<!-- Begin Showcase IDX Plugin -->
<!-- End Showcase IDX Plugin -->
+2 more

Data Attributes
data-showcase-idx-key
data-showcase-idx-source
data-showcase-idx-listing-id
data-showcase-idx-app-url
data-showcase-idx-seo-title
data-showcase-idx-api-key
+1 more

JS Globals
window.showcaseIdxSettings
var showcaseIdxAPIKey
var showcaseIdxBaseURL
var showcaseIdxProperties

REST Endpoints
/wp-json/showcase-idx/v1/settings
/wp-json/showcase-idx/v1/properties

Shortcode Output
<div class="showcase-idx-search-widget">
<div class="showcase-idx-map-widget">
<div class="showcase-idx-listing-widget">
<div id="showcase-idx-app">

FAQ

Frequently Asked Questions about Showcase IDX Real Estate Search & Lead Capture