WP-Safety

WP Immo Manager Security & Risk Analysis

wordpress.org/plugins/wp-immo-manager

WP Immo Manager integriert Immobilien aus ihrer Makler-Software in Wordpress. OpenImmo Import ihrer Immobilien aus einer Immo-Verwaltungssoftware.

100 active installs v2.3.4 PHP + WP 5.0+ Updated Jul 4, 2024
immobilienimmobilien-verwaltungimmobilienimportopenimmo-importopenimmo-xml
92
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WP Immo Manager Safe to Use in 2026?

Generally Safe

Score 92/100

WP Immo Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The wp-immo-manager plugin version 2.3.4 exhibits a mixed security posture. While it demonstrates strengths in its handling of SQL queries with a 100% prepared statement usage and a lack of recorded vulnerability history, several areas raise concerns. The presence of 50 dangerous function calls, specifically 'unserialize', without clear context on their sanitization, represents a significant potential risk. Furthermore, the static analysis reveals two AJAX handlers that lack authentication checks, creating a direct attack vector for unauthenticated users.

The low percentage of properly escaped output (17%) is another critical weakness, suggesting a high probability of cross-site scripting (XSS) vulnerabilities. The taint analysis showing zero flows is a positive indicator, but it doesn't negate the risks identified by the static analysis. The plugin's history of zero CVEs is encouraging and might indicate diligent development or recent discovery, but it should not be relied upon as a sole security guarantee.

In conclusion, while the plugin benefits from secure SQL practices and a clean vulnerability track record, the unauthenticated AJAX endpoints and widespread potential for XSS due to poor output escaping are serious concerns that require immediate attention. The usage of unserialize also presents a potential avenue for attack if not handled with extreme care.

Key Concerns

  • Unauthenticated AJAX handlers
  • High percentage of unescaped output
  • Presence of dangerous function: unserialize
  • Bundled outdated jQuery library
Vulnerabilities
None known

WP Immo Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Immo Manager Code Analysis

Dangerous Functions
50
Raw SQL Queries
0
6 prepared
Unescaped Output
938
191 escaped
Nonce Checks
1
Capability Checks
3
File Operations
19
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

unserialize$objektkategorie_array = unserialize( $meta[ 'objektkategorie' ][ 0 ] );single-wpi_immobilie.php:29
unserialize$geodaten = unserialize( $meta[ 'geodaten' ][ 0 ] );single-wpi_immobilie.php:30
unserialize$kontaktperson = unserialize( $meta[ 'kontaktperson' ][ 0 ] );single-wpi_immobilie.php:31
unserialize$preise = unserialize( $meta[ 'preise' ][ 0 ] );single-wpi_immobilie.php:32
unserialize$flaechen = unserialize( $meta[ 'flaechen' ][ 0 ] );single-wpi_immobilie.php:33
unserialize$ausstattung = unserialize( $meta[ 'ausstattung' ][ 0 ] );single-wpi_immobilie.php:34
unserialize$zustand_angaben = unserialize( $meta[ 'zustand_angaben' ][ 0 ] );single-wpi_immobilie.php:35
unserialize$anhaenge = unserialize( $meta[ 'anhaenge' ][ 0 ] );single-wpi_immobilie.php:36
unserialize$freitexte = unserialize( $meta[ 'freitexte' ][ 0 ] );single-wpi_immobilie.php:37
unserialize$verwaltung_objekt = unserialize( $meta[ 'verwaltung_objekt' ][ 0 ] );single-wpi_immobilie.php:38
unserialize$verwaltung_techn = unserialize( $meta[ 'verwaltung_techn' ][ 0 ] );single-wpi_immobilie.php:39
unserializeif ( @unserialize( $value[ 0 ] ) ):wpi_classes\ImmoMetaClass.php:49
unserialize$newMata[ $item ] = unserialize( $value[ 0 ] );wpi_classes\ImmoMetaClass.php:50
unserialize$bilder = unserialize( $meta[ 'anhaenge' ][ 0 ] );wpi_classes\ListViewClass.php:366
unserialize$this->objektkategorie_array = unserialize( $this->meta['objektkategorie'][0] );wpi_classes\SingleViewClass.php:68
unserialize$this->geodaten = unserialize( $this->meta['geodaten'][0] );wpi_classes\SingleViewClass.php:69
unserialize$this->kontaktperson = unserialize( $this->meta['kontaktperson'][0] );wpi_classes\SingleViewClass.php:70
unserialize$this->preise = unserialize( $this->meta['preise'][0] );wpi_classes\SingleViewClass.php:71
unserialize$this->flaechen = unserialize( $this->meta['flaechen'][0] );wpi_classes\SingleViewClass.php:72
unserialize$this->ausstattung = unserialize( $this->meta['ausstattung'][0] );wpi_classes\SingleViewClass.php:73
unserialize$this->zustand_angaben = unserialize( $this->meta['zustand_angaben'][0] );wpi_classes\SingleViewClass.php:74
unserialize$this->anhaenge = unserialize( $this->meta['anhaenge'][0] );wpi_classes\SingleViewClass.php:75
unserialize$this->freitexte = unserialize( $this->meta['freitexte'][0] );wpi_classes\SingleViewClass.php:76
unserialize$this->verwaltung_objekt = unserialize( $this->meta['verwaltung_objekt'][0] );wpi_classes\SingleViewClass.php:77
unserialize$this->verwaltung_techn = unserialize( $this->meta['verwaltung_techn'][0] );wpi_classes\SingleViewClass.php:78
unserialize$kontaktperson = unserialize( $kontaktstr );wpi_view_objects.php:1083
unserialize$kontaktperson = unserialize( $kontaktperson );wpi_view_objects.php:1085
unserialize$anhaenge = unserialize( $meta[ 'anhaenge' ][ 0 ] );wpi_view_objects.php:1360
unserialize$objektkategorie_array = unserialize( $meta[ 'objektkategorie' ][ 0 ] );wpi_view_objects.php:1452
unserialize$geodaten = unserialize( $meta[ 'geodaten' ][ 0 ] );wpi_view_objects.php:1453
unserialize$kontaktperson = unserialize( $meta[ 'kontaktperson' ][ 0 ] );wpi_view_objects.php:1454
unserialize$preise = unserialize( $meta[ 'preise' ][ 0 ] );wpi_view_objects.php:1455
unserialize$flaechen = unserialize( $meta[ 'flaechen' ][ 0 ] );wpi_view_objects.php:1456
unserialize$ausstattung = unserialize( $meta[ 'ausstattung' ][ 0 ] );wpi_view_objects.php:1457
unserialize$zustand_angaben = unserialize( $meta[ 'zustand_angaben' ][ 0 ] );wpi_view_objects.php:1458
unserialize$anhaenge = unserialize( $meta[ 'anhaenge' ][ 0 ] );wpi_view_objects.php:1459
unserialize$freitexte = unserialize( $meta[ 'freitexte' ][ 0 ] );wpi_view_objects.php:1460
unserialize$verwaltung_objekt = unserialize( $meta[ 'verwaltung_objekt' ][ 0 ] );wpi_view_objects.php:1461
unserialize$verwaltung_techn = unserialize( $meta[ 'verwaltung_techn' ][ 0 ] );wpi_view_objects.php:1462
unserialize$objektkategorie_array = unserialize( $meta[ 'objektkategorie' ][ 0 ] );wpi_view_objects.php:1610
unserialize$geodaten = unserialize( $meta[ 'geodaten' ][ 0 ] );wpi_view_objects.php:1611
unserialize$kontaktperson = unserialize( $meta[ 'kontaktperson' ][ 0 ] );wpi_view_objects.php:1612
unserialize$preise = unserialize( $meta[ 'preise' ][ 0 ] );wpi_view_objects.php:1613
unserialize$flaechen = unserialize( $meta[ 'flaechen' ][ 0 ] );wpi_view_objects.php:1614
unserialize$ausstattung = unserialize( $meta[ 'ausstattung' ][ 0 ] );wpi_view_objects.php:1615
unserialize$zustand_angaben = unserialize( $meta[ 'zustand_angaben' ][ 0 ] );wpi_view_objects.php:1616
unserialize$anhaenge = unserialize( $meta[ 'anhaenge' ][ 0 ] );wpi_view_objects.php:1617
unserialize$freitexte = unserialize( $meta[ 'freitexte' ][ 0 ] );wpi_view_objects.php:1618
unserialize$verwaltung_objekt = unserialize( $meta[ 'verwaltung_objekt' ][ 0 ] );wpi_view_objects.php:1619
unserialize$verwaltung_techn = unserialize( $meta[ 'verwaltung_techn' ][ 0 ] );wpi_view_objects.php:1620

Bundled Libraries

jQuery3.5.1

SQL Query Safety

100% prepared6 total queries

Output Escaping

17% escaped1129 total outputs
Attack Surface
2 unprotected

WP Immo Manager Attack Surface

Entry Points6
Unprotected2

AJAX Handlers 2

authwp_ajax_wpi_valid_statuswpi_admin.php:185
noprivwp_ajax_wpi_valid_statuswpi_admin.php:186

Shortcodes 4

[umkreissuche] wpi_shortcodes.php:9
[search_filter_form] wpi_shortcodes.php:10
[one_immo_list] wpi_shortcodes.php:11
[immobilien] wpi_shortcodes.php:20
WordPress Hooks 38
actionadmin_menuwpi_admin.php:16
actionadmin_initwpi_admin.php:32
filtermanage_wpi_immobilie_posts_columnswpi_admin.php:52
actionmanage_wpi_immobilie_posts_custom_columnwpi_admin.php:53
actionwp_dashboard_setupwpi_admin.php:83
actionwp_enqueue_scriptswpi_admin.php:95
actionwp_enqueue_scriptswpi_admin.php:124
actionadmin_initwpi_admin.php:133
filterdashboard_glance_itemswpi_admin.php:137
filterexcerpt_morewpi_admin.php:167
actionadmin_noticeswpi_admin.php:221
actionwp_enqueue_scriptswpi_classes\components\FancyboxClass.php:18
actionwp_enqueue_scriptswpi_classes\components\FlexSliderClass.php:46
actionwp_enqueue_scriptswpi_classes\ShortcodesClass.php:102
actionwp_enqueue_scriptswpi_classes\ShortcodesClass.php:340
actionload-post.phpwpi_metaboxes.php:47
actionload-post-new.phpwpi_metaboxes.php:48
actionadd_meta_boxeswpi_metaboxes.php:54
actionsave_postwpi_metaboxes.php:55
actioninitwpi_post_type.php:148
actioninitwpi_post_type.php:149
actioninitwpi_post_type.php:150
actioninitwpi_post_type.php:151
filtercron_scheduleswpi_shedules.php:15
actionwpi_time_eventwpi_shedules.php:16
actionwpwpi_shedules.php:38
actionwpi_check_statuswpi_shedules.php:61
actionwp_footerwpi_shedules.php:64
actionwidgets_initwpi_shortcodes.php:13
actionwidgets_initwpi_shortcodes.php:22
actionwp_enqueue_scriptswpi_shortcodes.php:76
filterthe_contentwp_immo_manager.php:132
filterwidget_textwp_immo_manager.php:134
actionwp_enqueue_scriptswp_immo_manager.php:167
actionwp_enqueue_scriptswp_immo_manager.php:182
actionwp_enqueue_scriptswp_immo_manager.php:207
filterarchive_templatewp_immo_manager.php:217
filtersingle_templatewp_immo_manager.php:218

Scheduled Events 2

wpi_time_event
wpi_check_status
Maintenance & Trust

WP Immo Manager Maintenance & Trust

Maintenance Signals

WordPress version tested6.5.8
Last updatedJul 4, 2024
PHP min version
Downloads10K

Community Trust

Rating100/100
Number of ratings8
Active installs100
Alternatives

WP Immo Manager Alternatives

Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung

Free Property Valuation (Lead Generator) / Kostenlose Immobilienbewertung

kostenlose-immobilienbewertung-lead-generator

A
92

Generate leads with free real estate valuations - for realtors and advertising agencies

700 No CVEs
immonex Kickstart

immonex Kickstart

immonex-kickstart

A
98

Essential components and add-on framework for embedding and searching/filtering imported OpenImmo-XML-based real estate offers

200 1 CVE
immonex Kickstart Team

immonex Kickstart Team

immonex-kickstart-team

A
98

immonex Kickstart add-on for handling, linking and embedding OpenImmo-XML-based real estate agent/agency information and contact forms

200 1 CVE
Immocaster WordPress Plugin

Immocaster WordPress Plugin

immocaster

C
61

Das Wordpress Plugin von Immocaster ermöglicht die Anzeige von Immobilien von ImmobilienScout24 im eingehen Blog.

10 1 unpatched
Grundly – Immobilienbewertung und Wertermittlung für Makler

Grundly – Immobilienbewertung und Wertermittlung für Makler

grundly-immobilienbewertung-wertermittlung-fuer-makler

A
100

Property valuation lead generator for real estate agents. Add the Grundly widget with shortcode and collect homeowner leads in minutes.

0 No CVEs
Developer Profile

WP Immo Manager Developer Profile

Media-Store.net

2 plugins · 110 total installs

86
trust score
Avg Security Score
89/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP Immo Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-immo-manager/scss/main.css/wp-content/plugins/wp-immo-manager/bootstrap-3.3.0/dist/css/bootstrap.css/wp-content/plugins/wp-immo-manager/bootstrap-3.3.0/dist/js/bootstrap.js/wp-content/plugins/wp-immo-manager/js/main.js
Script Paths
https://use.fontawesome.com/a043743ff2.js

HTML / DOM Fingerprints

CSS Classes
wpi_immobilie-countread-more-link
HTML Comments
<!-- Options registrieren --><!-- Validation Function --><!-- Admin-Notice to v3 Version -->
Data Attributes
data-wp-bind
JS Globals
WPI_PLUGIN_URL
Shortcode Output
[immobilien id=
FAQ

Frequently Asked Questions about WP Immo Manager