WPCasa Security & Risk Analysis

wordpress.org/plugins/wpcasa

Flexible WordPress plugin to create professional real estate websites and manage property listings with ease.

1K active installs v1.4.3 PHP 7.2+ WP 6.2+ Updated Nov 14, 2025
listings, property, real-estate, realtor, rental
90
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Oct 16, 2025
Safety Verdict

Is WPCasa Safe to Use in 2026?

Generally Safe

Score 90/100

WPCasa has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Oct 16, 2025 · Updated 4mo ago
Risk Assessment

The plugin 'wpcasa' v1.4.3 presents a mixed security posture. On one hand, it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, along with a decent number of nonce and capability checks. This suggests an awareness of common web security vulnerabilities. However, the presence of 7 flows with unsanitized paths in the taint analysis is a significant concern, even if no critical or high severity vulnerabilities were identified in this specific analysis. The historical vulnerability data, including one past critical CVE and three medium CVEs, points to a history of security weaknesses. The common vulnerability types (Code Injection, XSS, Authorization Bypass) are serious and indicate recurring issues with input validation and access control. While no currently unpatched CVEs are listed, the past severity of vulnerabilities and the taint analysis findings warrant caution.

Key Concerns

  • 7 flows with unsanitized paths
  • Past critical CVE history
  • Past medium CVE history (3)
  • Common vulnerability types (Code Inj, XSS, Auth Bypass)
Vulnerabilities
4

WPCasa Security Vulnerabilities

CVEs by Year

1 CVE in 2024
3 CVEs in 2025

Severity Breakdown

Critical: 1
Medium: 3

4 total CVEs

CVE-2025-62043 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCasa <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 16, 2025 Patched in 1.4.2 (7d)
CVE-2025-9321 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')

WPCasa <= 1.4.1 - Unauthenticated Code Injection

Sep 22, 2025 Patched in 1.4.2 (1d)
CVE-2025-39575 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPCasa <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 Patched in 1.4.0 (7d)
CVE-2024-53826 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

WPCasa <= 1.2.13 - Insecure Direct Object Reference

Dec 2, 2024 Patched in 1.3.0 (11d)
Code Analysis
Analyzed Mar 16, 2026

WPCasa Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (30 prepared)
Unescaped Output: 124 (1017 escaped)
Nonce Checks: 12
Capability Checks: 18
File Operations: 0
External Requests: 6
Bundled Libraries: 0

SQL Query Safety

97% prepared · 31 total queries

Output Escaping

89% escaped · 1141 total outputs
Data Flows
7 unsanitized

Data Flow Analysis

13 flows · 7 with unsanitized paths
approved_notice (includes\admin\class-wpsight-cpt.php:705)
Attack Surface

WPCasa Attack Surface

Entry Points: 6
Unprotected: 0

Shortcodes 6

[wpsight_listings_map] includes\listings-map\includes\class-wpsight-listings-map-shortcode.php:15
[wpsight_listing] includes\shortcodes\class-wpsight-shortcode-listing-single.php:12
[wpsight_listing_teaser] includes\shortcodes\class-wpsight-shortcode-listing-teaser.php:12
[wpsight_listing_teasers] includes\shortcodes\class-wpsight-shortcode-listing-teasers.php:12
[wpsight_listings_search] includes\shortcodes\class-wpsight-shortcode-listings-search.php:12
[wpsight_listings] includes\shortcodes\class-wpsight-shortcode-listings.php:12
WordPress Hooks 108
action admin_init includes\admin\class-wpsight-admin-color-scheme.php:16
action admin_head includes\admin\class-wpsight-admin-color-scheme.php:18
action admin_head includes\admin\class-wpsight-admin-color-scheme.php:19
action admin_init includes\admin\class-wpsight-admin-page-licenses.php:14
action admin_init includes\admin\class-wpsight-admin-page-licenses.php:15
action admin_init includes\admin\class-wpsight-admin-page-licenses.php:16
action admin_init includes\admin\class-wpsight-admin-page-settings.php:23
filter admin_body_class includes\admin\class-wpsight-admin-page-settings.php:24
action admin_post_reset_settings includes\admin\class-wpsight-admin-page-settings.php:26
action admin_post_migrate_data includes\admin\class-wpsight-admin-page-settings.php:27
action admin_post_delete_all_data includes\admin\class-wpsight-admin-page-settings.php:29
action admin_menu includes\admin\class-wpsight-admin.php:45
action admin_enqueue_scripts includes\admin\class-wpsight-admin.php:46
action admin_notices includes\admin\class-wpsight-admin.php:48
action admin_notices includes\admin\class-wpsight-admin.php:49
filter views_upload includes\admin\class-wpsight-admin.php:51
filter views_edit-listing includes\admin\class-wpsight-admin.php:52
filter views_edit-property includes\admin\class-wpsight-admin.php:53
filter manage_users_columns includes\admin\class-wpsight-admin.php:54
action manage_users_custom_column includes\admin\class-wpsight-admin.php:55
filter install_plugins_tabs includes\admin\class-wpsight-admin.php:57
action install_plugins_wpcasa_addons includes\admin\class-wpsight-admin.php:58
action install_themes_wpcasa_themes includes\admin\class-wpsight-admin.php:59
action install_plugins_wpcasa_recommendations includes\admin\class-wpsight-admin.php:60
action personal_options_update includes\admin\class-wpsight-agents.php:15
action edit_user_profile_update includes\admin\class-wpsight-agents.php:16
action pre_get_posts includes\admin\class-wpsight-agents.php:18
filter wp_count_attachments includes\admin\class-wpsight-agents.php:19
filter manage_edit-listing_columns includes\admin\class-wpsight-cpt.php:18
action manage_listing_posts_custom_column includes\admin\class-wpsight-cpt.php:19
filter manage_edit-listing_sortable_columns includes\admin\class-wpsight-cpt.php:20
filter request includes\admin\class-wpsight-cpt.php:21
filter post_updated_messages includes\admin\class-wpsight-cpt.php:25
filter bulk_post_updated_messages includes\admin\class-wpsight-cpt.php:26
action admin_footer-edit.php includes\admin\class-wpsight-cpt.php:30
action load-edit.php includes\admin\class-wpsight-cpt.php:31
action admin_init includes\admin\class-wpsight-cpt.php:35
action admin_init includes\admin\class-wpsight-cpt.php:36
action admin_init includes\admin\class-wpsight-cpt.php:37
action admin_init includes\admin\class-wpsight-cpt.php:38
action admin_notices includes\admin\class-wpsight-cpt.php:42
action admin_notices includes\admin\class-wpsight-cpt.php:43
action admin_notices includes\admin\class-wpsight-cpt.php:44
action admin_notices includes\admin\class-wpsight-cpt.php:45
action restrict_manage_posts includes\admin\class-wpsight-cpt.php:49
filter parse_query includes\admin\class-wpsight-cpt.php:50
action restrict_manage_posts includes\admin\class-wpsight-cpt.php:53
action restrict_manage_posts includes\admin\class-wpsight-cpt.php:56
action parse_request includes\admin\class-wpsight-cpt.php:60
action parse_request includes\admin\class-wpsight-cpt.php:61
action parse_request_listing_id includes\admin\class-wpsight-cpt.php:62
filter admin_head includes\admin\class-wpsight-cpt.php:65
filter get_search_query includes\admin\class-wpsight-cpt.php:1561
action init includes\admin-map-ui\class-wpsight-admin-map-ui.php:33
action wpsight_init includes\admin-map-ui\class-wpsight-admin-map-ui.php:75
filter cmb2_render_map includes\admin-map-ui\includes\admin\class-wpsight-admin-map-ui-admin.php:16
filter cmb2_sanitize_map includes\admin-map-ui\includes\admin\class-wpsight-admin-map-ui-admin.php:17
filter wpsight_meta_box_listing_location_fields includes\admin-map-ui\includes\admin\class-wpsight-admin-map-ui-admin.php:20
filter pre_get_posts includes\class-wpsight-agents.php:14
filter get_avatar includes\class-wpsight-agents.php:15
filter query_vars includes\class-wpsight-api.php:22
action parse_request includes\class-wpsight-api.php:25
filter wpsight_details includes\class-wpsight-general.php:14
filter wpsight_rental_periods includes\class-wpsight-general.php:15
filter init includes\class-wpsight-general.php:16
filter init includes\class-wpsight-general.php:17
action wpsight_update_listing_data includes\class-wpsight-geocode.php:24
action wpsight_listing_location_edited includes\class-wpsight-geocode.php:27
filter get_meta_sql includes\class-wpsight-helpers.php:14
action init includes\class-wpsight-helpers.php:15
action admin_enqueue_scripts includes\class-wpsight-meta-boxes.php:20
action cmb2_admin_init includes\class-wpsight-meta-boxes.php:23
action wp_insert_post includes\class-wpsight-meta-boxes.php:26
action save_post includes\class-wpsight-meta-boxes.php:29
action add_meta_boxes_listing includes\class-wpsight-meta-boxes.php:43
action init includes\class-wpsight-post-types.php:17
action init includes\class-wpsight-post-types.php:20
action loop_start includes\class-wpsight-post-types.php:24
action loop_end includes\class-wpsight-post-types.php:25
action loop_start includes\class-wpsight-post-types.php:29
action loop_end includes\class-wpsight-post-types.php:30
action wp_insert_post includes\class-wpsight-post-types.php:37
action wpsight_delete_listing_previews includes\class-wpsight-post-types.php:40
filter query_vars includes\class-wpsight-post-types.php:49
action template_redirect includes\class-wpsight-post-types.php:50
action wpsight_head_print includes\class-wpsight-post-types.php:52
filter wpsight_head_print includes\class-wpsight-post-types.php:53
filter wp_insert_post_data includes\class-wpsight-post-types.php:57
action pre_get_posts includes\class-wpsight-search.php:15
action init includes\class-wpsight-search.php:16
action init includes\listings-map\class-wpsight-listings-map.php:51
action admin_init includes\listings-map\class-wpsight-listings-map.php:52
action wp_enqueue_scripts includes\listings-map\class-wpsight-listings-map.php:53
action wpsight_listings_panel_actions includes\listings-map\class-wpsight-listings-map.php:56
filter wpsight_get_panel includes\listings-map\class-wpsight-listings-map.php:59
action wpsight_init includes\listings-map\class-wpsight-listings-map.php:247
filter wpsight_options_maps includes\listings-map\includes\admin\class-wpsight-listings-map-admin.php:19
filter wpsight_options includes\listings-map\includes\admin\class-wpsight-listings-map-admin.php:24
filter wpsight_meta_box_listing_location_fields includes\listings-map\includes\admin\class-wpsight-listings-map-admin.php:29
filter widget_text includes\shortcodes\class-wpsight-shortcodes.php:29
action switch_theme wpcasa.php:177
action switch_theme wpcasa.php:178
action wp_enqueue_scripts wpcasa.php:179
action admin_notices wpcasa.php:368
action admin_notices wpcasa.php:422
action admin_init wpcasa.php:445
action in_plugin_update_message-wpcasa/wpcasa.php wpcasa.php:467
action admin_init wpcasa.php:485

Scheduled Events 1

wpsight_delete_listing_previews
Maintenance & Trust

WPCasa Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 14, 2025
PHP min version: 7.2
Downloads: 51K

Community Trust

Rating: 82/100
Number of ratings: 34
Active installs: 1K
Developer Profile

WPCasa Developer Profile

WPSight

10 plugins · 3K total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect WPCasa

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpcasa/assets/js/jquery.tipTip.js
/wp-content/plugins/wpcasa/assets/js/jquery.cookie.js
/wp-content/plugins/wpcasa/assets/css/wpcasa.css
Script Paths
/wp-content/plugins/wpcasa/assets/js/jquery.tipTip.js
/wp-content/plugins/wpcasa/assets/js/jquery.cookie.js
Version Parameters
wpcasa/assets/js/jquery.tipTip.js?ver=
wpcasa/assets/js/jquery.cookie.js?ver=
wpcasa/assets/css/wpcasa.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpsight-property-listing
HTML Comments
<!-- BEGIN Shortcode: wpsight_listings -->
<!-- END Shortcode: wpsight_listings -->
Data Attributes
data-wpsight-map-lat
data-wpsight-map-lng
data-wpsight-map-zoom
JS Globals
WPSightMap
REST Endpoints
/wp-json/wpcasa/v1/listings
Shortcode Output
<div class="wpsight-listings">
FAQ

Frequently Asked Questions about WPCasa