WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without a validation step such as a capability check, an allowlist, a type check, or a range check.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject values that fail validation, or fall back to a safe default.
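A hardened admin-post handler that applies all three fixes, as an added example that is not code from this page or from any plugin listed below; the hook name, action name, text domain, and the set of allowed statuses are assumptions:

```php
<?php
// Added example (not from the page or any listed plugin). Hook name, action
// name, text domain and allowed statuses are hypothetical.
add_action( 'admin_post_demo_set_post_status', 'demo_set_post_status' );

function demo_set_post_status() {
    // 1. State-changing request: nonce and capability check before anything else.
    check_admin_referer( 'demo_set_post_status' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'demo' ), 403 );
    }

    // 2. ID: check the key exists, cast to int, require a positive value that
    //    refers to a real post. absint() alone would turn "abc" into 0.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( $post_id < 1 || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'demo' ), 400 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You may not edit this post.', 'demo' ), 403 );
    }

    // 3. Enum-like value: sanitize, then accept only allowlist members.
    //    sanitize_key() alone would still let "publish" or "trash" through.
    $allowed_statuses = array( 'draft', 'pending' );
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        $status = 'draft'; // safe default instead of an arbitrary post status
    }

    // 4. URL: sanitize, then constrain the host instead of trusting any URL.
    $redirect   = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    $admin_host = wp_parse_url( admin_url(), PHP_URL_HOST );
    if ( '' === $redirect || wp_parse_url( $redirect, PHP_URL_HOST ) !== $admin_host ) {
        $redirect = admin_url( 'edit.php' ); // reject off-site targets
    }

    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_safe_redirect( $redirect );
    exit;
}
```

The `isset()` guards are what silence the scanner; the capability, existence, allowlist, and host checks are what actually make each value acceptable for the operation.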
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1001 | Editorial Calendar | 35 | 127 | 160 | 20k+ | | Output Not Escaped |
| #1002 | WP Rocket \| Simple LoadCSS Preloader | 35 | 7 | 16 | 4k+ | | Non Prefixed Variable Found |
| #1003 | AI Popup Builder & Popup Maker by OptiMonk | 35 | 81 | 65 | 4k+ | | Text Domain Mismatch |
| #1004 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | | Unsafe Printing Function |
| #1005 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | | Output Not Escaped |
| #1006 | Instant Indexing for Google | 35 | 13 | 62 | 200k+ | | Non Prefixed Variable Found |
| #1007 | Flat Preloader | 35 | 40 | 15 | 3k+ | | Output Not Escaped |
| #1008 | Flying Analytics: Self-Host Google Analytics v4 with Speed Optimization | 35 | 17 | 13 | 5k+ | | missing direct file access protection |
| #1009 | Events Calendar by FooEvents | 35 | 56 | 59 | 4k+ | | Non Prefixed Variable Found |
| #1010 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | | Output Not Escaped |
| #1011 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | | Text Domain Mismatch |
| #1012 | Video Gallery – YouTube Gallery, Vimeo, Video Portfolio, Image Portfolio and Image Gallery | 35 | 50 | 199 | 10k+ | | Non Prefixed Variable Found |
| #1013 | GDPR Compliance & Cookie Consent | 35 | 251 | 61 | 4k+ | | Output Not Escaped |
| #1014 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | | Missing Arg Domain |
| #1015 | Heartbeat Control | 35 | 27 | 18 | 80k+ | | Missing Arg Domain |
| #1016 | HivePress – Business Directory, Listings & Classified Ads Plugin | 35 | 38 | 180 | 10k+ | | Direct Query |
| #1017 | HookMeUp for WooCommerce | 35 | 59 | 29 | 10k+ | | Output Not Escaped |
| #1018 | Image Slider | 35 | 192 | 95 | 4k+ | | Output Not Escaped |
| #1019 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | | Unsafe Printing Function |
| #1020 | User Import with meta – WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | | Interpolated Not Prepared |
| #1021 | InPost PL | 35 | 2 | 925 | 10k+ | | Non Prefixed Variable Found |
| #1022 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | | Output Not Escaped |
| #1023 | Instant CSS | 35 | 25 | 25 | 3k+ | | Output Not Escaped |
| #1024 | Instapage Plugin | 35 | 220 | 45 | 5k+ | | Output Not Escaped |
| #1025 | JetStyleManager for Gutenberg | 35 | 20 | 64 | 20k+ | | Recommended |
| #1026 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | | Output Not Escaped |
| #1027 | JWT Auth – WordPress JSON Web Token Authentication | 35 | 14 | 18 | 6k+ | | Output Not Escaped |
| #1028 | Kirki – Freeform Page Builder, Website Builder & Customizer | 35 | 775 | | 500k+ | | Recommended |
| #1029 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | | Output Not Escaped |
| #1030 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 273 | 127 | 5k+ | | Output Not Escaped |
| #1031 | MainWP Child Reports | 35 | 49 | 116 | 100k+ | | Non Prefixed Hookname Found |
| #1032 | Map Block for Google Maps | 35 | 6 | 5 | 20k+ | | hidden files |
| #1033 | Mechanic Visitor Counter | 35 | 240 | 66 | 8k+ | | Output Not Escaped |
| #1034 | Media Library Downloader | 35 | 21 | 16 | 4k+ | | Output Not Escaped |
| #1035 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | | Unsafe Printing Function |
| #1036 | One Page Express Companion | 35 | 132 | 65 | 10k+ | | Output Not Escaped |
| #1037 | OSM Map Widget for Elementor | 35 | 183 | 14 | 9k+ | | Text Domain Mismatch |
| #1038 | Page Optimize | 35 | 70 | 41 | 200k+ | | Non Singular String Literal Domain |
| #1039 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | | Output Not Escaped |
| #1040 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | | Not Prepared |
| #1041 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 173 | 34 | 20k+ | | Output Not Escaped |
| #1042 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | | Non Prefixed Variable Found |
| #1043 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | | Output Not Escaped |
| #1044 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | | Non Prefixed Variable Found |
| #1045 | Reveal IDs | 35 | 23 | 13 | 40k+ | | Output Not Escaped |
| #1046 | Internal Links Manager | 35 | 188 | 121 | 10k+ | | Output Not Escaped |
| #1047 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 82 | 1m+ | | Missing Unslash |
| #1048 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | | Missing Version |
| #1049 | Shortcake (Shortcode UI) | 35 | 9 | 39 | 10k+ | | Missing Unslash |
| #1050 | Side Cart Woocommerce \| Woocommerce Cart | 35 | 455 | 70 | 80k+ | | Output Not Escaped |