WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found a value read from a request superglobal (such as $_GET, $_POST or $_REQUEST) without first confirming the key exists (isset() or empty()), and without any check that the value is allowed for the operation: no type check, range check, allowlist of accepted values, or capability check on the caller.
Why It Matters
Sanitization only normalises a value (strips tags, casts to an integer); validation proves the value is one the operation accepts. A sanitized but unvalidated value can still select an object the caller may not touch, put a record into a state the code never expects, or steer a query down an unsafe branch.
How to Fix
- Confirm the key is present with isset() or empty() before reading it, then check that IDs are positive integers (absint() and greater than zero), enum-like values are in an allowlist compared strictly (in_array() with the third argument true), and URLs or file paths are constrained to the expected host or directory.
- Pair state-changing requests with a nonce check (check_admin_referer() or wp_verify_nonce()) and a capability check (current_user_can()) on the specific object being changed where one exists.
- Reject the request (wp_die() or a WP_Error) or fall back to a known safe default when a value does not pass validation; never coerce an invalid value into an operation it was not submitted for.
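The handler below is an added example written for this page; it is not code from any plugin listed here. It shows a hypothetical admin-post action that changes a post's status, first in the form the sniff flags (every field sanitized, nothing validated) and then with the existence, nonce, per-object capability, allowlist and safe-failure checks from the list above. The function names, hook name, nonce action, field names and text domain are all assumptions made for illustration.

```php
<?php
/**
 * Added example (not code from any plugin listed on this page).
 * Hypothetical admin-post handler that changes a post's status.
 * Every function, hook, nonce action, field name and text domain below is an
 * assumption made for illustration.
 */

// BEFORE: sanitized but not validated. Each field is cleaned, yet nothing
// proves the key exists, that the ID names a post the caller may edit, or
// that the status is one this form is meant to set. This is the pattern
// WordPress.Security.ValidatedSanitizedInput.InputNotValidated reports.
function myplugin_set_status_unvalidated() {
    $post_id = absint( $_POST['post_id'] );      // absent key -> 0, silently "valid"
    $status  = sanitize_key( $_POST['status'] ); // "trash", "publish", anything at all
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// AFTER: existence check, nonce, per-object capability, allowlist, safe failure.
function myplugin_set_status_validated() {
    // 1. State-changing request: prove the form was issued by us for this user.
    check_admin_referer( 'myplugin_set_status' );

    // 2. Existence check. A missing field is a malformed request, not a default.
    if ( ! isset( $_POST['post_id'], $_POST['status'] ) ) {
        wp_die( esc_html__( 'Missing parameters.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    // 3. Type and range check: IDs must be positive integers naming a real post.
    $post_id = absint( wp_unslash( $_POST['post_id'] ) );
    if ( $post_id < 1 || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    // 4. Capability check on this specific object, not just "can this role edit posts".
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You may not edit this post.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 5. Allowlist for the enum-like value, compared strictly. Anything outside
    //    the set the form can submit is rejected, never coerced.
    $allowed = array( 'draft', 'pending' ); // the only transitions this form offers
    $status  = sanitize_key( wp_unslash( $_POST['status'] ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_die( esc_html__( 'Invalid status.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    // Validation passed: the update can only ever be one of the two allowed transitions
    // on a post the caller is permitted to edit.
    $result = wp_update_post(
        array( 'ID' => $post_id, 'post_status' => $status ),
        true // return WP_Error instead of 0 on failure
    );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 500 ) );
    }

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_set_status', 'myplugin_set_status_validated' );
```

Running phpcs with the WordPress standard (`phpcs --standard=WordPress`) over this file reports InputNotValidated only for the first function: the isset() guard in the second satisfies the sniff, and the checks that follow it are what actually make the value safe to act on.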
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #1051 | Theme My Login | 32 | 251 | 549 | 60k+ | Non Prefixed Function Found | |
| #1052 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude | |
| #1053 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output Not Escaped | |
| #1054 | Secure Client Portal and Private File Sharing Plugin – User Private Files | 32 | 183 | 510 | 1k+ | Non Prefixed Variable Found | |
| #1055 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Echo Found | |
| #1056 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | 32 | 5 | 933 | 40k+ | Non Prefixed Variable Found | |
| #1057 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output Not Escaped | |
| #1058 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic Hookname Found | |
| #1059 | wp-jalali | 32 | 219 | 66 | 10k+ | Text Domain Mismatch | |
| #1060 | SEOPress – AI SEO Plugin & On-site SEO | 32 | 138 | 429 | 300k+ | Non Prefixed Variable Found | |
| #1061 | WP-Stats | 32 | 237 | 126 | 2k+ | Output Not Escaped | |
| #1062 | Privacy Policy Generator – WPLP Legal Pages | 32 | 26 | 396 | 10k+ | Non Prefixed Variable Found | |
| #1063 | Extra Product Options Builder for WooCommerce | 33 | 101 | 155 | 2k+ | Non Prefixed Hookname Found | |
| #1064 | Advanced Forms for ACF | 33 | 169 | 278 | 3k+ | Non Prefixed Hookname Found | |
| #1065 | Arconix Shortcodes | 33 | 129 | 107 | 4k+ | Output Not Escaped | |
| #1066 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | Output Not Escaped | |
| #1067 | AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | 33 | 33 | 229 | 9k+ | Non Prefixed Variable Found | |
| #1068 | Ultimate Before After Image Slider & Gallery – BEAF | 33 | 484 | 87 | 30k+ | Text Domain Mismatch | |
| #1069 | Five Star Business Profile and Schema | 33 | 289 | 138 | 7k+ | Output Not Escaped | |
| #1070 | Nexi XPay | 33 | 496 | 277 | 6k+ | Text Domain Mismatch | |
| #1071 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | Non Prefixed Variable Found | |
| #1072 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 33 | 57 | 204 | 1k+ | Non Prefixed Variable Found | |
| #1073 | Civic Cookie Control | 33 | 1,881 | 219 | 2k+ | Text Domain Mismatch | |
| #1074 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output Not Escaped | |
| #1075 | Companion Auto Update | 33 | 159 | 298 | 50k+ | Direct Query | |
| #1076 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | Missing Translators Comment | |
| #1077 | Contact Form Plugin | 33 | 47 | 220 | 2k+ | Non Prefixed Function Found | |
| #1078 | Cooked – Recipe Management | 33 | 412 | 271 | 3k+ | Output Not Escaped | |
| #1079 | Login & Register Customizer – Popup \| Slider \| Inline \| WooCommerce | 33 | 265 | 230 | 40k+ | Output Not Escaped | |
| #1080 | Easy Timer | 33 | 78 | 450 | 1k+ | Non Prefixed Variable Found | |
| #1081 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input Not Validated | |
| #1082 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 33 | 101 | 289 | 30k+ | Non Prefixed Variable Found | |
| #1083 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | Text Domain Mismatch | |
| #1084 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe Printing Function | |
| #1085 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date | |
| #1086 | IP2Location Redirection | 33 | 194 | 115 | 8k+ | Output Not Escaped | |
| #1087 | ITRO Popup Plugin | 33 | 591 | 135 | 6k+ | Output Not Escaped | |
| #1088 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output Not Escaped | |
| #1089 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | 33 | 274 | 106 | 3k+ | Text Domain Mismatch | |
| #1090 | LWSCache | 33 | 47 | 104 | 6k+ | Non Prefixed Variable Found | |
| #1091 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 71 | 133 | 2k+ | missing direct file access protection | |
| #1092 | MailUp for WordPress – Email and Newsletter Subscription Form | 33 | 251 | 100 | 2k+ | Text Domain Mismatch | |
| #1093 | MAS Companies For WP Job Manager | 33 | 62 | 308 | 1k+ | Non Prefixed Hookname Found | |
| #1094 | Members – Membership & User Role Editor Plugin | 33 | 234 | 244 | 300k+ | Output Not Escaped | |
| #1095 | Merge + Minify + Refresh | 33 | 78 | 26 | 4k+ | date date | |
| #1096 | News Announcement Scroll | 33 | 237 | 259 | 2k+ | Non Prefixed Variable Found | |
| #1097 | Payflex Payment Gateway | 33 | 181 | 61 | 1k+ | Text Domain Mismatch | |
| #1098 | PeproDev WooCommerce Receipt Uploader | 33 | 325 | 49 | 1k+ | Non Singular String Literal Domain | |
| #1099 | PhonePe Payment Solutions | 33 | 76 | 105 | 10k+ | missing direct file access protection | |
| #1100 | Pixelgrade Assistant | 33 | 665 | 141 | 2k+ | Text Domain Mismatch | |