WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1101 | Simple Ajax Chat – Add a Fast, Secure Chat Box | 32 | 108 | 266 | 2k+ | Output is not escaped | |
| #1102 | Page Builder by SiteOrigin | 32 | 224 | 212 | 500k+ | Output is not escaped | |
| #1103 | Split Test For Elementor | 32 | 98 | 132 | 3k+ | Non-prefixed global variable | |
| #1104 | Stock Sync for WooCommerce | 32 | 362 | 232 | 1k+ | Text Domain Mismatch | |
| #1105 | Subscribe2 – Form, Email Subscribers & Newsletters | 32 | 32 | 410 | 10k+ | Direct Query | |
| #1106 | Theme My Login | 32 | 251 | 549 | 60k+ | Non-prefixed function | |
| #1107 | Ultimate Store Kit – Addon For WooCommerce, EDD and Elementor | 32 | 57 | 293 | 4k+ | Post Not In exclude | |
| #1108 | Unbounce Landing Pages | 32 | 169 | 86 | 10k+ | Output is not escaped | |
| #1109 | Secure Client Portal and Private File Sharing Plugin – User Private Files | 32 | 183 | 510 | 1k+ | Non-prefixed global variable | |
| #1110 | WebwinkelKeur: Webshop keurmerk & reviews for WordPress | 32 | 200 | 47 | 4k+ | Short PHP open tag found | |
| #1111 | BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net | 32 | 5 | 933 | 40k+ | Non-prefixed global variable | |
| #1112 | WP 2-step verification | 32 | 154 | 65 | 1k+ | Output is not escaped | |
| #1113 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name | |
| #1114 | wp-jalali | 32 | 219 | 66 | 10k+ | Text Domain Mismatch | |
| #1115 | SEOPress – AI SEO Plugin & On-site SEO | 32 | 138 | 429 | 300k+ | Non-prefixed global variable | |
| #1116 | WP-Stats | 32 | 237 | 126 | 2k+ | Output is not escaped | |
| #1117 | Privacy Policy Generator – WPLP Legal Pages | 32 | 26 | 409 | 10k+ | Non-prefixed global variable | |
| #1118 | Dynamic XML Sitemaps Generator for Google | 32 | 74 | 411 | 20k+ | Non-prefixed global variable | |
| #1119 | Extra Product Options Builder for WooCommerce | 33 | 101 | 155 | 2k+ | Non-prefixed hook name | |
| #1120 | Advanced Forms for ACF | 33 | 169 | 278 | 3k+ | Non-prefixed hook name | |
| #1121 | Arconix Shortcodes | 33 | 129 | 107 | 4k+ | Output is not escaped | |
| #1122 | Premium Portfolio Features for Phlox theme | 33 | 204 | 137 | 40k+ | Output is not escaped | |
| #1123 | AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth | 33 | 33 | 229 | 9k+ | Non-prefixed global variable | |
| #1124 | Ultimate Before After Image Slider & Gallery – BEAF | 33 | 488 | 87 | 30k+ | Text Domain Mismatch | |
| #1125 | Five Star Business Profile and Schema | 33 | 289 | 138 | 7k+ | Output is not escaped | |
| #1126 | Nexi XPay | 33 | 496 | 277 | 6k+ | Text Domain Mismatch | |
| #1127 | CartPops – High Converting Add To Cart Popup For WooCommerce | 33 | 63 | 188 | 4k+ | Non-prefixed global variable | |
| #1128 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | Non-prefixed global variable | |
| #1129 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 33 | 57 | 204 | 1k+ | Non-prefixed global variable | |
| #1130 | Civic Cookie Control | 33 | 1,881 | 219 | 2k+ | Text Domain Mismatch | |
| #1131 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output is not escaped | |
| #1132 | Companion Auto Update | 33 | 159 | 298 | 50k+ | Direct Query | |
| #1133 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | Missing Translators Comment | |
| #1134 | Contact Form Plugin | 33 | 47 | 220 | 2k+ | Non-prefixed function | |
| #1135 | Login & Register Customizer – Popup | Slider | Inline | WooCommerce | 33 | 265 | 230 | 40k+ | Output is not escaped | |
| #1136 | Easy Timer | 33 | 78 | 450 | 1k+ | Non-prefixed global variable | |
| #1137 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped | |
| #1138 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed | |
| #1139 | WP GIF Uploader | 33 | 117 | 44 | 1k+ | Text Domain Mismatch | |
| #1140 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input is not validated | |
| #1141 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | Text Domain Mismatch | |
| #1142 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function | |
| #1143 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date | |
| #1144 | IP2Location Redirection | 33 | 194 | 115 | 8k+ | Output is not escaped | |
| #1145 | ITRO Popup Plugin | 33 | 591 | 135 | 6k+ | Output is not escaped | |
| #1146 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output is not escaped | |
| #1147 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | 33 | 274 | 106 | 3k+ | Text Domain Mismatch | |
| #1148 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable | |
| #1149 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 71 | 133 | 2k+ | Missing direct file access protection | |
| #1150 | MailUp for WordPress – Email and Newsletter Subscription Form | 33 | 251 | 100 | 2k+ | Text Domain Mismatch |
