WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
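An added example, not part of the sniff documentation, showing the difference the rule is about: an `admin-post` handler that only sanitizes request data beside the same handler rewritten to validate it (nonce, capability, integer range, allowlist, safe default). The `myplugin_*` function names, the `_myplugin_status` meta key and the status values are hypothetical.

```php
<?php
// Before: the values are sanitized, so the sniff's sanitization check passes,
// but nothing proves they are acceptable. Any caller, any ID, any string
// reaches update_post_meta().
function myplugin_update_status_unvalidated() {
    $post_id = sanitize_text_field( wp_unslash( $_POST['post_id'] ?? '' ) );
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $post_id, '_myplugin_status', $status );
}

// After: origin and permission are checked first, then each value is
// validated for the operation it is used in; bad input is rejected or
// replaced by a safe default instead of being passed through.
function myplugin_update_status() {
    // State-changing request: nonce proves it came from our form.
    check_admin_referer( 'myplugin_update_status' );

    // ID: must be a positive integer that names an existing post.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( $post_id < 1 || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post.', 'myplugin' ), 400 );
    }
    // Capability: checked against the specific object, not just "logged in".
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Not allowed.', 'myplugin' ), 403 );
    }

    // Enum-like value: strict allowlist, with a safe default on failure.
    $allowed = array( 'draft', 'review', 'published' );
    $status  = sanitize_key( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'draft';
    }

    update_post_meta( $post_id, '_myplugin_status', $status );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_update_status', 'myplugin_update_status' );
```

The form that posts to this handler would include `wp_nonce_field( 'myplugin_update_status' )` so that `check_admin_referer()` has something to verify.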
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1151 | Loginfy – Custom Login Page Customizer | 28 | 338 | 398 | 2k+ | | | Output is not escaped |
| #1152 | Media Hygiene: Remove or Delete Unused Images and More! | 28 | 654 | 309 | 5k+ | | | Non Singular String Literal Domain |
| #1153 | درگاه پرداخت بانک ملت ووکامرس | 28 | 61 | 130 | 2k+ | | | Request data is not unslashed |
| #1154 | My auctions allegro | 28 | 483 | 235 | 500 | | | Non Singular String Literal Domain |
| #1155 | My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) | 28 | 161 | 400 | 100k+ | | | Non-prefixed global variable |
| #1156 | Notification – Custom Notifications and Alerts for WordPress | 28 | 186 | 219 | 10k+ | | | Non-prefixed global variable |
| #1157 | Notification for Telegram | 28 | 189 | 93 | 4k+ | | | Output is not escaped |
| #1158 | Store Hours for WooCommerce | 28 | 525 | 60 | 2k+ | | | Output is not escaped |
| #1159 | Order Tracking – WordPress Status Tracking Plugin | 28 | 619 | 772 | 3k+ | | | Unsafe printing function |
| #1160 | PDF for Contact Form 7 + Drag and Drop Template Builder | 28 | 674 | 101 | 500 | | | wp function not compatible with requires wp |
| #1161 | ووکامرس فارسی | 28 | 157 | 215 | 90k+ | | | Output is not escaped |
| #1162 | افزونه حمل و نقل ووکامرس \| پست پیشتاز، تیپاکس و پیک موتوری | 28 | 131 | 190 | 20k+ | | | Missing nonce verification |
| #1163 | PHP Browser Detection | 28 | 68 | 49 | 600 | | | Non-prefixed function |
| #1164 | Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery | 28 | 143 | 258 | 5k+ | | | Post Not In exclude |
| #1165 | Autopay | 28 | 754 | 370 | 3k+ | | | Text Domain Mismatch |
| #1166 | PushAlert – Web Push Notifications for WordPress and WooCommerce | 28 | 196 | 63 | 1k+ | | | curl curl setopt |
| #1167 | Query Wrangler | 28 | 628 | 229 | 700 | | | Output is not escaped |
| #1168 | Rating by BestWebSoft | 28 | 509 | 218 | 500 | | | Text Domain Mismatch |
| #1169 | ReDi Restaurant Reservation – Instant Availability & Confirmation | 28 | 1,013 | 239 | 800 | | | Unsafe printing function |
| #1170 | Responsive Lightbox & Gallery | 28 | 139 | 513 | 100k+ | | | Non-prefixed hook name |
| #1171 | Brilliant Web-to-Lead for Salesforce | 28 | 247 | 244 | 2k+ | | | Text Domain Mismatch |
| #1172 | Secure Downloads | 28 | 616 | 406 | 600 | | | Output is not escaped |
| #1173 | Praison AI SEO | 28 | 643 | 306 | 1k+ | | | Text Domain Mismatch |
| #1174 | Transliterator – Multilingual and Multi-script Text Conversion | 28 | 305 | 320 | 3k+ | | | Output is not escaped |
| #1175 | Slider Pro | 28 | 583 | 527 | 4k+ | | | Unsafe printing function |
| #1176 | Sparkle Demo Importer | 28 | 307 | 166 | 6k+ | | | Text Domain Mismatch |
| #1177 | Tab – Accordion, FAQ | 28 | 104 | 542 | 1k+ | | | Non-prefixed global variable |
| #1178 | Temporary Login Without Password | 28 | 128 | 131 | 100k+ | | | wp function not compatible with requires wp |
| #1179 | Terms descriptions | 28 | 222 | 423 | 1k+ | | | Non-prefixed function |
| #1180 | Themesflat Addons For Elementor | 28 | 714 | 227 | 40k+ | | | Output is not escaped |
| #1181 | Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor | 28 | 291 | 292 | 20k+ | | | Output is not escaped |
| #1182 | Ultimate FAQ Accordion Plugin | 28 | 386 | 227 | 30k+ | | | Unsafe printing function |
| #1183 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | | | Missing nonce verification |
| #1184 | VG WORT METIS | 28 | 150 | 317 | 900 | | | Nonce verification recommended |
| #1185 | WC Fields Factory | 28 | 194 | 369 | 7k+ | | | Nonce verification recommended |
| #1186 | WeeConnectPay – Clover Payment Gateway for WooCommerce | 28 | 179 | 169 | 500 | | | Exception output is not escaped |
| #1187 | PayZen for WooCommerce | 28 | 258 | 214 | 600 | | | Output is not escaped |
| #1188 | Product Gallery Slider, Additional Variation Images for WooCommerce | 28 | 552 | 316 | 20k+ | | | Output is not escaped |
| #1189 | Dynamic Product Gallery for WooCommerce | 28 | 414 | 303 | 1k+ | | | Output is not escaped |
| #1190 | Email Inquiry & Cart Options for WooCommerce | 28 | 194 | 291 | 800 | | | Output is not escaped |
| #1191 | Product Sort and Display for WooCommerce | 28 | 199 | 235 | 2k+ | | | Output is not escaped |
| #1192 | WP GoToWebinar | 28 | 207 | 207 | 700 | | | Non-prefixed function |
| #1193 | WP Mapbox GL JS Maps | 28 | 104 | 119 | 1k+ | | | Output is not escaped |
| #1194 | Connect Matomo – Analytics Dashboard for WordPress | 28 | 100 | 102 | 60k+ | | | Missing Translators Comment |
| #1195 | WP Travel Gutenberg Blocks | 28 | 485 | 157 | 900 | | | Output is not escaped |
| #1196 | WhyDonate – FREE Donate button – Crowdfunding – Fundraising | 28 | 216 | 328 | 800 | | | Non-prefixed global variable |
| #1197 | WP YouTube Lyte | 28 | 204 | 178 | 30k+ | | | Non-prefixed global variable |
| #1198 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 174 | 226 | 5k+ | | | Output is not escaped |
| #1199 | WPO365 \| SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 \| LOGIN) | 28 | 209 | 217 | 10k+ | | | Exception output is not escaped |
| #1200 | WPS Bidouille | 28 | 472 | 215 | 10k+ | | | Output is not escaped |