WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
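The three fix steps above, combined into one admin-ajax handler, as an added example (this is illustration code, not code from the original page or from any of the listed plugins). The `exmpl_` prefix, the `exmpl_change_status` nonce action, the `post_id`/`status`/`redirect` parameter names and the status allowlist are assumptions made for the example; the WordPress functions it calls (`check_ajax_referer`, `current_user_can`, `absint`, `wp_unslash`, `sanitize_text_field`, `esc_url_raw`, `wp_http_validate_url`, `wp_update_post`, `wp_send_json_*`) are real core APIs.

```php
<?php
/**
 * Added example (not from the original page): a state-changing admin-ajax
 * handler that validates request data instead of only sanitizing it.
 * The "exmpl_" names, nonce action and allowlist are assumptions.
 */

// Allowlist of values the "status" parameter may take (constructed for the example).
const EXMPL_ALLOWED_STATUSES = array( 'draft', 'pending', 'publish' );

/**
 * Read the request, validate each value, and return the clean set or a
 * WP_Error naming the first check that failed. Sanitization alone would
 * let "published!" or "-5" through; validation rejects them.
 */
function exmpl_validate_request() {
	// 1. Type + range: the ID must be a positive integer, not merely an int.
	$id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
	if ( $id < 1 ) {
		return new WP_Error( 'invalid_id', 'post_id must be a positive integer.' );
	}

	// 2. Allowlist: enum-like values are compared (strictly) against the known set.
	$status = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
	if ( ! in_array( $status, EXMPL_ALLOWED_STATUSES, true ) ) {
		return new WP_Error( 'invalid_status', 'status is not an allowed value.' );
	}

	// 3. Constrained URL: esc_url_raw() cleans the string; wp_http_validate_url()
	//    additionally requires a well-formed http(s) URL and refuses other schemes.
	$redirect = isset( $_POST['redirect'] ) ? esc_url_raw( wp_unslash( $_POST['redirect'] ) ) : '';
	if ( '' !== $redirect && false === wp_http_validate_url( $redirect ) ) {
		return new WP_Error( 'invalid_url', 'redirect must be a valid http(s) URL.' );
	}

	return array(
		'post_id'  => $id,
		'status'   => $status,
		'redirect' => $redirect,
	);
}

/**
 * admin-ajax handler: nonce and capability checks gate the state change,
 * and only the validated values (never the raw superglobal) drive it.
 */
function exmpl_handle_status_change() {
	// Nonce ties the request to a form this user actually loaded; dies on failure.
	check_ajax_referer( 'exmpl_change_status', 'nonce' );

	$clean = exmpl_validate_request();
	if ( is_wp_error( $clean ) ) {
		// Reject rather than guess: an invalid request gets a 400 and no side effect.
		wp_send_json_error( $clean->get_error_message(), 400 );
	}

	// Capability check against the specific object, not a blanket "is admin" test.
	if ( ! current_user_can( 'edit_post', $clean['post_id'] ) ) {
		wp_send_json_error( 'Insufficient permissions.', 403 );
	}

	$result = wp_update_post(
		array(
			'ID'          => $clean['post_id'],
			'post_status' => $clean['status'],
		),
		true // return WP_Error instead of 0 on failure
	);
	if ( is_wp_error( $result ) ) {
		wp_send_json_error( $result->get_error_message(), 500 );
	}

	wp_send_json_success( array( 'redirect' => $clean['redirect'] ) );
}
add_action( 'wp_ajax_exmpl_change_status', 'exmpl_handle_status_change' );
```

The order matters: the nonce check runs first so an unauthenticated or cross-site request never reaches the database, validation runs before the capability check so the object-level `edit_post` test is made against an ID already known to be a positive integer, and the update uses the validated copies rather than re-reading `$_POST`.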
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1201 | WP YouTube Lyte | 28 | 204 | 178 | 30k+ | | | Non-prefixed global variable |
| #1202 | WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce | 28 | 177 | 226 | 5k+ | | | Output is not escaped |
| #1203 | WPO365 \| SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 \| LOGIN) | 28 | 209 | 217 | 10k+ | | | Exception output is not escaped |
| #1204 | WPS Bidouille | 28 | 472 | 215 | 10k+ | | | Output is not escaped |
| #1205 | WP Synchro – The Ultimate WordPress Migration Tool | 28 | 243 | 244 | 2k+ | | | Missing Translators Comment |
| #1206 | WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买 | 28 | 57 | 138 | 500 | | | Request data is not unslashed |
| #1207 | Accordion Slider | 29 | 391 | 447 | 2k+ | | | Unsafe printing function |
| #1208 | Accordion Slider Gallery | 29 | 379 | 142 | 1k+ | | | Text Domain Mismatch |
| #1209 | Advance coupon for WooCommerce | 29 | 472 | 241 | 900 | | | Text Domain Mismatch |
| #1210 | Adminimize | 29 | 296 | 691 | 200k+ | | | Non-prefixed global variable |
| #1211 | AL Pack | 29 | 13 | 816 | 2k+ | | | Non-prefixed global variable |
| #1212 | Alt Text AI – Automatically generate image alt text for SEO and accessibility | 29 | 72 | 280 | 20k+ | | | Non-prefixed global variable |
| #1213 | AppPresser – Mobile App Framework | 29 | 262 | 214 | 1k+ | | | Text Domain Mismatch |
| #1214 | aThemeArt Theme Helper | 29 | 206 | 151 | 2k+ | | | Non-prefixed global variable |
| #1215 | Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version) | 29 | 481 | 313 | 2k+ | | | Text Domain Mismatch |
| #1216 | Better Google Analytics | 29 | 376 | 869 | 2k+ | | | Non-prefixed global variable |
| #1217 | Bitcoin Payments – Blockonomics | 29 | 208 | 227 | 2k+ | | | Output is not escaped |
| #1218 | Plugin BlueX for WooCommerce | 29 | 431 | 216 | 2k+ | | | Text Domain Mismatch |
| #1219 | Branded Social Images – Open Graph Images with logo and extra text layer | 29 | 254 | 92 | 900 | | | Non Singular String Literal Domain |
| #1220 | Businessx Extensions | 29 | 337 | 529 | 1k+ | | | Non-prefixed function |
| #1221 | Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms | 29 | 236 | 369 | 2k+ | | | Non-prefixed global variable |
| #1222 | Chained Quiz | 29 | 1,132 | 721 | 1k+ | | | Text Domain Mismatch |
| #1223 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | | | Request data is not unslashed |
| #1224 | Countdown, Coming Soon, Maintenance – Countdown & Clock | 29 | 1,735 | 143 | 10k+ | | | Non Singular String Literal Domain |
| #1225 | WPCS – WordPress Currency Switcher Professional | 29 | 84 | 358 | 900 | | | Non-prefixed global variable |
| #1226 | Custom Field Template | 29 | 568 | 530 | 30k+ | | | wp function not compatible with requires wp |
| #1227 | DB Cache Reloaded Fix | 29 | 133 | 42 | 2k+ | | | Output is not escaped |
| #1228 | Di Themes Demo Site Importer | 29 | 343 | 183 | 1k+ | | | Text Domain Mismatch |
| #1229 | Display Tweets | 29 | 135 | 135 | 900 | | | Non-prefixed global variable |
| #1230 | Document Gallery | 29 | 183 | 98 | 8k+ | | | Output is not escaped |
| #1231 | DoLogin Security | 29 | 312 | 305 | 7k+ | | | Output is not escaped |
| #1232 | Interactive Image Map Plugin – Draw Attention | 29 | 620 | 227 | 20k+ | | | Output is not escaped |
| #1233 | Everest Toolkit | 29 | 145 | 141 | 1k+ | | | Missing Translators Comment |
| #1234 | Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules | 29 | 185 | 504 | 2k+ | | | Non-prefixed global variable |
| #1235 | FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | 29 | 74 | 78 | 600k+ | | | Missing Translators Comment |
| #1236 | Getwid – Gutenberg Blocks | 29 | 139 | 173 | 50k+ | | | Non-prefixed global variable |
| #1237 | Gianism | 29 | 391 | 154 | 700 | | | Text Domain Mismatch |
| #1238 | reCaptcha by BestWebSoft | 29 | 474 | 272 | 100k+ | | | Text Domain Mismatch |
| #1239 | Easy HTTPS Redirection (SSL) | 29 | 266 | 152 | 100k+ | | | Unsafe printing function |
| #1240 | Interactive World Map | 29 | 684 | 341 | 1k+ | | | Text Domain Mismatch |
| #1241 | Wishlist for WooCommerce | 29 | 610 | 296 | 600 | | | Output is not escaped |
| #1242 | Kits, Templates and Patterns | 29 | 380 | 91 | 5k+ | | | Text Domain Mismatch |
| #1243 | Laposta WooCommerce | 29 | 96 | 115 | 500 | | | Non-prefixed global variable |
| #1244 | Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress | 29 | 86 | 233 | 500 | | | Nonce verification recommended |
| #1245 | miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) | 29 | 92 | 898 | 10k+ | | | Request data is not unslashed |
| #1246 | Music Player for WooCommerce | 29 | 106 | 155 | 1k+ | | | Non-prefixed global variable |
| #1247 | MyWorks Sync for WooCommerce & Xero | 29 | 1 | 1,080 | 800 | | | Non-prefixed global variable |
| #1248 | Offload Media – Cloud Storage | 29 | 126 | 80 | 1k+ | | | unlink unlink |
| #1249 | Optimole – Optimize Images \| Convert WebP & AVIF \| CDN & Lazy Load \| Image Optimization | 29 | 80 | 162 | 200k+ | | | Nonce verification recommended |
| #1250 | Page Restrict for WooCommerce | 29 | 579 | 374 | 700 | | | Text Domain Mismatch |