WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
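The three fix steps above, shown together in one handler. This is an added example written for this page, not code from the original page or from any plugin listed below; every `myplugin_` name, the meta keys, the `myplugin-exports` directory and the field names are assumptions. The first function is the pattern the sniff flags (sanitized, never validated); the second pairs the state change with a nonce and capability check and then applies a type check, an allowlist, a range check and a URL/path constraint, defaulting or rejecting on failure.

```php
<?php
// Added example (not from the original page or any listed plugin). All names
// prefixed myplugin_ and all field names are assumptions.

// Before: sanitized but never validated. This is what the sniff flags.
function myplugin_save_item_unvalidated() {
    $id     = sanitize_text_field( wp_unslash( $_POST['item_id'] ?? '' ) );
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    // "abc", "-5" or "archived" all survive sanitization and reach the write.
    update_post_meta( (int) $id, 'myplugin_status', $status );
}

// After: prove intent and authority first, then validate every value.
function myplugin_save_item() {
    // State-changing request: nonce (intent) and capability (authority).
    check_admin_referer( 'myplugin_save_item', 'myplugin_nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // ID: positive integer that names a post this user may actually edit.
    $id = absint( wp_unslash( $_POST['item_id'] ?? 0 ) );
    if ( 0 === $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_die( esc_html__( 'Invalid item.', 'myplugin' ), 400 );
    }

    // Enum-like value: allowlist with strict comparison, safe default otherwise.
    $allowed_status = array( 'draft', 'review', 'published' );
    $status = sanitize_key( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! in_array( $status, $allowed_status, true ) ) {
        $status = 'draft';
    }

    // Range check: numeric priority clamped to 1..10.
    $priority = absint( wp_unslash( $_POST['priority'] ?? 5 ) );
    $priority = min( 10, max( 1, $priority ) );

    // URL: must be a well-formed http(s) URL; anything else is dropped, not stored.
    $url = esc_url_raw( wp_unslash( $_POST['source_url'] ?? '' ) );
    if ( '' !== $url && ! wp_http_validate_url( $url ) ) {
        $url = '';
    }

    // File path: bare filename only, and the resolved path must stay inside
    // the plugin's own export directory (realpath() resolves any "../").
    $file      = sanitize_file_name( wp_unslash( $_POST['export_file'] ?? '' ) );
    $base      = trailingslashit( wp_upload_dir()['basedir'] ) . 'myplugin-exports';
    $real_base = realpath( $base );
    $path      = '';
    if ( '' !== $file && false !== $real_base ) {
        $candidate = realpath( $real_base . DIRECTORY_SEPARATOR . $file );
        if ( false !== $candidate
            && 0 === strpos( $candidate, $real_base . DIRECTORY_SEPARATOR ) ) {
            $path = $candidate;
        }
    }

    update_post_meta( $id, 'myplugin_status', $status );
    update_post_meta( $id, 'myplugin_priority', $priority );
    update_post_meta( $id, 'myplugin_source_url', $url );
    update_post_meta( $id, 'myplugin_export_path', $path );
}
add_action( 'admin_post_myplugin_save_item', 'myplugin_save_item' );
```

The design point is that each check answers a different question: the nonce and capability checks decide whether this request may change state at all, `absint` plus `current_user_can( 'edit_post', $id )` decides whether the target is legitimate, and the allowlist, clamp and path containment decide whether the supplied values are acceptable. Sanitization alone (the "before" function) answers none of these.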
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1251 | Page Restrict for WooCommerce | 29 | 579 | 374 | 700 | | | Text Domain Mismatch |
| #1252 | Page View Count | 29 | 108 | 247 | 10k+ | | | Dynamic hook name |
| #1253 | PhastPress | 29 | 95 | 52 | 10k+ | | | Exception output is not escaped |
| #1254 | PlatiOnline Payments | 29 | 304 | 110 | 700 | | | Output is not escaped |
| #1255 | Pósturinn's Shipping with WooCommerce | 29 | 713 | 551 | 500 | | | Text Domain Mismatch |
| #1256 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | | | Non-prefixed global variable |
| #1257 | Responder | 29 | 77 | 185 | 3k+ | | | Non-prefixed global variable |
| #1258 | SamedayCourier Shipping | 29 | 336 | 269 | 4k+ | | | Non Singular String Literal Domain |
| #1259 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | | | Direct Query |
| #1260 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 148 | 246 | 5k+ | | | Unsafe printing function |
| #1261 | Slider by BestWebSoft | 29 | 478 | 336 | 400 | | | Text Domain Mismatch |
| #1262 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | | | Exception output is not escaped |
| #1263 | BuddyPress Builder for Elementor – BuddyBuilder | 29 | 348 | 329 | 1k+ | | | Text Domain Mismatch |
| #1264 | ووسلام – همگام سازی ووکامرس و باسلام | 29 | 192 | 611 | 4k+ | | | Non-prefixed global variable |
| #1265 | Themify Popup | 29 | 232 | 108 | 8k+ | | | Text Domain Mismatch |
| #1266 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | | | Output is not escaped |
| #1267 | Tilda-publishing | 29 | 219 | 78 | 700 | | | Output is not escaped |
| #1268 | Post Grid Gutenberg Blocks – PostX | 29 | 135 | 404 | 40k+ | | | Non-prefixed global variable |
| #1269 | Ultimate Auction for WooCommerce – Excellent WP Auction Plugin | 29 | 52 | 523 | 2k+ | | | Non-prefixed global variable |
| #1270 | User Verification by PickPlugins | 29 | 41 | 314 | 5k+ | | | Request data is not unslashed |
| #1271 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | | | Output is not escaped |
| #1272 | Wenprise Alipay Gateway For WooCommerce | 29 | 113 | 68 | 700 | | | Exception output is not escaped |
| #1273 | Widget for Yelp Reviews | 29 | 147 | 158 | 2k+ | | | Output is not escaped |
| #1274 | Product Carousel Slider & Grid Ultimate for WooCommerce | 29 | 719 | 122 | 6k+ | | | Text Domain Mismatch |
| #1275 | Sofortueberweisung Gateway for Woocommerce | 29 | 104 | 71 | 700 | | | Output is not escaped |
| #1276 | Global Payments SecureSubmit Gateway | 29 | 199 | 443 | 600 | | | Non-prefixed class |
| #1277 | Woostify Sites Library | 29 | 229 | 198 | 20k+ | | | Text Domain Mismatch |
| #1278 | WP Popular Posts | 29 | 77 | 300 | 100k+ | | | Non-prefixed global variable |
| #1279 | WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics | 29 | 118 | 128 | 5k+ | | | Output is not escaped |
| #1280 | WP Magazine Modules Lite | 29 | 152 | 674 | 5k+ | | | Non-prefixed global variable |
| #1281 | WP-PostRatings | 29 | 425 | 384 | 30k+ | | | Output is not escaped |
| #1282 | WP Subscribe | 29 | 79 | 79 | 8k+ | | | Non-prefixed class |
| #1283 | WPComplete | 29 | 383 | 333 | 1k+ | | | Output is not escaped |
| #1284 | Xagio SEO – AI Powered SEO | 29 | 2 | 1,273 | 10k+ | | | Direct Query |
| #1285 | XML for Google Merchant Center | 29 | 52 | 312 | 3k+ | | | Non-prefixed global variable |
| #1286 | Xpro Addons — 140+ Widgets for Elementor | 29 | 27 | 826 | 30k+ | | | Non-prefixed global variable |
| #1287 | Dynamic Pricing With Discount Rules for WooCommerce | 30 | 136 | 131 | 5k+ | | | Output is not escaped |
| #1288 | PublishPress Blocks – Block Controls, Block Visibility, Block Permissions | 30 | 251 | 340 | 20k+ | | | Unsafe printing function |
| #1289 | Aitasi Coming Soon | 30 | 516 | 186 | 1k+ | | | Output is not escaped |
| #1290 | Analytics Insights – Google Analytics Dashboard for WordPress | 30 | 241 | 170 | 10k+ | | | Unsafe printing function |
| #1291 | ApplyOnline – Application Form Builder and Manager | 30 | 345 | 244 | 2k+ | | | Output is not escaped |
| #1292 | Contact Form 7 Connector | 30 | 324 | 196 | 5k+ | | | Text Domain Mismatch |
| #1293 | Arile Extra | 30 | 537 | 570 | 10k+ | | | Non-prefixed global variable |
| #1294 | aThemes Starter Sites | 30 | 262 | 195 | 40k+ | | | Text Domain Mismatch |
| #1295 | AutoWP – AI Content Writer & Rewriter | 30 | 548 | 370 | 1k+ | | | Text Domain Mismatch |
| #1296 | Private groups | 30 | 583 | 316 | 1k+ | | | Unsafe printing function |
| #1297 | Blockons – Gutenberg blocks for WordPress and WooCommerce websites | 30 | 69 | 205 | 700 | | | Non-prefixed global variable |
| #1298 | BrightEdge Autopilot | 30 | 108 | 31 | 500 | | | curl curl setopt |
| #1299 | Sliding Cart for WooCommerce by FunnelKit – Skip Cart & Reach WooCommerce Checkout Faster | 30 | 306 | 434 | 30k+ | | | Non-prefixed global variable |
| #1300 | Classic Addons – WPBakery Page Builder | 30 | 1,245 | 263 | 3k+ | | | Text Domain Mismatch |