WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
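The checks above, as an added example (not code from the page or from any plugin listed on it): a hypothetical `admin-post` handler that validates each request value before it is used. The `myplugin_` names, the `post_id`, `status`, `orderby` and `redirect_to` fields, and the allowlists are assumptions for illustration.

```php
<?php
// Added example: validate request data, not just sanitize it.
// Function names prefixed "myplugin_" and the field names are assumptions.

add_action( 'admin_post_myplugin_set_status', 'myplugin_handle_set_status' );

function myplugin_handle_set_status() {
    // State-changing request: verify the nonce first.
    check_admin_referer( 'myplugin_set_status' );

    // ID: must be a positive integer that refers to an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( $post_id < 1 || null === get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), 400 );
    }

    // Capability check scoped to the specific object the request acts on.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // Enum-like value: accept only members of an explicit allowlist, reject otherwise.
    $allowed_statuses = array( 'draft', 'pending', 'publish' );
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        wp_die( esc_html__( 'Invalid status.', 'myplugin' ), 400 );
    }

    // Value that selects a query column: constrain to known columns and
    // fall back to a safe default instead of passing an unknown column through.
    $allowed_orderby = array( 'date', 'title', 'modified' );
    $orderby = isset( $_POST['orderby'] ) ? sanitize_key( wp_unslash( $_POST['orderby'] ) ) : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';
    }

    // URL: sanitize, then validate that it is a well-formed http(s) URL.
    $redirect = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    if ( '' !== $redirect && false === wp_http_validate_url( $redirect ) ) {
        $redirect = '';
    }

    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );

    // wp_safe_redirect() additionally restricts the target to allowed hosts.
    wp_safe_redirect( $redirect ? $redirect : admin_url( 'edit.php?orderby=' . $orderby ) );
    exit;
}
```

Sanitizing alone (`sanitize_key`, `absint`) would let an unknown status or column through; the `in_array` and `get_post` checks are what make the values acceptable for this operation.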
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1301 | Colete-Online | 30 | 776 | 346 | 600 | | | Text Domain Mismatch |
| #1302 | ContentBot AI Writer (AI Content) | 30 | 317 | 69 | 500 | | | rand rand |
| #1303 | Cryptocurrency Donation Box – Bitcoin & Crypto Donations | 30 | 334 | 284 | 500 | | | Output is not escaped |
| #1304 | DethemeKit for Elementor | 30 | 335 | 228 | 30k+ | | | Output is not escaped |
| #1305 | EDI – Обмен данными между WooCommerce и 1С | 30 | 284 | 101 | 600 | | | Text Domain Mismatch |
| #1306 | Easy Affiliate Links | 30 | 186 | 198 | 7k+ | | | Missing direct file access protection |
| #1307 | EasyParcel Shipping – All-in-one Shipping Solution, Real-Time Shipping Rates | 30 | 31 | 610 | 600 | | | Non-prefixed global variable |
| #1308 | Edwiser Bridge – WordPress Moodle Integration | 30 | 4 | 669 | 4k+ | | | Non-prefixed hook name |
| #1309 | Element Invader – Template Kits for Elementor | 30 | 274 | 130 | 3k+ | | | Output is not escaped |
| #1310 | Email Templates Customizer and Designer for WordPress and WooCommerce | 30 | 250 | 349 | 20k+ | | | Non-prefixed global variable |
| #1311 | Epeken All Kurir for Woocommerce | 30 | 590 | 1,246 | 500 | | | Missing nonce verification |
| #1312 | Eway Payment Gateway | 30 | 509 | 92 | 800 | | | Missing Translators Comment |
| #1313 | Exclusive Addons for Elementor | 30 | 3,630 | 263 | 50k+ | | | Text Domain Mismatch |
| #1314 | Export Plugins and Templates | 30 | 143 | 33 | 1k+ | | | file system operations fread |
| #1315 | PiWeb Export Customers Users & Guest customer to CSV for WooCommerce | 30 | 173 | 75 | 1k+ | | | Text Domain Mismatch |
| #1316 | FormLift for Keap (Legacy) Web Forms | 30 | 162 | 315 | 400 | | | Request data is not unslashed |
| #1317 | Formzu WP | 30 | 167 | 163 | 3k+ | | | Text Domain Mismatch |
| #1318 | Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant | 30 | 264 | 221 | 4k+ | | | Non Singular String Literal Text |
| #1319 | GlobalPayments Gateway Provider for WooCommerce | 30 | 611 | 170 | 1k+ | | | Text Domain Mismatch |
| #1320 | Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers \| WP Ultimate CSV Importer | 30 | 80 | 434 | 4k+ | | | Interpolated SQL is not prepared |
| #1321 | Invisible reCaptcha for WordPress | 30 | 90 | 185 | 80k+ | | | Input is not sanitized |
| #1322 | core plugin for kitestudio themes | 30 | 244 | 415 | 500 | | | Nonce verification recommended |
| #1323 | Midtrans-WooCommerce | 30 | 112 | 132 | 5k+ | | | Non-prefixed global variable |
| #1324 | Naver webmaster syndication v2 | 30 | 89 | 129 | 500 | | | Output is not escaped |
| #1325 | Nova Blocks by Pixelgrade | 30 | 206 | 112 | 800 | | | Output is not escaped |
| #1326 | Novelist | 30 | 475 | 158 | 1k+ | | | Output is not escaped |
| #1327 | OoohBoi Steroids for Elementor | 30 | 2,059 | 100 | 40k+ | | | Text Domain Mismatch |
| #1328 | Operation Demo Importer – Demo Importer For WPoperation Themes | 30 | 245 | 104 | 1k+ | | | Text Domain Mismatch |
| #1329 | PayU CommercePro Plugin | 30 | 95 | 270 | 7k+ | | | Text Domain Mismatch |
| #1330 | گرویتی فرم فارسی | 30 | 205 | 157 | 20k+ | | | Text Domain Mismatch |
| #1331 | Pixelgrade Assistant | 30 | 1,350 | 153 | 2k+ | | | Text Domain Mismatch |
| #1332 | Popularis Extra | 30 | 237 | 141 | 7k+ | | | Output is not escaped |
| #1333 | Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget | 30 | 231 | 102 | 1k+ | | | Non Singular String Literal Domain |
| #1334 | Pre-Orders for WooCommerce | 30 | 568 | 261 | 7k+ | | | Output is not escaped |
| #1335 | Sync Master Sheet – Product Sync with Google Sheet for WooCommerce | 30 | 136 | 300 | 400 | | | Non-prefixed global variable |
| #1336 | Pubjet \| پابجت | 30 | 91 | 172 | 1k+ | | | Output is not escaped |
| #1337 | Realbig For WordPress | 30 | 36 | 591 | 1k+ | | | Non-prefixed global variable |
| #1338 | Responsive Addons for Elementor – Free Elementor Addons, Kits and Elementor Templates | 30 | 60 | 387 | 3k+ | | | Non-prefixed global variable |
| #1339 | Rublon Multi-Factor Authentication (MFA) | 30 | 216 | 160 | 500 | | | Output is not escaped |
| #1340 | StoreBuild – Online Store Builder for WooCommerce | 30 | 120 | 211 | 600 | | | Non-prefixed global variable |
| #1341 | Sina Extension for Elementor | 30 | 3,691 | 160 | 40k+ | | | Text Domain Mismatch |
| #1342 | SMTP for Amazon SES – YaySMTP | 30 | 197 | 122 | 3k+ | | | Exception output is not escaped |
| #1343 | Subscriptions for WooCommerce | 30 | 1 | 1,190 | 10k+ | | | Non-prefixed global variable |
| #1344 | Taboola | 30 | 89 | 147 | 1k+ | | | Output is not escaped |
| #1345 | Tabs Responsive – With WooCommerce Product Tabs Extension | 30 | 575 | 255 | 20k+ | | | Non Singular String Literal Domain |
| #1346 | Themify Portfolio Post | 30 | 214 | 102 | 30k+ | | | Text Domain Mismatch |
| #1347 | Travelers' Map | 30 | 311 | 155 | 1k+ | | | Output is not escaped |
| #1348 | Tutor LMS Divi Modules | 30 | 420 | 722 | 1k+ | | | Non-prefixed global variable |
| #1349 | Urvanov Syntax Highlighter | 30 | 221 | 87 | 3k+ | | | Output is not escaped |
| #1350 | User Access Manager | 30 | 393 | 171 | 10k+ | | | Output is not escaped |