WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal used without any validation step: no capability check, no allowlist, no type check, and no range check.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
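As an added example (not code from any plugin listed on this page), the following PHP handler shows how the three fixes above fit together in a WordPress admin action: the nonce and capability checks run first, then every request field is sanitized and then validated, with the request rejected or the value replaced by a safe default when validation fails. All function, action, field, option and capability names are hypothetical.

```php
<?php
/**
 * Added example, not from any scanned plugin: validate request input for a
 * state-changing admin action before acting on it. The pattern the sniff
 * flags looks like this (sanitized, but never validated):
 *
 *   $id = absint( $_GET['item_id'] );          // 0 or any integer is accepted
 *   myplugin_update_item( $id, $_POST['status'] ); // any string is accepted
 */

// Hypothetical handler for admin-post.php?action=myplugin_update_item
add_action( 'admin_post_myplugin_update_item', 'myplugin_handle_update_item' );

function myplugin_handle_update_item() {
	// 1. Prove the request is intentional and authorized before reading fields.
	//    check_admin_referer() stops the request if the nonce is missing or invalid.
	check_admin_referer( 'myplugin_update_item' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do this.', 'myplugin' ), 403 );
	}

	// 2. Validate every field; stop on the first rejected one.
	$input = myplugin_validate_update_request( wp_unslash( $_POST ) );
	if ( is_wp_error( $input ) ) {
		wp_die( esc_html( $input->get_error_message() ), 400 );
	}

	// 3. Only validated values reach the operation (hypothetical update function).
	myplugin_update_item( $input['id'], $input['status'], $input['per_page'] );

	wp_safe_redirect( $input['redirect'] );
	exit;
}

/**
 * Validate (not just sanitize) the fields of the request.
 *
 * @param array $raw Unslashed request data.
 * @return array|WP_Error Validated values, or the first validation failure.
 */
function myplugin_validate_update_request( array $raw ) {
	// ID: absint() sanitizes to an integer; the comparison validates it is positive.
	$id = isset( $raw['item_id'] ) ? absint( $raw['item_id'] ) : 0;
	if ( $id < 1 ) {
		return new WP_Error( 'invalid_id', 'item_id must be a positive integer.' );
	}

	// Enum-like value: sanitize_key() cleans it, the allowlist validates it.
	$allowed_status = array( 'draft', 'published', 'archived' );
	$status         = isset( $raw['status'] ) ? sanitize_key( $raw['status'] ) : '';
	if ( ! in_array( $status, $allowed_status, true ) ) {
		return new WP_Error( 'invalid_status', 'status is not one of the allowed values.' );
	}

	// Range check with a safe default: a missing or out-of-range value falls
	// back to 20 instead of being passed through to the query.
	$per_page = isset( $raw['per_page'] ) ? absint( $raw['per_page'] ) : 20;
	if ( $per_page < 1 || $per_page > 100 ) {
		$per_page = 20;
	}

	// URL: constrain the redirect target to this site rather than trusting the
	// request. wp_validate_redirect() returns the fallback for any other host.
	$default_redirect = admin_url( 'admin.php?page=myplugin' );
	$redirect         = isset( $raw['redirect_to'] ) ? esc_url_raw( $raw['redirect_to'] ) : '';
	$redirect         = wp_validate_redirect( $redirect, $default_redirect );

	return array(
		'id'       => $id,
		'status'   => $status,
		'per_page' => $per_page,
		'redirect' => $redirect,
	);
}
```

The point of the separation is that `myplugin_update_item()` never sees a raw request value: each field is either proven acceptable (positive ID, allowlisted status, in-range page size, same-site URL) or replaced by a default or rejected with a 400. Fields that never pass through the validator cannot reach the operation at all.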
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1351 | Waitlist Woocommerce ( Back in stock notifier ) | 30 | 272 | 311 | 4k+ | | | Output is not escaped |
| #1352 | Checkout with Cash App on WooCommerce | 30 | 122 | 308 | 2k+ | | | Non-prefixed global variable |
| #1353 | Dropify | 30 | 130 | 252 | 2k+ | | | Nonce verification recommended |
| #1354 | Webling | 30 | 147 | 313 | 500 | | | Input is not validated |
| #1355 | Widgetize Pages Light | 30 | 145 | 104 | 3k+ | | | Output is not escaped |
| #1356 | WonderPush – Web Push Notifications – WooCommerce Abandoned Cart – GDPR | 30 | 152 | 192 | 600 | | | Missing direct file access protection |
| #1357 | Delivery & Pickup Date Time for WooCommerce | 30 | 439 | 435 | 5k+ | | | Non-prefixed global variable |
| #1358 | FOX – Currency Switcher Professional for WooCommerce | 30 | 211 | 1,022 | 50k+ | | | Non-prefixed global variable |
| #1359 | WooPayments: Integrated WooCommerce Payments | 30 | 182 | 308 | 900k+ | | | Exception output is not escaped |
| #1360 | WooCommerce Tax (formerly WooCommerce Shipping & Tax) | 30 | 103 | 198 | 600k+ | | | Non-prefixed class |
| #1361 | WP 2FA – Two-factor authentication for WordPress | 30 | 269 | 380 | 100k+ | | | Exception output is not escaped |
| #1362 | WP Admin UI Customize | 30 | 629 | 390 | 30k+ | | | Non-prefixed global variable |
| #1363 | WP Docs | 30 | 268 | 271 | 1k+ | | | Output is not escaped |
| #1364 | remarketable | 30 | 281 | 93 | 600 | | | Output is not escaped |
| #1365 | WP Inventory Manager | 30 | 856 | 233 | 1k+ | | | Output is not escaped |
| #1366 | Photo Gallery Slideshow & Masonry Tiled Gallery | 30 | 806 | 352 | 1k+ | | | Output is not escaped |
| #1367 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | | | Unsafe printing function |
| #1368 | WPS Cleaner | 30 | 430 | 491 | 20k+ | | | Output is not escaped |
| #1369 | WPZOOM Addons for Beaver Builder | 30 | 2,216 | 152 | 4k+ | | | Text Domain Mismatch |
| #1370 | Yaad Sarig Payment Gateway For WC | 30 | 158 | 271 | 2k+ | | | Nonce verification recommended |
| #1371 | YASR – Yet Another Star Rating Plugin for WordPress | 30 | 252 | 378 | 10k+ | | | Output is not escaped |
| #1372 | zahls.ch Credit Cards, PostFinance and TWINT for WooCommerce | 30 | 121 | 265 | 3k+ | | | Non-prefixed global variable |
| #1373 | Zoho CRM Lead Magnet | 30 | 101 | 1,025 | 3k+ | | | Request data is not unslashed |
| #1374 | a3 Lazy Load | 31 | 83 | 240 | 90k+ | | | Dynamic hook name |
| #1375 | ActiveCampaign – The autonomous marketing platform | 31 | 235 | 98 | 40k+ | | | Output is not escaped |
| #1376 | AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization | 31 | 91 | 133 | 2k+ | | | Output is not escaped |
| #1377 | Extra Product Options Builder for WooCommerce | 31 | 113 | 194 | 2k+ | | | Non-prefixed global variable |
| #1378 | Advanced Category Excluder | 31 | 349 | 160 | 700 | | | Output is not escaped |
| #1379 | Advanced Woo Search – Product Search for WooCommerce | 31 | 228 | 377 | 70k+ | | | Nonce verification recommended |
| #1380 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | | | Nonce verification recommended |
| #1381 | Apaczka.pl WooCommerce | 31 | 99 | 276 | 1k+ | | | Non-prefixed global variable |
| #1382 | Asgaros Forum | 31 | 167 | 412 | 10k+ | | | Output is not escaped |
| #1383 | The SEO Framework – Fast, Automated, Effortless. | 31 | 363 | 609 | 200k+ | | | Non-prefixed global variable |
| #1384 | AI ChatBot with ChatGPT and Content Generator by AYS | 31 | 170 | 378 | 400 | | | Non-prefixed global variable |
| #1385 | SEO合集(支持百度/Google/Bing/头条推送) | 31 | 13 | 1,407 | 800 | | | Direct Query |
| #1386 | Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam | 31 | 598 | 70 | 700 | | | Text Domain Mismatch |
| #1387 | Яндекс Доставка (Boxberry) | 31 | 46 | 150 | 600 | | | Missing nonce verification |
| #1388 | Buy Me a Coffee – Button and Widget Plugin | 31 | 138 | 140 | 6k+ | | | Output is not escaped |
| #1389 | CashBill.pl – Płatności WooCommerce | 31 | 181 | 101 | 900 | | | Output is not escaped |
| #1390 | České služby pro WordPress | 31 | 95 | 139 | 1k+ | | | Output is not escaped |
| #1391 | cformsII | 31 | 777 | 536 | 4k+ | | | Unsafe printing function |
| #1392 | Newsletter Sign-Up for CleverReach | 31 | 174 | 72 | 2k+ | | | Output is not escaped |
| #1393 | CleverReach® WP | 31 | 103 | 93 | 4k+ | | | Non-prefixed global variable |
| #1394 | Co-marquage service-public.fr | 31 | 84 | 213 | 1k+ | | | Non-prefixed global variable |
| #1395 | Codeless Page Builder | 31 | 415 | 258 | 900 | | | Text Domain Mismatch |
| #1396 | Colorbox Panels & Info Box | 31 | 392 | 182 | 1k+ | | | Non Singular String Literal Domain |
| #1397 | Compliance by Hu-manity.co | 31 | 153 | 335 | 900k+ | | | Missing nonce verification |
| #1398 | Counter Number Showcase, Fun Facts – WordPress Animated Counter Plugin | 31 | 255 | 170 | 10k+ | | | Non Singular String Literal Domain |
| #1399 | Crowdfundly | 31 | 594 | 402 | 600 | | | Output is not escaped |
| #1400 | DirectoryPress Frontend | 31 | 402 | 563 | 800 | | | Non-prefixed global variable |