WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1401 | Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional) | 31 | 113 | 233 | 2k+ | Non-prefixed namespace | ||
| #1402 | Download Plugin | 31 | 78 | 102 | 60k+ | Output is not escaped | ||
| #1403 | Up2pay e-Transactions WooCommerce Payment Gateway | 31 | 459 | 175 | 4k+ | Text Domain Mismatch | ||
| #1404 | Easy Upload Files During Checkout | 31 | 220 | 208 | 500 | Unsafe printing function | ||
| #1405 | EnvoThemes Demo Import | 31 | 221 | 140 | 3k+ | Output is not escaped | ||
| #1406 | Export Order Items for WooCommerce | 31 | 100 | 108 | 1k+ | Text Domain Mismatch | ||
| #1407 | Express Checkout via PayPal for WooCommerce | 31 | 158 | 200 | 800 | Nonce verification recommended | ||
| #1408 | افزونه پیامک حرفه ای فراز اس ام اس | 31 | 89 | 180 | 2k+ | wp function not compatible with requires wp | ||
| #1409 | FastDup – Fastest WordPress Migration & Duplicator | 31 | 83 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #1410 | Form Vibes – Database Manager for Forms | 31 | 176 | 284 | 10k+ | Text Domain Mismatch | ||
| #1411 | FraudLabs Pro for WooCommerce | 31 | 169 | 213 | 1k+ | Request data is not unslashed | ||
| #1412 | g-FFL Checkout | 31 | 249 | 300 | 600 | Request data is not unslashed | ||
| #1413 | WP Gravity Forms Constant Contact Plugin | 31 | 684 | 164 | 600 | Text Domain Mismatch | ||
| #1414 | GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets | 31 | 402 | 156 | 1k+ | Text Domain Mismatch | ||
| #1415 | HFD ePost Integration | 31 | 186 | 110 | 1k+ | Text Domain Mismatch | ||
| #1416 | OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. | 31 | 213 | 62 | 300k+ | Output is not escaped | ||
| #1417 | Image Hotspot – Map Image Annotation | 31 | 95 | 287 | 3k+ | Non-prefixed global variable | ||
| #1418 | ImgSEO – AI Image Alt Text Generator & Image SEO Tools | 31 | 1 | 677 | 400 | Direct Query | ||
| #1419 | Interactive Image Map Builder | 31 | 160 | 381 | 1k+ | Non-prefixed global variable | ||
| #1420 | Kindeditor For WordPress | 31 | 63 | 130 | 500 | Non-prefixed global variable | ||
| #1421 | Linguise – AI Automatic Multilingual Translation | 31 | 61 | 284 | 1k+ | Non-prefixed global variable | ||
| #1422 | Keywords to Links Converter | 31 | 288 | 144 | 700 | Text Domain Mismatch | ||
| #1423 | Login rebuilder | 31 | 406 | 226 | 20k+ | Non Singular String Literal Domain | ||
| #1424 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | 31 | 122 | 131 | 2k+ | Output is not escaped | ||
| #1425 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed | ||
| #1426 | Mailgun for WordPress | 31 | 144 | 78 | 80k+ | Unsafe printing function | ||
| #1427 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | Interpolated SQL is not prepared | ||
| #1428 | Melapress Login Security | 31 | 69 | 278 | 2k+ | Non-prefixed global variable | ||
| #1429 | Openpay Cards Plugin | 31 | 166 | 105 | 3k+ | Text Domain Mismatch | ||
| #1430 | PanoPress | 31 | 111 | 234 | 2k+ | Output is not escaped | ||
| #1431 | Patreon WordPress | 31 | 276 | 339 | 3k+ | Output is not escaped | ||
| #1432 | PayKeeper Payment Gateway for WooCommerce | 31 | 113 | 44 | 400 | Non Singular String Literal Domain | ||
| #1433 | افزونه پیامک ووکامرس Persian WooCommerce SMS | 31 | 72 | 269 | 40k+ | Nonce verification recommended | ||
| #1434 | Podamibe Simple Footer Widget Area | 31 | 596 | 57 | 2k+ | wp function not compatible with requires wp | ||
| #1435 | Pop-up | 31 | 103 | 91 | 10k+ | Output is not escaped | ||
| #1436 | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio | 31 | 61 | 329 | 6k+ | Non-prefixed global variable | ||
| #1437 | Post Pay Counter | 31 | 639 | 238 | 1k+ | Output is not escaped | ||
| #1438 | Product Configurator for WooCommerce | 31 | 41 | 557 | 3k+ | Non-prefixed hook name | ||
| #1439 | Active Products Tables for WooCommerce. Use constructor to create tables | 31 | 364 | 424 | 1k+ | Output is not escaped | ||
| #1440 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | Non-prefixed global variable | ||
| #1441 | Query Monitor | 31 | 44 | 273 | 200k+ | Non-prefixed class | ||
| #1442 | Raffle Play Woocommerce | 31 | 151 | 199 | 800 | Output is not escaped | ||
| #1443 | Re:amaze Helpdesk & Live Chat | 31 | 96 | 115 | 400 | Output is not escaped | ||
| #1444 | reCAPTCHA in WP comments form | 31 | 264 | 60 | 8k+ | Output is not escaped | ||
| #1445 | Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg) | 31 | 460 | 201 | 30k+ | Non Singular String Literal Domain | ||
| #1446 | Coming Soon Page & Maintenance Mode | 31 | 613 | 266 | 3k+ | Text Domain Mismatch | ||
| #1447 | Social Share Buttons | 31 | 462 | 156 | 1k+ | Text Domain Mismatch | ||
| #1448 | Simple calendar for Elementor | 31 | 125 | 270 | 500 | Direct Query | ||
| #1449 | Page Builder by SiteOrigin | 31 | 226 | 214 | 400k+ | Output is not escaped | ||
| #1450 | Slider Carousel – Image Slider | 31 | 224 | 1,233 | 3k+ | Request data is not unslashed |