WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.
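
The three fixes above combined in one AJAX handler, as an added example that is not code from this page or from any plugin listed below. The `myplugin_set_status` action, the nonce name and the `post_id`, `status` and `menu_order` fields are hypothetical.

```php
<?php
// Added example. The action, nonce and field names are hypothetical.
add_action( 'wp_ajax_myplugin_set_status', 'myplugin_set_status' );

function myplugin_set_status() {
	// State-changing request: verify the nonce first (dies on failure).
	check_ajax_referer( 'myplugin_set_status', 'nonce' );

	// Required keys must exist before they are read.
	if ( ! isset( $_POST['post_id'], $_POST['status'] ) ) {
		wp_send_json_error( array( 'message' => 'Missing parameter.' ), 400 );
	}

	// ID: accept only a positive integer; reject instead of coercing "12abc" to 12.
	$post_id = filter_var(
		wp_unslash( $_POST['post_id'] ),
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 1 ) )
	);
	if ( false === $post_id || null === get_post( $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Invalid post ID.' ), 400 );
	}

	// Capability check against the specific object being changed.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	// Enum-like value: sanitize, then require membership in an allowlist.
	$allowed = array( 'draft', 'pending' );
	$status  = is_string( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
	if ( ! in_array( $status, $allowed, true ) ) {
		wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
	}

	// Optional ranged value: fall back to a safe default when absent or out of range.
	$order = isset( $_POST['menu_order'] ) ? filter_var(
		wp_unslash( $_POST['menu_order'] ),
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 0, 'max_range' => 100 ) )
	) : false;
	$order = ( false === $order ) ? 0 : $order;

	wp_update_post( array( 'ID' => $post_id, 'post_status' => $status, 'menu_order' => $order ) );
	wp_send_json_success( array( 'post_id' => $post_id, 'status' => $status, 'menu_order' => $order ) );
}
```

`sanitize_key()` and `wp_unslash()` only clean the value; the `in_array( ..., true )` and `filter_var()` checks are what decide whether it is acceptable.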

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Updated | Top Issue
#101 | SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager | 227038418k+ | Non Prefixed Variable Found
#102 | Download Manager | 222,2901,301100k+ | Output Not Escaped
#103 | Dynamic QR Code – generator | 22382086k+ | missing direct file access protection
#104 | Easy Social Feed – Social Photos Gallery and Post Feed for WordPress | 221,5671,27730k+ | Non Prefixed Variable Found
#105 | EleSpare – News, Magazine and Blog Addons for Elementor | 227331,42310k+ | Non Prefixed Variable Found
#106 | Estatik Real Estate Plugin | 223,04932510k+ | Text Domain Mismatch
#107 | Events Manager – Calendar, Bookings, Tickets, and more! | 224,7225,62170k+ | Output Not Escaped
#108 | File Manager Pro – Filester | 22565391100k+ | Missing Unslash
#109 | Finale Lite – Sales Countdown Timer & Discount for WooCommerce | 221,0314514k+ | Output Not Escaped
#110 | FireBox Popups – Increase Sales and Grow Your Email List | 221538127k+ | Non Prefixed Variable Found
#111 | Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar | 221,3211,3713k+ | Non Prefixed Variable Found
#112 | Five Star Restaurant Menu and Food Ordering | 227526095k+ | Output Not Escaped
#113 | GeoDirectory – WP Business Directory Plugin and Classified Listings Directory | 224,4623,97210k+ | Output Not Escaped
#114 | Anti-Malware Security and Brute-Force Firewall | 22544965100k+ | Output Not Escaped
#115 | Gutenberg | 22628342300k+ | missing direct file access protection
#116 | Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms | 221,03772220k+ | Unsafe Printing Function
#117 | HeadSpace2 SEO | 229403603k+ | Text Domain Mismatch
#118 | Csomagpontok és Címkék WooCommerce-hez | 222,0017697k+ | Text Domain Mismatch
#119 | IMPress for IDX Broker | 221,0856367k+ | Text Domain Mismatch
#120 | Számlázz.hu integráció WooCommerce-hez | 221,1694607k+ | Text Domain Mismatch
#121 | InfiniteWP Client | 222,2861,812200k+ | Exception Not Escaped
#122 | Import WP – Export and Import CSV and XML files to WordPress | 225803304k+ | Exception Not Escaped
#123 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 222,3613,38470k+ | Non Prefixed Variable Found
#124 | MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc. | 222,6192,45310k+ | Output Not Escaped
#125 | Modula Image Gallery – Photo Grid & Video Gallery | 22474436100k+ | Text Domain Mismatch
#126 | Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress | 229191,23010k+ | Output Not Escaped
#127 | Motors – Car Dealership & Classified Listings Plugin | 225,3405,9589k+ | Text Domain Mismatch
#128 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 221,2652,065100k+ | Non Prefixed Variable Found
#129 | NinjaScanner – Virus & Malware scan | 2259655130k+ | Non Prefixed Variable Found
#130 | PagBank / PagSeguro Connect para WooCommerce | 225047434k+ | Non Prefixed Variable Found
#131 | Smart Popup by Supsystic | 223,17250310k+ | Non Singular String Literal Domain
#132 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 221,5812,326300k+ | Non Prefixed Variable Found
#133 | Prime Mover – Migrate WordPress Website & Backups | 221,3261,60010k+ | Non Prefixed Variable Found
#134 | Product Catalog Feed by PixelYourSite | 225813578k+ | Output Not Escaped
#135 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 229844075k+ | Unsafe Printing Function
#136 | Restrict User Access – Ultimate Membership & Content Protection | 229771,84010k+ | Non Prefixed Variable Found
#137 | Social Sharing Plugin – Sassy Social Share | 221,689233100k+ | wp function not compatible with requires wp
#138 | Seraphinite Accelerator | 2259425550k+ | Output Not Escaped
#139 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 221,044799300k+ | Non Prefixed Variable Found
#140 | Simple Job Board | 226341,35510k+ | Non Prefixed Variable Found
#141 | SNS Count Cache | 229181208k+ | Non Singular String Literal Domain
#142 | NextScripts: Social Networks Auto-Poster | 222,4081,13330k+ | Output Not Escaped
#143 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 227791,57510k+ | Non Prefixed Variable Found
#144 | Stylish Price List – Price Table Builder & QR Code Restaurant Menu | 226746783k+ | Output Not Escaped
#145 | Swift Performance Lite | 222,3461,3257k+ | Text Domain Mismatch
#146 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | 222255198k+ | error log error log
#147 | Tag Groups is the Advanced Way to Display Your Taxonomy Terms | 225754653k+ | Unsafe Printing Function
#148 | Theme Editor | 2279868550k+ | Output Not Escaped
#149 | ThemeHunk Customizer | 223,9695827k+ | Text Domain Mismatch
#150 | Customize Feeds for Twitter | 22921714k+ | Non Prefixed Variable Found