WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1451 | Stackable – Page Builder Gutenberg Blocks | 31 | 477 | 90 | 100k+ | Non Singular String Literal Domain | ||
| #1452 | Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg | 31 | 459 | 282 | 7k+ | Non Singular String Literal Domain | ||
| #1453 | WP Testimonials | 31 | 183 | 455 | 10k+ | Non-prefixed global variable | ||
| #1454 | Themify Store Locator | 31 | 244 | 125 | 500 | Text Domain Mismatch | ||
| #1455 | Tutor LMS Elementor Addons | 31 | 227 | 453 | 30k+ | Non-prefixed global variable | ||
| #1456 | Big File Uploads – Increase Maximum File Upload Size | 31 | 101 | 92 | 100k+ | Output is not escaped | ||
| #1457 | Ultimate Posts Widget | 31 | 309 | 86 | 10k+ | Output is not escaped | ||
| #1458 | User Spam Remover | 31 | 115 | 14 | 1k+ | Output is not escaped | ||
| #1459 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 31 | 288 | 842 | 2k+ | Missing nonce verification | ||
| #1460 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | Output is not escaped | ||
| #1461 | Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | 31 | 837 | 295 | 100k+ | Unsafe printing function | ||
| #1462 | WooCommerce Legacy REST API | 31 | 324 | 177 | 400k+ | Missing Translators Comment | ||
| #1463 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | Output is not escaped | ||
| #1464 | Worldline Global Online Pay for WooCommerce | 31 | 160 | 86 | 500 | Missing direct file access protection | ||
| #1465 | Discussion Board – WordPress Forum Plugin | 31 | 105 | 153 | 2k+ | Request data is not unslashed | ||
| #1466 | WP Easy Uploader | 31 | 202 | 113 | 600 | Non Singular String Literal Domain | ||
| #1467 | HireZoot – Job Listings, Career Page & Recruitment Tool | 31 | 14 | 555 | 40k+ | Non-prefixed global variable | ||
| #1468 | WP Simple Booking Calendar | 31 | 337 | 380 | 20k+ | Output is not escaped | ||
| #1469 | WP Visitor Statistics (Real Time Traffic) | 31 | 353 | 691 | 20k+ | Nonce verification recommended | ||
| #1470 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function | ||
| #1471 | Hosting Benchmark tool | 31 | 202 | 115 | 4k+ | rand rand | ||
| #1472 | One to one user Chat by WPGuppy | 31 | 74 | 187 | 700 | Non-prefixed global variable | ||
| #1473 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31 | 133 | 438 | 600 | Non-prefixed global variable | ||
| #1474 | YAHMAN Add-ons | 31 | 468 | 141 | 1k+ | Output is not escaped | ||
| #1475 | YML for Yandex Market | 31 | 37 | 293 | 10k+ | Non-prefixed global variable | ||
| #1476 | Zendesk Support for WordPress | 31 | 195 | 88 | 2k+ | Output is not escaped | ||
| #1477 | ACME Divi Modules | 32 | 573 | 35 | 400 | Text Domain Mismatch | ||
| #1478 | ActiveDEMAND | 32 | 157 | 161 | 1k+ | Output is not escaped | ||
| #1479 | Affiliate Coupons – Coupon Display Manager – Excellent Tool for Affiliate Marketers | 32 | 183 | 61 | 1k+ | Output is not escaped | ||
| #1480 | All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | 32 | 325 | 102 | 600 | Missing Arg Domain | ||
| #1481 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | Text Domain Mismatch | ||
| #1482 | Aqua Page Builder | 32 | 320 | 114 | 3k+ | Output is not escaped | ||
| #1483 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name | ||
| #1484 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped | ||
| #1485 | Better Chat Support for Messenger | 32 | 73 | 103 | 1k+ | Interpolated SQL is not prepared | ||
| #1486 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 32 | 55 | 83 | 5k+ | error log error log | ||
| #1487 | Bosa Elementor Addons and Templates for WooCommerce | 32 | 40 | 165 | 20k+ | slow db query tax query | ||
| #1488 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function | ||
| #1489 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #1490 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32 | 147 | 319 | 400 | Direct Query | ||
| #1491 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | Unsafe printing function | ||
| #1492 | Code Manager | 32 | 217 | 261 | 500 | Nonce verification recommended | ||
| #1493 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function | ||
| #1494 | Color and Image Swatches for Variable Product Attributes | 32 | 173 | 111 | 1k+ | Output is not escaped | ||
| #1495 | Ultimate WooCommerce Filters | 32 | 322 | 207 | 600 | Unsafe printing function | ||
| #1496 | Contact Form Block | 32 | 64 | 77 | 500 | Non Singular String Literal Domain | ||
| #1497 | Contact Form Builder by vcita | 32 | 666 | 174 | 700 | Text Domain Mismatch | ||
| #1498 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | Output is not escaped | ||
| #1499 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #1500 | Currency Switcher for WooCommerce | 32 | 357 | 263 | 10k+ | Text Domain Mismatch |