WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found a value read from a request superglobal ($_GET, $_POST, $_REQUEST) being used without any validation: no capability check, allowlist, type check, or range check proves the value is acceptable before it is acted on.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
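As an added example (not code from this page or from any plugin listed below), the PHP below shows the shape this sniff flags beside a hardened `admin_post` handler that applies the three fixes above: nonce and capability checks first, then a positive-integer check on the ID, an allowlist with strict comparison for the enum-like value, a range check on a numeric setting, and a constrained redirect target, each falling back to a safe default rather than the raw request value. The `myplugin_` prefix, the action name, the meta key, the allowed statuses and the field names are assumptions.

```php
<?php
/**
 * Added example, not from the page or any listed plugin.
 * Prefix, action name, meta key, field names and allowed statuses are hypothetical.
 */

// BEFORE: the pattern the sniff reports. Every value is sanitized, but none is
// validated, so any integer, any status string and any URL reach the operation.
function myplugin_save_unvalidated() {
    $post_id = intval( $_POST['post_id'] );
    $status  = sanitize_text_field( $_POST['status'] );
    $url     = esc_url_raw( $_POST['redirect'] );
    update_post_meta( $post_id, '_myplugin_status', $status );
    wp_safe_redirect( $url );
    exit;
}

// AFTER: nonce + capability, then type, allowlist and range checks with safe defaults.
function myplugin_save_validated() {
    // 1. A state-changing request is tied to a nonce before anything is read.
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // 2. IDs must be positive integers that name a real post. absint() only
    //    normalises; the comparison and get_post() are the validation.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    // 3. The capability check uses the validated ID, so it covers this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this post.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 4. Enum-like values are checked against an allowlist with strict comparison;
    //    anything outside it is replaced by a safe default instead of being stored.
    $allowed_statuses = array( 'draft', 'review', 'published' ); // hypothetical set
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        $status = 'draft';
    }

    // 5. Numeric settings get a range check and are clamped to a sane window.
    $per_page = isset( $_POST['per_page'] ) ? absint( wp_unslash( $_POST['per_page'] ) ) : 20;
    $per_page = min( max( $per_page, 1 ), 100 );

    // 6. Redirect targets are constrained to this site's allowed hosts;
    //    wp_validate_redirect() returns the fallback for anything else.
    $url = isset( $_POST['redirect'] ) ? esc_url_raw( wp_unslash( $_POST['redirect'] ) ) : '';
    $url = wp_validate_redirect( $url, admin_url( 'edit.php' ) );

    update_post_meta( $post_id, '_myplugin_status', $status );
    update_post_meta( $post_id, '_myplugin_per_page', $per_page );
    wp_safe_redirect( $url );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_validated' );
```

The order matters: the nonce check runs before any request value is read, and the capability check uses the already-validated `$post_id`, so a request that fails validation never reaches the state change. Sanitizers such as `absint()` and `sanitize_key()` still appear, but only as normalisation ahead of the comparison that actually decides whether the value is allowed.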
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1551 | Export Themes | 36 | 122 | 90 | 2k+ | | Non-prefixed constant |
| #1552 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | | Nonce verification recommended |
| #1553 | WP-EMail | 36 | 340 | 95 | 1k+ | | Unsafe printing function |
| #1554 | WP Header Images | 36 | 174 | 133 | 6k+ | | Unsafe printing function |
| #1555 | Payment Button for PayPal | 36 | 155 | 86 | 4k+ | | Unsafe printing function |
| #1556 | WP Responsive Menu | 36 | 296 | 144 | 30k+ | | Text Domain Mismatch |
| #1557 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | | Text Domain Mismatch |
| #1558 | WP Show Posts | 36 | 107 | 102 | 70k+ | | Output is not escaped |
| #1559 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | | Output is not escaped |
| #1560 | WP Sort Order | 36 | 134 | 211 | 6k+ | | Direct Query |
| #1561 | WP Super Edit | 36 | 35 | 185 | 2k+ | | Nonce verification recommended |
| #1562 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | | Output is not escaped |
| #1563 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | | SQL query is not prepared |
| #1564 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | | Output is not escaped |
| #1565 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | | Output is not escaped |
| #1566 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | | Output is not escaped |
| #1567 | Zarinpal Gateway | 36 | 151 | 55 | 50k+ | | Non Singular String Literal Domain |
| #1568 | Redirectioner | 37 | 234 | 410 | 1k+ | | Output is not escaped |
| #1569 | Adapta RGPD | 37 | 349 | 72 | 40k+ | | Text Domain Mismatch |
| #1570 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | | Output is not escaped |
| #1571 | Add From Server | 37 | 52 | 20 | 60k+ | | Output is not escaped |
| #1572 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | | Unsafe printing function |
| #1573 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | | Text Domain Mismatch |
| #1574 | Advanced Media Offloader | 37 | 59 | 93 | 5k+ | | error log error log |
| #1575 | Anything Popup | 37 | 164 | 185 | 2k+ | | Non-prefixed global variable |
| #1576 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | | Non-prefixed global variable |
| #1577 | Async JavaScript | 37 | 357 | 79 | 70k+ | | Unsafe printing function |
| #1578 | Custom Thank You Page Customize For WooCommerce by Binary Carpenter | 37 | 45 | 80 | 2k+ | | error log error log |
| #1579 | Before After Image Comparison Slider for Elementor | 37 | 90 | 41 | 10k+ | | Text Domain Mismatch |
| #1580 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37 | 170 | 59 | 6k+ | | Unsafe printing function |
| #1581 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37 | 64 | 47 | 30k+ | | Missing Arg Domain |
| #1582 | Booster Extension | 37 | 28 | 289 | 7k+ | | Non-prefixed global variable |
| #1583 | CDEKDelivery | 37 | 98 | 75 | 2k+ | | Exception output is not escaped |
| #1584 | Clearpay Gateway for WooCommerce | 37 | 185 | 63 | 1k+ | | Text Domain Mismatch |
| #1585 | ClickCease Click Fraud Protection | 37 | 30 | 58 | 10k+ | | Non-prefixed class |
| #1586 | Co-Authors Plus | 37 | 20 | 110 | 20k+ | | Nonce verification recommended |
| #1587 | Constant Contact Forms by MailMunch | 37 | 135 | 91 | 2k+ | | Output is not escaped |
| #1588 | CorvusPay WooCommerce Payment Gateway | 37 | 29 | 141 | 1k+ | | Missing nonce verification |
| #1589 | Simple Custom CSS and JS | 37 | 168 | 69 | 600k+ | | Output is not escaped |
| #1590 | Custom CSS Manager | 37 | 55 | 20 | 1k+ | | Output is not escaped |
| #1591 | Custom Post Template | 37 | 48 | 30 | 10k+ | | Output is not escaped |
| #1592 | Debug Log Manager Tool | 37 | 33 | 108 | 3k+ | | Nonce verification recommended |
| #1593 | Comment Cleaner — Bulk Delete & Disable Comments | 37 | 204 | 78 | 20k+ | | Non Singular String Literal Domain |
| #1594 | Duo Two-Factor Authentication | 37 | 44 | 61 | 3k+ | | Missing nonce verification |
| #1595 | Pricing Table WordPress Plugin – Easy Pricing Tables | 37 | 332 | 161 | 10k+ | | Output is not escaped |
| #1596 | Email Encoder – Protect Email Addresses and Phone Numbers | 37 | 10 | 150 | 90k+ | | Non-prefixed global variable |
| #1597 | Exploit Scanner | 37 | 25 | 130 | 8k+ | | Non-prefixed global variable |
| #1598 | Facturare WooCommerce | 37 | 158 | 106 | 3k+ | | Text Domain Mismatch |
| #1599 | Favorites | 37 | 204 | 121 | 10k+ | | Unsafe printing function |
| #1600 | Gmail SMTP | 37 | 84 | 73 | 10k+ | | Unsafe printing function |