WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
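The three fixes above, combined in one handler, as an added example that is not code from any plugin in the table below. The action name `myplugin_update_status`, the nonce action `myplugin_update_status_nonce`, the meta key `myplugin_priority` and the field names are all assumed for the illustration.

```php
<?php
// Added example: a hypothetical admin-post handler that validates, not just
// sanitizes, every request value before acting on it. All names are assumed.
add_action( 'admin_post_myplugin_update_status', 'myplugin_handle_update_status' );

function myplugin_handle_update_status() {
    // State-changing request: nonce check (dies on failure) and capability check.
    check_admin_referer( 'myplugin_update_status_nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // ID: must be a positive integer, and the user must be allowed to edit that post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( $post_id <= 0 || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Invalid post ID.', '', array( 'response' => 400 ) );
    }

    // Enum-like value: compare against an allowlist, fall back to a safe default.
    $allowed_statuses = array( 'draft', 'pending', 'publish' );
    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : 'draft';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        $status = 'draft';
    }

    // Numeric value: type cast, then range check with a default.
    $priority = isset( $_POST['priority'] ) ? (int) $_POST['priority'] : 5;
    if ( $priority < 1 || $priority > 10 ) {
        $priority = 5;
    }

    // URL: sanitize, then constrain to this site's own host before redirecting.
    $redirect  = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( '' === $redirect || wp_parse_url( $redirect, PHP_URL_HOST ) !== $site_host ) {
        $redirect = admin_url( 'edit.php' );
    }

    // Only validated values reach the data layer.
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    update_post_meta( $post_id, 'myplugin_priority', $priority );

    wp_safe_redirect( $redirect );
    exit;
}
```

`wp_safe_redirect()` applies its own allowed-host check on top of the manual one, so an unexpected host degrades to the admin URL rather than an open redirect.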
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1651 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 10k+ | | | Text Domain Mismatch |
| #1652 | Piraeus Bank WooCommerce Payment Gateway | 37 | 146 | 104 | 3k+ | | | Non Singular String Literal Domain |
| #1653 | Viva Payments – Viva Wallet WooCommerce Payment Gateway | 37 | 33 | 33 | 1k+ | | | curl curl setopt |
| #1654 | SUMIT Payment Gateway for WooCommerce | 37 | 358 | 74 | 1k+ | | | Text Domain Mismatch |
| #1655 | Variation Swatches for WooCommerce | 37 | 92 | 103 | 10k+ | | | Output is not escaped |
| #1656 | Xendit Payment | 37 | 3 | 197 | 3k+ | | | Missing nonce verification |
| #1657 | Amazon Pay for WooCommerce | 37 | 29 | 117 | 20k+ | | | Non-prefixed class |
| #1658 | WP WooCommerce Mailchimp | 37 | 62 | 85 | 6k+ | | | Non-prefixed hook name |
| #1659 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | | | Output is not escaped |
| #1660 | Fix Media Library | 37 | 53 | 71 | 1k+ | | | Output is not escaped |
| #1661 | WP-Cron Control | 37 | 54 | 22 | 1k+ | | | Output is not escaped |
| #1662 | WP FullCalendar | 37 | 32 | 64 | 8k+ | | | Nonce verification recommended |
| #1663 | Persistent Login | 37 | 338 | 108 | 6k+ | | | Unsafe printing function |
| #1664 | ReCaptcha Integration for WordPress | 37 | 60 | 66 | 9k+ | | | Output is not escaped |
| #1665 | WPO365 \| MICROSOFT 365 GRAPH MAILER | 37 | 112 | 83 | 10k+ | | | Text Domain Mismatch |
| #1666 | WP VR – 360 Panorama and Virtual Tour Builder | 37 | 3 | 275 | 10k+ | | | Non-prefixed hook name |
| #1667 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | | | Output is not escaped |
| #1668 | Zoho Marketing Automation | 37 | 24 | 194 | 1k+ | | | Non-prefixed global variable |
| #1669 | Zendesk Chat | 37 | 44 | 67 | 10k+ | | | Output is not escaped |
| #1670 | Accessibility | 38 | 66 | 61 | 1k+ | | | Non-prefixed global variable |
| #1671 | AccessibleWP – Accessibility Toolbar | 38 | 381 | 26 | 20k+ | | | Text Domain Mismatch |
| #1672 | Parallax Scroll by adamrob.co.uk | 38 | 102 | 51 | 1k+ | | | Output is not escaped |
| #1673 | Add Customer for WooCommerce | 38 | 229 | 153 | 1k+ | | | Text Domain Mismatch |
| #1674 | Admin Bar Editor – Toolbar Customization with User Role based access & Custom menus | 38 | 56 | 46 | 3k+ | | | Output is not escaped |
| #1675 | Admin Bar & Dashboard Access Control | 38 | 94 | 37 | 3k+ | | | Text Domain Mismatch |
| #1676 | Admin Management Xtended | 38 | 280 | 161 | 5k+ | | | Output is not escaped |
| #1677 | AWCA – The Great Analytics Insights for Your eStore | 38 | 238 | 143 | 2k+ | | | Output is not escaped |
| #1678 | Advanced Product Search For WooCommerce | 38 | 160 | 38 | 4k+ | | | Text Domain Mismatch |
| #1679 | Advanced Sermons | 38 | 833 | 184 | 1k+ | | | Unsafe printing function |
| #1680 | Afterpay Gateway for WooCommerce | 38 | 183 | 62 | 10k+ | | | Text Domain Mismatch |
| #1681 | Announce from the Dashboard | 38 | 138 | 24 | 7k+ | | | Non Singular String Literal Domain |
| #1682 | Announcement Bar | 38 | 192 | 61 | 3k+ | | | Non Singular String Literal Domain |
| #1683 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | | | Output is not escaped |
| #1684 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | | | Nonce verification recommended |
| #1685 | Ashe Extra | 38 | 109 | 54 | 3k+ | | | Text Domain Mismatch |
| #1686 | Attachments | 38 | 238 | 66 | 8k+ | | | Unsafe printing function |
| #1687 | Author Category | 38 | 85 | 25 | 4k+ | | | Output is not escaped |
| #1688 | Autologin Links | 38 | 73 | 74 | 8k+ | | | Output is not escaped |
| #1689 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | | | Output is not escaped |
| #1690 | Bible Verse of the Day | 38 | 378 | 23 | 4k+ | | | Unsafe printing function |
| #1691 | SoftTech-IT bKash, Rocket, Nagad | 38 | 164 | 81 | 6k+ | | | Text Domain Mismatch |
| #1692 | Blogger Importer | 38 | 44 | 39 | 50k+ | | | Output is not escaped |
| #1693 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | | | Text Domain Mismatch |
| #1694 | Bulgarisation for WooCommerce | 38 | 122 | 587 | 5k+ | | | Nonce verification recommended |
| #1695 | Cecabank WooCommerce Plugin | 38 | 63 | 32 | 3k+ | | | Text Domain Mismatch |
| #1696 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | | | Missing nonce verification |
| #1697 | WPAppsDev – CF7 Form Submission Limit | 38 | 104 | 33 | 1k+ | | | Text Domain Mismatch |
| #1698 | Contact Form 7 – Post Fields | 38 | 167 | 25 | 3k+ | | | Text Domain Mismatch |
| #1699 | Checkout Files Upload for WooCommerce | 38 | 57 | 120 | 7k+ | | | Input is not sanitized |
| #1700 | CMS Tree Page View | 38 | 135 | 104 | 50k+ | | | Output is not escaped |