WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject values that do not pass validation, or fall back to a safe default instead of using them.
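An added example (not code from the page or from any of the plugins listed below) showing the pattern this sniff reports and a hardened form of the same handler. The plugin prefix `myplugin_`, the nonce action name, the meta key `_myplugin_status` and the allowed status values are placeholders.

```php
<?php
// Added example; myplugin_* names, the nonce action and the meta key are placeholders.

// BEFORE: sanitized but not validated. sanitize_text_field() only cleans the
// string; nothing proves the ID refers to a real post, that the status is one
// of the values the plugin understands, or that this user may change this post.
function myplugin_save_status_unvalidated() {
    $post_id = (int) $_POST['post_id'];
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ) );
    update_post_meta( $post_id, '_myplugin_status', $status );
}

// AFTER: nonce + capability check, positive-integer ID, allowlist, safe default.
function myplugin_save_status() {
    // State-changing request: prove intent (nonce) and authority (capability).
    check_admin_referer( 'myplugin_save_status', 'myplugin_nonce' );

    // ID must be a positive integer that names an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || null === get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), 400 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You may not edit this post.', 'myplugin' ), 403 );
    }

    // Enum-like value: sanitize first, then validate against an allowlist.
    $allowed = array( 'draft', 'review', 'published' );
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'draft'; // safe default rather than storing an unknown state
    }

    // Optional redirect target: constrain it to a host this site allows.
    $redirect = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    if ( '' === $redirect || '' === wp_validate_redirect( $redirect, '' ) ) {
        $redirect = admin_url( 'edit.php' );
    }

    update_post_meta( $post_id, '_myplugin_status', $status );
    wp_safe_redirect( $redirect );
    exit;
}
add_action( 'admin_post_myplugin_save_status', 'myplugin_save_status' );
```

The first function is exactly what the sniff flags: `(int)` and `sanitize_text_field()` change the shape of the value but never decide whether it is acceptable for this operation.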
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue |
|---|---|---|---|---|---|---|
| #1801 | Bing URL Submissions Plugin | 74 | 10 | 38 | 40k+ | Error Log |
| #1802 | Custom Icons for Elementor and WPBakery | 74 | 35 | 38 | 10k+ | Non Prefixed Variable Found |
| #1803 | Free Shipping Label and Progress Bar for WooCommerce | 74 | 60 | | 5k+ | Non Prefixed Hookname Found |
| #1804 | IndexNow Plugin | 74 | 14 | 29 | 100k+ | Error Log |
| #1805 | Keon Toolset | 74 | 4 | 28 | 30k+ | Non Prefixed Function Found |
| #1806 | Plugin Notes Plus | 74 | 2 | 42 | 9k+ | Non Prefixed Hookname Found |
| #1807 | Site Mailer – SMTP Replacement, Email API Deliverability & Email Log | 74 | 8 | 23 | 200k+ | Output Not Escaped |
| #1808 | Widgets in Menu for WordPress | 74 | 16 | 12 | 8k+ | Text Domain Mismatch |
| #1809 | Force Login | 74 | 5 | 8 | 30k+ | Output Not Escaped |
| #1810 | Admin Locale | 75 | 12 | 10 | 7k+ | Missing Arg Domain |
| #1811 | Custom Adobe Fonts (Typekit) | 75 | 11 | 33 | 60k+ | Non Prefixed Variable Found |
| #1812 | Hide Categories and Products for Woocommerce | 75 | 1 | 20 | 10k+ | Input Not Sanitized |
| #1813 | Matterport Shortcode | 75 | 21 | 30 | 3k+ | Text Domain Mismatch |
| #1814 | Simple Taxonomy Ordering | 75 | 7 | 10 | 20k+ | Direct Query |
| #1815 | Custom Product Tabs Lite for WooCommerce | 75 | 3 | 11 | 4k+ | Input Not Validated |
| #1816 | Search Regex | 76 | 6 | 25 | 100k+ | Direct Query |
| #1817 | WEN Featured Image | 76 | 1 | 18 | 3k+ | Input Not Validated |
| #1818 | Custom HTML Block Extension | 77 | 8 | 13 | 7k+ | Missing Direct File Access Protection |
| #1819 | Toggle wpautop | 77 | 4 | 15 | 9k+ | Trademarked Term |
| #1820 | Forget About Shortcode Buttons | 78 | 11 | 25 | 20k+ | Missing Direct File Access Protection |
| #1821 | RSS Includes Pages | 78 | 4 | 8 | 10k+ | Output Not Escaped |
| #1822 | Import / Export Customizer Settings | 79 | 5 | 13 | 50k+ | Input Not Sanitized |
| #1823 | Exclude Pages From Menu | 79 | 6 | 11 | 8k+ | Non Prefixed Function Found |
| #1824 | Qi Addons For Elementor | 79 | 33 | 339 | 200k+ | Non Prefixed Variable Found |
| #1825 | Remove Category URL – Remove 'category' base from category permalinks | 79 | 5 | 8 | 50k+ | Output Not Escaped |
| #1826 | Fluent PDF Generator | 80 | 102 | 6 | 20k+ | Text Domain Mismatch |
| #1827 | WP Video Popup – WordPress Video Lightbox for YouTube, Rumble & Vimeo | 80 | 5 | 14 | 9k+ | WP Function Not Compatible With Requires WP |
| #1828 | Melapress File Monitor | 80 | 16 | 90 | 6k+ | Non Prefixed Variable Found |
| #1829 | Auto iFrame | 81 | 2 | 11 | 3k+ | Input Not Sanitized |
| #1830 | Block Visibility — Conditional Visibility Control for the Block Editor | 81 | 7 | 11 | 40k+ | Input Not Sanitized |
| #1831 | Hostinger Tools | 81 | 14 | 22 | 3m+ | WP Function Not Compatible With Requires WP |
| #1832 | Orphans | 81 | 1 | 43 | 50k+ | Dynamic Hookname Found |
| #1833 | Catch Gallery | 82 | 1 | 35 | 10k+ | Non Prefixed Hookname Found |
| #1834 | Lazy Load for Videos | 82 | 6 | 37 | 9k+ | Non Prefixed Constant Found |
| #1835 | WP Fail2Ban Redux | 82 | 1 | 10 | 7k+ | Trademarked Term |
| #1836 | WP Mail From II | 82 | 3 | 7 | 5k+ | Trademarked Term |
| #1837 | Max upload filesize | 83 | 3 | 8 | 9k+ | Input Not Validated |
| #1838 | Change Admin Email | 84 | 4 | 4 | 50k+ | Missing |
| #1839 | Jotform – AI Chatbot | 84 | 1 | 8 | 5k+ | Input Not Validated |
| #1840 | JWT Authentication for WP REST API | 84 | 27 | 41 | 60k+ | WP Function Not Compatible With Requires WP |
| #1841 | Safelayout Cute Preloader – CSS3 WordPress Preloader | 84 | 3 | 14 | 10k+ | Input Not Validated |
| #1842 | WP Force Lowercase URLs | 84 | 2 | 9 | 6k+ | Trademarked Term |
| #1843 | Popups – Submission Messages For Contact Form 7 | 85 | 2 | 7 | 3k+ | Input Not Sanitized |
| #1844 | HSTS Ready | 85 | 3 | 11 | 3k+ | Input Not Validated |
| #1845 | Remove Footer Credit | 85 | 7 | 31 | 70k+ | Non Prefixed Variable Found |
| #1846 | Static 404 | 85 | 1 | 7 | 3k+ | Input Not Sanitized |
| #1847 | Widget CSS Classes | 85 | 47 | 8 | 90k+ | Non Singular String Literal Domain |
| #1848 | Classic Editor + | 86 | 1 | 4 | 40k+ | Input Not Sanitized |
| #1849 | Catch Infinite Scroll | 87 | 20 | | 10k+ | Non Prefixed Variable Found |
| #1850 | Redirect 404 to Homepage | 88 | 4 | 4 | 70k+ | Parse URL |