WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1951 | Import Users & Customers with Meta | WP Ultimate CSV Importer Add-on | 35 | 27 | 140 | 5k+ | Interpolated SQL is not prepared | ||
| #1952 | InPost PL | 35 | 2 | 925 | 10k+ | Non-prefixed global variable | ||
| #1953 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||
| #1954 | Instant CSS | 35 | 25 | 25 | 3k+ | Output is not escaped | ||
| #1955 | Instapage Plugin | 35 | 220 | 45 | 5k+ | Output is not escaped | ||
| #1956 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #1957 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #1958 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #1959 | Issuu PDF Sync | 35 | 159 | 28 | 900 | Text Domain Mismatch | ||
| #1960 | Jarvis | 35 | 10 | 19 | 500 | Input is not validated | ||
| #1961 | JetStyleManager for Gutenberg | 35 | 20 | 64 | 20k+ | Nonce verification recommended | ||
| #1962 | JSON Feed (jsonfeed.org) | 35 | 9 | 29 | 1k+ | Non-prefixed global variable | ||
| #1963 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | Output is not escaped | ||
| #1964 | JWT Auth – WordPress JSON Web Token Authentication | 35 | 14 | 18 | 6k+ | Output is not escaped | ||
| #1965 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing nonce verification | ||
| #1966 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output is not escaped | ||
| #1967 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #1968 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #1969 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #1970 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #1971 | Listamester | 35 | 17 | 16 | 600 | Output is not escaped | ||
| #1972 | Login-Logout | 35 | 104 | 8 | 3k+ | Output is not escaped | ||
| #1973 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #1974 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 266 | 127 | 5k+ | Output is not escaped | ||
| #1975 | MainWP Child Reports | 35 | 49 | 116 | 100k+ | Non-prefixed hook name | ||
| #1976 | Map Block for Google Maps | 35 | 6 | 5 | 20k+ | Hidden files included | ||
| #1977 | Mark Posts | 35 | 30 | 34 | 1k+ | Output is not escaped | ||
| #1978 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #1979 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped | ||
| #1980 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output is not escaped | ||
| #1981 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe printing function | ||
| #1982 | Mini Ajax Cart for WooCommerce | 35 | 297 | 240 | 900 | Text Domain Mismatch | ||
| #1983 | Mini Cart for WooCommerce – Add a Stylish Sliding Cart | 35 | 42 | 160 | 600 | Non-prefixed global variable | ||
| #1984 | MONEI Payments for WooCommerce | 35 | 15 | 65 | 500 | Non-prefixed hook name | ||
| #1985 | mosparo Integration | 35 | 114 | 301 | 900 | Missing nonce verification | ||
| #1986 | AI Product Search for WooCommerce – Motive Commerce Search | 35 | 70 | 82 | 400 | Missing direct file access protection | ||
| #1987 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | error log print r | ||
| #1988 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped | ||
| #1989 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch | ||
| #1990 | Ni WooCommerce Sales Report | 35 | 236 | 256 | 500 | Text Domain Mismatch | ||
| #1991 | Nooz | 35 | 287 | 108 | 500 | Text Domain Mismatch | ||
| #1992 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output is not escaped | ||
| #1993 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | ||
| #1994 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output is not escaped | ||
| #1995 | OSM Map Widget for Elementor | 35 | 183 | 14 | 9k+ | Text Domain Mismatch | ||
| #1996 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | ||
| #1997 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | Output is not escaped | ||
| #1998 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | Non Singular String Literal Domain | ||
| #1999 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | ||
| #2000 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared |