WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found a value read from a request superglobal being used without validation, such as a capability check, an allowlist, a type check, or a range check.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
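As an added illustration of the three fix steps above (not code from the page or from any plugin listed on it), here is an admin-post handler written the way the sniff would flag it, next to a version that validates every request value before acting on it. The `myplug_` prefix, the `myplug_set_status` action name, the `post_id`/`status`/`redirect_to` parameters and the allowed status set are assumptions for the example; the WordPress functions used are real core APIs.

```php
<?php
// Added example (not from the page): an admin-post handler showing the
// unvalidated pattern the sniff flags, beside a validated version.
// The myplug_ prefix, action name and parameter names are assumptions.

// BEFORE: request data reaches the update untouched. The post ID is never
// checked to be a positive integer, the status is never checked against the
// allowed set, and there is no nonce or capability check.
function myplug_set_status_unvalidated() {
    $post_id = $_GET['post_id'];
    $status  = $_POST['status'];
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
}

// AFTER: nonce + capability, then type/range and allowlist checks. Anything
// that fails validation is rejected or replaced with a safe default, never
// "cleaned up" and passed along.
function myplug_set_status_validated() {
    // 1. ID must be a positive integer. absint() coerces; the range check
    //    is what actually validates it.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
    if ( $post_id < 1 ) {
        wp_die( 'Invalid post ID.', '', array( 'response' => 400 ) );
    }

    // 2. State change: nonce bound to this action and this object, then a
    //    capability check scoped to the object being changed.
    check_admin_referer( 'myplug_set_status_' . $post_id );
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to change this post.', '', array( 'response' => 403 ) );
    }

    // 3. Enum-like value: sanitize, then validate against an allowlist with
    //    strict comparison.
    $allowed = array( 'draft', 'pending', 'publish' );
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Invalid status.', '', array( 'response' => 400 ) );
    }

    // 4. Optional redirect target: constrain to a well-formed HTTP(S) URL and
    //    safely default when it does not validate, instead of trusting input.
    $redirect = isset( $_POST['redirect_to'] )
        ? wp_http_validate_url( wp_unslash( $_POST['redirect_to'] ) )
        : false;
    if ( false === $redirect ) {
        $redirect = admin_url( 'edit.php' );
    }

    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_safe_redirect( $redirect ); // second layer: restricts redirects to allowed hosts
    exit;
}
add_action( 'admin_post_myplug_set_status', 'myplug_set_status_validated' );
```

The link or form that triggers the action is expected to carry a nonce generated with `wp_create_nonce( 'myplug_set_status_' . $post_id )` (for example via `wp_nonce_url()`), so that `check_admin_referer()` can match it. Note the ordering: the ID is validated first because the nonce action is derived from it, and `wp_safe_redirect()` is kept even though the URL was validated, since validation proves the value is a URL while `wp_safe_redirect()` proves it points somewhere this site allows.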
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Ni WooCommerce Sales Report | 35 | 236 | 256 | 500 | | | Text Domain Mismatch |
| #2002 | Nooz | 35 | 287 | 108 | 500 | | | Text Domain Mismatch |
| #2003 | One Page Express Companion | 35 | 132 | 65 | 10k+ | | | Output is not escaped |
| #2004 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | | | Text Domain Mismatch |
| #2005 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | | | Output is not escaped |
| #2006 | OSM Map Widget for Elementor | 35 | 183 | 14 | 9k+ | | | Text Domain Mismatch |
| #2007 | Page Optimize | 35 | 70 | 41 | 200k+ | | | Non Singular String Literal Domain |
| #2008 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | | | Output is not escaped |
| #2009 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | | | Non Singular String Literal Domain |
| #2010 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | | | Missing Arg Domain |
| #2011 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | | | SQL query is not prepared |
| #2012 | PiWeb Delivery & Pickup Date Time for WooCommerce | 35 | 377 | 163 | 500 | | | Text Domain Mismatch |
| #2013 | Planyo online reservation system | 35 | 64 | 90 | 400 | | | Output is not escaped |
| #2014 | Plausible Analytics | 35 | 244 | 61 | 10k+ | | | Exception output is not escaped |
| #2015 | Accept Cryptocurrencies with Plisio | 35 | 37 | 47 | 1k+ | | | Text Domain Mismatch |
| #2016 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 168 | 29 | 20k+ | | | Output is not escaped |
| #2017 | Popular Posts | 35 | 166 | 71 | 900 | | | Unsafe printing function |
| #2018 | Popup with fancybox | 35 | 196 | 168 | 1k+ | | | Unsafe printing function |
| #2019 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | | | Output is not escaped |
| #2020 | Post Draft Preview | 35 | 49 | 69 | 700 | | | Text Domain Mismatch |
| #2021 | Post List Featured Image | 35 | 112 | 100 | 900 | | | Output is not escaped |
| #2022 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | | | Non-prefixed global variable |
| #2023 | Post Password Token | 35 | 132 | 38 | 600 | | | Text Domain Mismatch |
| #2024 | Protect the Children! | 35 | 2 | 34 | 1k+ | | | Missing nonce verification |
| #2025 | Publitio | 35 | 47 | 26 | 400 | | | curl curl setopt |
| #2026 | Push Notifications by LaraPush | 35 | 32 | 76 | 4k+ | | | Non-prefixed global variable |
| #2027 | Push7 | 35 | 45 | 17 | 700 | | | Short PHP open tag found |
| #2028 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | | | Output is not escaped |
| #2029 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | | | Output is not escaped |
| #2030 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | | | Non-prefixed global variable |
| #2031 | Reseller Store | 35 | 56 | 34 | 1k+ | | | Output is not escaped |
| #2032 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | | | Output is not escaped |
| #2033 | Reveal IDs | 35 | 23 | 13 | 40k+ | | | Output is not escaped |
| #2034 | Robots.txt rewrite | 35 | 56 | 19 | 1k+ | | | Output is not escaped |
| #2035 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | | | Text Domain Mismatch |
| #2036 | Scroll Styler | 35 | 52 | 21 | 900 | | | Output is not escaped |
| #2037 | Internal Links Manager | 35 | 188 | 121 | 10k+ | | | Output is not escaped |
| #2038 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 84 | 1m+ | | | Request data is not unslashed |
| #2039 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | | | Text Domain Mismatch |
| #2040 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | | | Missing Version |
| #2041 | SHOPVOTE | 35 | 64 | 58 | 400 | | | curl curl setopt |
| #2042 | Shortcake (Shortcode UI) | 35 | 9 | 39 | 10k+ | | | Request data is not unslashed |
| #2043 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | | | Output is not escaped |
| #2044 | Simple Export Import for ACF Data | 35 | 19 | 64 | 1k+ | | | Request data is not unslashed |
| #2045 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | | | Unsafe printing function |
| #2046 | Simple Analytics | 35 | 24 | 20 | 1k+ | | | Output is not escaped |
| #2047 | SiteOrigin CSS | 35 | 61 | 84 | 100k+ | | | Not In Footer |
| #2048 | WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat | 35 | 28 | 31 | 90k+ | | | Input is not sanitized |
| #2049 | Quiz Maker, Poll Maker & Survey Maker by Opinion Stage | 35 | 42 | 32 | 6k+ | | | Output is not escaped |
| #2050 | Social Sharing Plugin – Social Warfare | 35 | 17 | 143 | 20k+ | | | Non-prefixed class |