# WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
## Why It Shows Up
The scan found a value taken from a request superglobal (such as `$_GET`, `$_POST` or `$_REQUEST`) being used without any validation step: no capability check, allowlist, type check, or range check between the request and the operation.
## Why It Matters
Sanitization cleans a value; validation proves the value is acceptable for the operation. A sanitized but unvalidated value can still trigger an action the user should not be able to take, store an invalid state, or select an unsafe query.
## How to Fix
- Check that IDs are positive integers, that enum-like values are in an allowlist, and that URLs or file paths are constrained to what the operation expects.
- Pair state-changing requests with both a nonce check and a capability check.
- Reject values that fail validation, or fall back to a safe default instead of using them.
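The following before/after pair is an added example, not code from the scanner or from any plugin in the table below. It assumes a hypothetical plugin with the `myplugin_` prefix, an admin-post handler that receives a post ID, a visibility mode and a redirect URL, and a helper `myplugin_validate_local_url()` that is defined here and is not a WordPress API. The first function shows the pattern this sniff flags (sanitized, never validated); the second applies each item from the list above.

```php
<?php
/**
 * Added example, not the scanner's or any listed plugin's code.
 * Hypothetical handler: reads a post ID, a visibility mode and a redirect
 * URL from $_POST. All 'myplugin_' names are assumptions for illustration.
 */

// BEFORE: every value is sanitized, none is validated. This is the pattern
// the InputNotValidated sniff reports.
function myplugin_save_settings_unvalidated() {
    $post_id = absint( $_POST['post_id'] );                         // 0 or any integer passes
    $mode    = sanitize_text_field( wp_unslash( $_POST['mode'] ) ); // any string passes
    $url     = esc_url_raw( wp_unslash( $_POST['redirect'] ) );     // any host passes

    update_post_meta( $post_id, '_myplugin_mode', $mode );
    update_post_meta( $post_id, '_myplugin_redirect', $url );
    wp_safe_redirect( $url );
    exit;
}

// AFTER: the state change is gated behind a nonce and a capability check,
// and every value is proven acceptable (or replaced) before it is used.
function myplugin_save_settings() {
    // 1. The request must be intentional (nonce) before anything else runs.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // 2. IDs must be positive integers that refer to an existing post.
    $post_id = filter_var(
        isset( $_POST['post_id'] ) ? wp_unslash( $_POST['post_id'] ) : '',
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( false === $post_id || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), '', array( 'response' => 400 ) );
    }

    // 3. The current user must be allowed to change this specific post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You are not allowed to edit this post.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // 4. Enum-like values are checked against an allowlist with strict comparison.
    $allowed_modes = array( 'public', 'members', 'hidden' );
    $mode          = isset( $_POST['mode'] ) ? sanitize_key( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, $allowed_modes, true ) ) {
        $mode = 'hidden'; // safe default instead of storing an unknown mode
    }

    // 5. URLs are constrained to http(s) on this site's own host.
    $url = myplugin_validate_local_url( isset( $_POST['redirect'] ) ? wp_unslash( $_POST['redirect'] ) : '' );
    if ( null === $url ) {
        $url = admin_url( 'edit.php' ); // reject: fall back to a known-good location
    }

    update_post_meta( $post_id, '_myplugin_mode', $mode );
    update_post_meta( $post_id, '_myplugin_redirect', $url );
    wp_safe_redirect( $url );
    exit;
}

/**
 * Return $raw if it is an http(s) URL whose host matches this site's host,
 * otherwise null. Helper written for this example; not a WordPress API.
 */
function myplugin_validate_local_url( $raw ) {
    $url = esc_url_raw( (string) $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return null; // empty, or a scheme outside the allowlist
    }
    $host = wp_parse_url( $url, PHP_URL_HOST );
    $home = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( ! $host || ! $home || strtolower( $host ) !== strtolower( $home ) ) {
        return null; // off-site or host-less URL
    }
    return $url;
}

add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

The order matters: the nonce check runs first so that no database lookup happens for a forged request, the capability check is tied to the specific `$post_id` rather than a blanket `manage_options`, and the allowlist uses `in_array( ..., true )` so that loose comparison cannot match an unexpected type. `wp_safe_redirect()` already restricts redirect hosts via `allowed_redirect_hosts`, but validating the URL before it is stored keeps an off-site value out of post meta as well.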
## Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2101 | WPS Hide Login | 41 | 34 | 72 | 2m+ | | | Nonce verification recommended |
| #2102 | Add to Home Screen & Progressive Web App | 42 | 23 | 68 | 1k+ | | | Request data is not unslashed |
| #2103 | Advanced FAQ Manager | 42 | 9 | 59 | 2k+ | | | Input is not sanitized |
| #2104 | 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条 | 42 | 17 | 38 | 2k+ | | | Input is not sanitized |
| #2105 | Bazz CallBack widget | 42 | 51 | 22 | 3k+ | | | Unsafe printing function |
| #2106 | Booking.com Official Search Box | 42 | 36 | 32 | 2k+ | | | Output is not escaped |
| #2107 | Bulk Change Media Author | 42 | 25 | 20 | 2k+ | | | Unsafe printing function |
| #2108 | Cities Shipping Zones for WooCommerce | 42 | 94 | 44 | 4k+ | | | Text Domain Mismatch |
| #2109 | Clover Payments for WooCommerce | 42 | 25 | 15 | 2k+ | | | Exception output is not escaped |
| #2110 | Companion Revision Manager – Revision Control | 42 | 18 | 28 | 4k+ | | | Unsafe printing function |
| #2111 | Contact Form 7 add confirm | 42 | 31 | 51 | 50k+ | | | Text Domain Mismatch |
| #2112 | Custom Taxonomy Order | 42 | 20 | 56 | 50k+ | | | Output is not escaped |
| #2113 | Delete Expired Transients | 42 | 49 | 65 | 5k+ | | | Direct Query |
| #2114 | Disable Comments | 42 | 44 | 19 | 100k+ | | | Unsafe printing function |
| #2115 | Easy Video Player | 42 | 20 | 20 | 20k+ | | | Output is not escaped |
| #2116 | Embedly | 42 | 17 | 38 | 2k+ | | | Output is not escaped |
| #2117 | Etsy Shop | 42 | 58 | 21 | 3k+ | | | Unsafe printing function |
| #2118 | Exclude Pages | 42 | 31 | 14 | 30k+ | | | Non Singular String Literal Domain |
| #2119 | File Media Renamer | 42 | 16 | 42 | 2k+ | | | Input is not sanitized |
| #2120 | Flexible Editor Panel for Elementor | 42 | 154 | 42 | 20k+ | | | Text Domain Mismatch |
| #2121 | FooTable | 42 | 86 | 7 | 1k+ | | | Output is not escaped |
| #2122 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | | | Text Domain Mismatch |
| #2123 | Lock Down Admin | 42 | 30 | 20 | 3k+ | | | Unsafe printing function |
| #2124 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | | | Nonce verification recommended |
| #2125 | Hide Featured Image | 42 | 26 | 12 | 10k+ | | | Unsafe printing function |
| #2126 | HTML Editor Syntax Highlighter | 42 | 30 | 21 | 50k+ | | | Output is not escaped |
| #2127 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | | | Output is not escaped |
| #2128 | iOS images fixer | 42 | 22 | 42 | 6k+ | | | Nonce verification recommended |
| #2129 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | | | Unsafe printing function |
| #2130 | Image and Video Lightbox, Image PopUp | 42 | 53 | 15 | 1k+ | | | Output is not escaped |
| #2131 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | | | Unsafe printing function |
| #2132 | Manage User Columns | 42 | 15 | 27 | 1k+ | | | Request data is not unslashed |
| #2133 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | | | Missing nonce verification |
| #2134 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | | | Output is not escaped |
| #2135 | OG Tags | 42 | 131 | 34 | 2k+ | | | Non Singular String Literal Domain |
| #2136 | OnPay.io for WooCommerce | 42 | 238 | 37 | 2k+ | | | Text Domain Mismatch |
| #2137 | PageMenu | 42 | 16 | 29 | 1k+ | | | Missing nonce verification |
| #2138 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | | | Output is not escaped |
| #2139 | Polylang Theme Strings | 42 | 119 | 30 | 6k+ | | | Output is not escaped |
| #2140 | Post Types Order | 42 | 45 | 43 | 600k+ | | | wp function not compatible with requires wp |
| #2141 | Posts Like Dislike | 42 | 157 | 39 | 6k+ | | | Non Singular String Literal Domain |
| #2142 | PuSHPress | 42 | 11 | 65 | 20k+ | | | Missing nonce verification |
| #2143 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | | | Output is not escaped |
| #2144 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | | | Output is not escaped |
| #2145 | Republish Old Posts | 42 | 83 | 24 | 2k+ | | | Output is not escaped |
| #2146 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | | | Output is not escaped |
| #2147 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | | | Non Singular String Literal Domain |
| #2148 | Simple Side Tab | 42 | 29 | 17 | 10k+ | | | Unsafe printing function |
| #2149 | SMTP Mailer | 42 | 51 | 49 | 70k+ | | | Unsafe printing function |
| #2150 | Speed Contact Bar | 42 | 53 | 20 | 5k+ | | | Output is not escaped |