WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found a value from a request superglobal (`$_GET`, `$_POST`, `$_REQUEST`, and similar) being used without any validation step, such as a capability check, an allowlist, a type check, or a range check.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
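The three fixes above, applied together in one handler, as an added example that is not code from the page or from any of the plugins it lists. The action name `myplugin_set_status`, the text domain `myplugin`, and the request fields `post_id`, `status` and `redirect_to` are assumptions for illustration; every WordPress function used is a core function.

```php
<?php
// Added example (hypothetical plugin code): an admin-post.php handler that
// validates each request value before acting on it.
add_action( 'admin_post_myplugin_set_status', 'myplugin_handle_set_status' );

function myplugin_handle_set_status() {
    // State-changing request: verify the nonce first, then the capability.
    check_admin_referer( 'myplugin_set_status' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // ID: unslash and sanitize to a non-negative integer, then VALIDATE that
    // it is positive and names a post this user may edit. absint() alone
    // would happily turn "abc" into 0 and let the request continue.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( 0 === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Invalid post.', 'myplugin' ), 400 );
    }

    // Enum-like value: sanitize, then require membership in an allowlist.
    // sanitize_key() would pass 'trash' through untouched; only the strict
    // in_array() check proves the value is one the operation expects.
    $allowed_statuses = array( 'draft', 'pending', 'publish' );
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        $status = 'draft'; // safe default instead of trusting the request
    }

    // URL: sanitize, then constrain it to this site's admin area so the
    // request cannot choose an arbitrary redirect target.
    $redirect = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    if ( '' === $redirect || 0 !== strpos( $redirect, admin_url() ) ) {
        $redirect = admin_url( 'edit.php' );
    }

    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_safe_redirect( $redirect );
    exit;
}
```

The pattern is the same for every field: unslash, sanitize, then a validation step that either rejects the request or falls back to a known-safe default.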
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2151 | Transients Manager | 42 | 45 | 50 | 20k+ | | | Output is not escaped |
| #2152 | Two Factor | 42 | 18 | 70 | 100k+ | | | Nonce verification recommended |
| #2153 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 10k+ | | | Non-prefixed global variable |
| #2154 | Abandoned Cart Recovery for WooCommerce | 42 | 20 | 183 | 4k+ | | | Request data is not unslashed |
| #2155 | Auto Coupons for WooCommerce | 42 | 81 | 68 | 4k+ | | | Output is not escaped |
| #2156 | Dynamic Remarketing for Google Ads and WooCommerce | 42 | 32 | 15 | 2k+ | | | Output is not escaped |
| #2157 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | | | Request data is not unslashed |
| #2158 | WP Content Copy Protection & No Right Click | 42 | 126 | 135 | 100k+ | | | Unsafe printing function |
| #2159 | WP Media Category Management | 42 | 9 | 180 | 6k+ | | | Nonce verification recommended |
| #2160 | WP QuickLaTeX | 42 | 41 | 60 | 5k+ | | | Non-prefixed global variable |
| #2161 | WP Responsive Table | 42 | 42 | 10 | 6k+ | | | Output is not escaped |
| #2162 | WPTerm | 42 | 61 | 89 | 3k+ | | | Output is not escaped |
| #2163 | Admin Custom Login | 43 | 238 | | 20k+ | | | Request data is not unslashed |
| #2164 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | | | Nonce verification recommended |
| #2165 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | | | Non Singular String Literal Domain |
| #2166 | AMP | 43 | 63 | 362 | 400k+ | | | Non-prefixed hook name |
| #2167 | Anti-spam Reloaded | 43 | 19 | 19 | 2k+ | | | Output is not escaped |
| #2168 | Category Editor | 43 | 54 | 18 | 8k+ | | | Unsafe printing function |
| #2169 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | | | Output is not escaped |
| #2170 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | | | Nonce verification recommended |
| #2171 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | | | Input is not sanitized |
| #2172 | Event Tracking for Gravity Forms | 43 | 34 | 25 | 20k+ | | | rand mt rand |
| #2173 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 43 | 12 | 32 | 7k+ | | | Request data is not unslashed |
| #2174 | Make Tables Responsive | 43 | 31 | 102 | 6k+ | | | Input is not validated |
| #2175 | Post title marquee scroll | 43 | 43 | 25 | 1k+ | | | Output is not escaped |
| #2176 | reCAPTCHA for MW WP Form | 43 | 37 | 14 | 30k+ | | | Non Singular String Literal Domain |
| #2177 | Redirect List | 43 | 34 | 22 | 1k+ | | | Output is not escaped |
| #2178 | Simple Revisions Delete | 43 | 16 | 26 | 10k+ | | | Output is not escaped |
| #2179 | Snazzy Maps | 43 | 9 | 62 | 30k+ | | | Request data is not unslashed |
| #2180 | Team Builder Member Showcase | 43 | 14 | 127 | 1k+ | | | Non-prefixed global variable |
| #2181 | Term Management Tools | 43 | 9 | 26 | 10k+ | | | Non-prefixed hook name |
| #2182 | Theme Switcha – Easily Switch Themes for Development and Testing | 43 | 42 | 53 | 7k+ | | | Output is not escaped |
| #2183 | Theme Test Drive | 43 | 39 | 16 | 7k+ | | | Output is not escaped |
| #2184 | Uber reCaptcha | 43 | 129 | 45 | 1k+ | | | Text Domain Mismatch |
| #2185 | UPI QR Code Payment Gateway for WooCommerce | 43 | 42 | 28 | 20k+ | | | Output is not escaped |
| #2186 | User Role Editor | 43 | 117 | 145 | 700k+ | | | Output is not escaped |
| #2187 | WP Extra File Types | 43 | 11 | 26 | 40k+ | | | Request data is not unslashed |
| #2188 | Active Campaign & Contact Form 7 | 43 | 40 | 27 | 3k+ | | | Output is not escaped |
| #2189 | Admin login URL Change | 44 | 38 | 11 | 2k+ | | | Output is not escaped |
| #2190 | Advanced Dynamic Pricing and Discount Rules for WooCommerce | 44 | 2 | 813 | 20k+ | | | Non-prefixed namespace |
| #2191 | Code Widget | 44 | 60 | 33 | 4k+ | | | Text Domain Mismatch |
| #2192 | Coming soon and Maintenance mode | 44 | 14 | 43 | 9k+ | | | Request data is not unslashed |
| #2193 | Image Widget | 44 | 48 | 5 | 3k+ | | | Output is not escaped |
| #2194 | Ocean Modal Window | 44 | 26 | 44 | 10k+ | | | Output is not escaped |
| #2195 | Post Grid | 44 | 33 | 208 | 30k+ | | | Non-prefixed global variable |
| #2196 | User Posts Limit | 44 | 82 | 22 | 2k+ | | | Output is not escaped |
| #2197 | ReCaptcha v2 for Contact Form 7 | 44 | 12 | 30 | 200k+ | | | Nonce verification recommended |
| #2198 | Gateway zibal for Woocommerce | 44 | 70 | 24 | 5k+ | | | Text Domain Mismatch |
| #2199 | Ajax Archive Calendar | 45 | 40 | 18 | 1k+ | | | date date |
| #2200 | Breadcrumb – Breadcrumb for WooCommerce and Custom Post Types | 45 | 3 | 107 | 10k+ | | | Request data is not unslashed |