WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject values that fail validation, or fall back to a known-safe default instead of using the raw value.
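The three steps above, shown together in one admin-side form handler. This is an added example, not code from the scanner or from any plugin in the list below; the `myplugin_*` names, the allowed status values, the `templates/` directory and the `per_page` bounds are assumptions chosen for illustration. Every check happens before the request is acted on, and a value that fails a check is either rejected with an error or replaced by a fixed default.

```php
<?php
// Added example, not from the scanner page or any listed plugin.
// Assumed names: myplugin_update_status (action), myplugin_* functions,
// a plugin-local templates/ directory and the status allowlist below.

add_action( 'admin_post_myplugin_update_status', 'myplugin_handle_update_status' );

function myplugin_handle_update_status() {
    // Capability check before anything else: this is a state-changing request.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // Nonce check: the form must carry _wpnonce bound to this action.
    check_admin_referer( 'myplugin_update_status' );

    // Type and range check: IDs must be positive integers that refer to a real post.
    // absint() turns a non-numeric string into 0, which fails the test below.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( $post_id < 1 || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), 400 );
    }

    // Object-level capability check: may this user edit this particular post?
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You may not edit this post.', 'myplugin' ), 403 );
    }

    // Allowlist check for an enum-like value. sanitize_key() cleans the string,
    // but only the strict in_array() proves it is one of the accepted choices.
    $allowed_statuses = array( 'draft', 'pending', 'publish' );
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        wp_die( esc_html__( 'Invalid status.', 'myplugin' ), 400 );
    }

    // Constrained file path: accept only a bare file name that exists inside the
    // plugin's own templates directory; anything else falls back to the default.
    $template     = isset( $_POST['template'] ) ? sanitize_file_name( wp_unslash( $_POST['template'] ) ) : 'default.php';
    $template_dir = plugin_dir_path( __FILE__ ) . 'templates/';
    if ( basename( $template ) !== $template
        || 0 !== validate_file( $template )
        || ! is_file( $template_dir . $template ) ) {
        $template = 'default.php';
    }

    // Constrained URL: an optional redirect target must stay on this site.
    // wp_validate_redirect() returns the fallback for any off-site location.
    $redirect = isset( $_POST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_to'] ) ) : '';
    $redirect = wp_validate_redirect( $redirect, admin_url( 'edit.php' ) );

    // Range check with a safe default rather than rejection.
    $per_page = isset( $_POST['per_page'] ) ? absint( wp_unslash( $_POST['per_page'] ) ) : 20;
    if ( $per_page < 1 || $per_page > 100 ) {
        $per_page = 20;
    }

    // Only validated values reach the operations that change state.
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    update_user_meta( get_current_user_id(), 'myplugin_per_page', $per_page );
    update_user_meta( get_current_user_id(), 'myplugin_template', $template );

    wp_safe_redirect( $redirect );
    exit;
}
```

The order matters: the capability and nonce checks run before any request value is read, so an unauthorized or forged request never reaches the validation logic. Sanitizing calls such as `absint()` and `sanitize_key()` appear only as a step on the way to a validation decision (`< 1`, `in_array()`, `validate_file()`), which is the distinction this rule is about.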
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | ReCaptcha v2 for Contact Form 7 | 44 | 12 | 30 | 200k+ | | | Nonce verification recommended |
| #2202 | Gateway zibal for Woocommerce | 44 | 70 | 24 | 5k+ | | | Text Domain Mismatch |
| #2203 | Ajax Archive Calendar | 45 | 40 | 18 | 1k+ | | | date date |
| #2204 | Breadcrumb – Breadcrumb for WooCommerce and Custom Post Types | 45 | 3 | 107 | 10k+ | | | Request data is not unslashed |
| #2205 | Goftino | 45 | 16 | 20 | 10k+ | | | Output is not escaped |
| #2206 | Hyper Cache | 45 | 36 | 100 | 8k+ | | | Non-prefixed global variable |
| #2207 | Icons Font Loader – Load Web Fonts and Icon Libraries | 45 | 47 | 33 | 2k+ | | | Text Domain Mismatch |
| #2208 | Inazo's flamingo automatically delete old messages | 45 | 33 | 20 | 4k+ | | | Output is not escaped |
| #2209 | LWS Hide Login | 45 | 5 | 58 | 20k+ | | | Request data is not unslashed |
| #2210 | Quick Interest Slider | 45 | 1 | 48 | 1k+ | | | Missing nonce verification |
| #2211 | reCAPTCHA for Asgaros Forum | 45 | 21 | 36 | 4k+ | | | Input is not validated |
| #2212 | Related Posts By PickPlugins | 45 | 4 | 84 | 4k+ | | | Non-prefixed global variable |
| #2213 | Super Blank | 45 | 131 | 56 | 10k+ | | | Missing direct file access protection |
| #2214 | SyntaxHighlighter Evolved | 45 | 33 | 46 | 20k+ | | | Not In Footer |
| #2215 | VietQR | 45 | 32 | 39 | 5k+ | | | Text Domain Mismatch |
| #2216 | Payrexx Payment Gateway for WooCommerce | 45 | 17 | 117 | 2k+ | | | Non-prefixed class |
| #2217 | wpDataTables integration for Forminator Forms | 45 | 62 | 38 | 1k+ | | | Text Domain Mismatch |
| #2218 | ARI Stream Quiz – WordPress Quizzes Builder | 46 | 21 | 239 | 2k+ | | | Non-prefixed global variable |
| #2219 | Better image sizes | 46 | 45 | 23 | 2k+ | | | Text Domain Mismatch |
| #2220 | Delete Multiple Themes | 46 | 39 | 5 | 1k+ | | | Text Domain Mismatch |
| #2221 | DX Delete Attached Media | 46 | 32 | 8 | 4k+ | | | Output is not escaped |
| #2222 | Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress | 46 | 16 | 247 | 10k+ | | | Non-prefixed global variable |
| #2223 | Prevent Browser Caching | 46 | 19 | 10 | 10k+ | | | Unsafe printing function |
| #2224 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | | | Non Singular String Literal Domain |
| #2225 | WEN Logo Slider | 46 | 6 | 46 | 1k+ | | | Non-prefixed global variable |
| #2226 | Custom Price Labels for WooCommerce | 46 | 17 | 22 | 1k+ | | | Output is not escaped |
| #2227 | 3CX Free Live Chat, Calls & Messaging | 46 | 24 | 16 | 100k+ | | | Output is not escaped |
| #2228 | Widget Disable | 46 | 19 | 19 | 10k+ | | | Output is not escaped |
| #2229 | Zoho Mail for WordPress | 46 | 29 | 48 | 20k+ | | | Request data is not unslashed |
| #2230 | Verified Member for BuddyPress | 47 | 20 | 38 | 3k+ | | | Nonce verification recommended |
| #2231 | Cashfree for WooCommerce | 47 | 21 | 21 | 8k+ | | | Nonce verification recommended |
| #2232 | Customizer Export/Import | 47 | 14 | 15 | 100k+ | | | Unsafe printing function |
| #2233 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 21 | 21 | 20k+ | | | Missing direct file access protection |
| #2234 | Gateway AqayePardakht for Woocommerce | 47 | 72 | 23 | 4k+ | | | Text Domain Mismatch |
| #2235 | Store Locator for WordPress📍 | 47 | 51 | 21 | 1k+ | | | Missing Arg Domain |
| #2236 | Userback | 47 | 13 | 20 | 2k+ | | | Output is not escaped |
| #2237 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | | | Missing direct file access protection |
| #2238 | Website Article Monetization By MageNet | 47 | 17 | 24 | 10k+ | | | Output is not escaped |
| #2239 | WP Custom Author URL | 47 | 16 | 38 | 5k+ | | | Non-prefixed global variable |
| #2240 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 20k+ | | | Non-prefixed global variable |
| #2241 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | | | Text Domain Mismatch |
| #2242 | Convertful – Your Ultimate On-Site Conversion Tool | 48 | 15 | 34 | 3k+ | | | wp function not compatible with requires wp |
| #2243 | Current Menu Item for Custom Post Types | 48 | 18 | 30 | 2k+ | | | Non-prefixed global variable |
| #2244 | Fixed And Sticky Header | 48 | 31 | 7 | 1k+ | | | Output is not escaped |
| #2245 | JW Player for WordPress | 48 | 289 | 80 | 1k+ | | | Text Domain Mismatch |
| #2246 | Raw HTML Snippets | 48 | 14 | 36 | 2k+ | | | Input is not sanitized |
| #2247 | External Links | 48 | 42 | 13 | 9k+ | | | Output is not escaped |
| #2248 | ThemeFarmer Companion | 48 | 54 | 51 | 2k+ | | | Missing Version |
| #2249 | Flutterwave Payment Gateway for WooCommerce | 48 | 14 | 22 | 2k+ | | | Output is not escaped |
| #2250 | WP Login Form | 48 | 14 | 20 | 7k+ | | | Request data is not unslashed |