WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2351 | .htaccess Site Access Control | 37 | 54 | 67 | 800 | Input is not sanitized | ||
| #2352 | Image Optimizer by 10web – Image Optimizer and Compression plugin | 37 | 244 | 45 | 3k+ | Text Domain Mismatch | ||
| #2353 | Images Optimize and Upload CF7 | 37 | 130 | 36 | 600 | Non Singular String Literal Domain | ||
| #2354 | Images to WebP | 37 | 39 | 50 | 9k+ | curl curl setopt | ||
| #2355 | Injection Guard | 37 | 86 | 45 | 1k+ | Unsafe printing function | ||
| #2356 | Job Manager & Career – Manage job board listings, and recruitments | 37 | 112 | 205 | 2k+ | Missing nonce verification | ||
| #2357 | JS Help Desk – AI-Powered Support & Ticketing System | 37 | 17 | 406 | 7k+ | Missing nonce verification | ||
| #2358 | JVM Rich Text Icons | 37 | 87 | 34 | 3k+ | Output is not escaped | ||
| #2359 | Language Switcher | 37 | 81 | 105 | 1k+ | Missing Translators Comment | ||
| #2360 | LH Archived Post Status | 37 | 150 | 64 | 3k+ | Text Domain Mismatch | ||
| #2361 | PiWeb Live sales notification for WooCommerce | 37 | 289 | 77 | 30k+ | Text Domain Mismatch | ||
| #2362 | LiveAgent – Omnichannel Help Desk & Live Chat Software | 37 | 125 | 142 | 400 | Non Singular String Literal Domain | ||
| #2363 | LiveJournal Importer | 37 | 86 | 67 | 8k+ | Output is not escaped | ||
| #2364 | Maintenance Page | 37 | 62 | 33 | 3k+ | Output is not escaped | ||
| #2365 | Max Mega Menu | 37 | 249 | 174 | 300k+ | Output is not escaped | ||
| #2366 | Meks Video Importer | 37 | 62 | 239 | 2k+ | Input is not sanitized | ||
| #2367 | CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor | 37 | 47 | 90 | 40k+ | Dynamic hook name | ||
| #2368 | Monobank WP Payment | 37 | 78 | 41 | 1k+ | Text Domain Mismatch | ||
| #2369 | My Post Order | 37 | 100 | 114 | 400 | Output is not escaped | ||
| #2370 | Nearby Now Reviews and Audio Testimonials | 37 | 66 | 67 | 1k+ | wp function not compatible with requires wp | ||
| #2371 | news ticker benaceur | 37 | 1,097 | 31 | 1k+ | Output is not escaped | ||
| #2372 | NextGEN Scroll Gallery | 37 | 33 | 28 | 1k+ | Output is not escaped | ||
| #2373 | Ninja Van (MY) | 37 | 21 | 258 | 1k+ | Non-prefixed global variable | ||
| #2374 | Off-Canvas Sidebars & Menus (Slidebars) | 37 | 457 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #2375 | Sendle Shipping Plugin | 37 | 91 | 64 | 800 | wp function not compatible with requires wp | ||
| #2376 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 3k+ | Text Domain Mismatch | ||
| #2377 | Page scroll to id | 37 | 38 | 120 | 100k+ | Missing nonce verification | ||
| #2378 | PayU CommercePro Plugin | 37 | 218 | 7k+ | error log error log | |||
| #2379 | GoHero Store Customizer for WooCommerce | 37 | 75 | 53 | 600 | Unsafe printing function | ||
| #2380 | Phoenix Media Rename | 37 | 180 | 104 | 50k+ | Output is not escaped | ||
| #2381 | PNG to JPG | 37 | 130 | 173 | 10k+ | Interpolated SQL is not prepared | ||
| #2382 | POEditor | 37 | 78 | 140 | 500 | Output is not escaped | ||
| #2383 | Post Terms Order – per Post based | 37 | 70 | 36 | 2k+ | Output is not escaped | ||
| #2384 | Product page shipping calculator for WooCommerce | 37 | 217 | 117 | 1k+ | Text Domain Mismatch | ||
| #2385 | Publish to Schedule | 37 | 195 | 43 | 3k+ | Text Domain Mismatch | ||
| #2386 | Quantities and Units for WooCommerce | 37 | 133 | 118 | 1k+ | Output is not escaped | ||
| #2387 | Quentn WP | 37 | 4 | 251 | 500 | Nonce verification recommended | ||
| #2388 | Quick Restaurant Menu | 37 | 136 | 40 | 1k+ | Text Domain Mismatch | ||
| #2389 | Rich Table of Contents | 37 | 262 | 57 | 20k+ | Output is not escaped | ||
| #2390 | RSS for Yandex Zen | 37 | 240 | 100 | 4k+ | Unsafe printing function | ||
| #2391 | RSS Image Feed | 37 | 147 | 16 | 2k+ | Output is not escaped | ||
| #2392 | Ryviu – Review Importer & Product Reviews | 37 | 72 | 95 | 1k+ | Output is not escaped | ||
| #2393 | Send PDF for Contact Form 7 | 37 | 22 | 308 | 9k+ | Non-prefixed global variable | ||
| #2394 | SendWP | 37 | 47 | 42 | 10k+ | Output is not escaped | ||
| #2395 | Sezzle Woocommerce Payment | 37 | 108 | 105 | 1k+ | Text Domain Mismatch | ||
| #2396 | Snippet Shortcodes | 37 | 359 | 133 | 4k+ | Non Singular String Literal Domain | ||
| #2397 | Shortcoder — Create Shortcodes for Anything | 37 | 25 | 70 | 100k+ | Non-prefixed global variable | ||
| #2398 | Simple Countdown Timer | 37 | 110 | 113 | 1k+ | Missing Arg Domain | ||
| #2399 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped | ||
| #2400 | Lightbox slider – Responsive Lightbox Gallery | 37 | 36 | 173 | 3k+ | Non-prefixed global variable |