WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal (`$_GET`, `$_POST`, `$_REQUEST`, and similar) being used without validation, such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable for the operation being performed. Missing validation can allow unexpected actions, invalid states, or unsafe query choices even when the value itself has been sanitized.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
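As an added example (not code from any plugin listed on this page, nor from the scanner itself), the following WordPress admin-post handler shows the flagged pattern next to a version that applies the three fixes above: nonce and capability checks on a state-changing request, then type, allowlist and range checks, with rejection or a safe default for anything that fails. The hook name `admin_post_myplugin_set_layout`, the nonce action, the meta keys and the layout values are assumptions made for illustration.

```php
<?php
/**
 * Added example, not from the scanned plugins. All myplugin_* names,
 * the nonce action and the meta keys are hypothetical.
 */

// Flagged pattern: the values are sanitized, but nothing checks that the
// post ID is a real, editable post or that the layout is one the plugin
// knows about, and no nonce or capability check guards the state change.
function myplugin_handle_unvalidated() {
    $post_id = sanitize_text_field( wp_unslash( $_POST['post_id'] ) );
    $layout  = sanitize_text_field( wp_unslash( $_POST['layout'] ) );
    update_post_meta( $post_id, '_myplugin_layout', $layout );
}

// Validated pattern: prove intent and authority first, then prove that each
// value is acceptable before it reaches any state-changing call.
function myplugin_handle_validated() {
    // 1. State-changing request: nonce (intent) plus capability (authority).
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_key( $_POST['_wpnonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'myplugin_set_layout_nonce' ) ) {
        wp_die( 'Invalid request.', 403 );
    }

    // 2. ID: positive integer that refers to a post this user may edit.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( 0 === $post_id || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Invalid post.', 403 );
    }

    // 3. Enum-like value: strict allowlist, safe default when it fails.
    $allowed_layouts = array( 'grid', 'list', 'masonry' );
    $layout = isset( $_POST['layout'] ) ? sanitize_key( $_POST['layout'] ) : '';
    if ( ! in_array( $layout, $allowed_layouts, true ) ) {
        $layout = 'grid';
    }

    // 4. Numeric range: clamp columns to 1..6 instead of trusting the request.
    $columns = isset( $_POST['columns'] ) ? absint( $_POST['columns'] ) : 3;
    $columns = max( 1, min( 6, $columns ) );

    // 5. URL: must parse as http(s) and point at this site's own host;
    //    anything else falls back to a fixed admin page.
    $redirect  = isset( $_POST['redirect_to'] )
        ? wp_http_validate_url( wp_unslash( $_POST['redirect_to'] ) )
        : false;
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( false === $redirect || wp_parse_url( $redirect, PHP_URL_HOST ) !== $site_host ) {
        $redirect = admin_url( 'edit.php' );
    }

    update_post_meta( $post_id, '_myplugin_layout', $layout );
    update_post_meta( $post_id, '_myplugin_columns', $columns );

    wp_safe_redirect( $redirect );
    exit;
}
add_action( 'admin_post_myplugin_set_layout', 'myplugin_handle_validated' );
```

Two design points worth noting: `sanitize_key()` on the layout value only lowercases and strips characters, so the `in_array( ..., true )` allowlist check is what actually decides whether the value is acceptable; and `wp_http_validate_url()` rejects non-http(s) schemes and private-network targets but does not restrict the host, so the explicit host comparison (and `wp_safe_redirect()`, which enforces `allowed_redirect_hosts`) is what keeps the redirect on-site.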
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #2401 | WP Blog Post Layouts | 60 | 36 | 249 | 10k+ | | Non-prefixed global variable |
| #2402 | WP-SWFObject | 60 | 14 | 24 | 1k+ | | Deprecated parameter: add_option parameter 3 |
| #2403 | Ads.txt Manager | 61 | 33 | 16 | 4k+ | | Text Domain Mismatch |
| #2404 | Compact WP Audio Player | 61 | 12 | 21 | 20k+ | | Non-prefixed function |
| #2405 | GetPaid Stripe Payments | 61 | 206 | 44 | 2k+ | | Text Domain Mismatch |
| #2406 | Marker.io – Visual Website Feedback | 61 | 6 | 31 | 4k+ | | Request data is not unslashed |
| #2407 | Media Library Helper — Bulk edit image ALT, caption & description | 61 | 16 | 70 | 10k+ | | Non-prefixed global variable |
| #2408 | Reorder Posts – Quick Post Type and Page Ordering | 61 | 10 | 23 | 10k+ | | Request data is not unslashed |
| #2409 | Qikink Print On Demand and DropShipping | 61 | 14 | 23 | 1k+ | | Input is not validated |
| #2410 | Remove Featured Image | 61 | 21 | 12 | 1k+ | | Missing Arg Domain |
| #2411 | SHK Hide Title | 61 | 19 | 4 | 3k+ | | Output is not escaped |
| #2412 | Slider Factory | 61 | 3 | 414 | 2k+ | | Non-prefixed global variable |
| #2413 | Team Showcase | 61 | 1 | 125 | 1k+ | | slow db query meta key |
| #2414 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | | Request data is not unslashed |
| #2415 | WP-CORS | 61 | 7 | 23 | 1k+ | | error log error log |
| #2416 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | | Non-prefixed global variable |
| #2417 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | | Missing nonce verification |
| #2418 | ARI Fancy Lightbox – Popup for WordPress | 62 | 8 | 107 | 10k+ | | Non-prefixed namespace |
| #2419 | Bulk edit publish date | 62 | 11 | 16 | 2k+ | | Nonce verification recommended |
| #2420 | Bulk Page Creator | 62 | 9 | 17 | 10k+ | | Request data is not unslashed |
| #2421 | Cloudways WordPress Migrator | 62 | 15 | 25 | 20k+ | | Output is not escaped |
| #2422 | Carousel Slider | 62 | 71 | | 30k+ | | Non-prefixed global variable |
| #2423 | DreamHost Automated Migration | 62 | 15 | 23 | 20k+ | | Output is not escaped |
| #2424 | MainWP Key Maker | 62 | 3 | 35 | 4k+ | | Input is not sanitized |
| #2425 | Migrate To Liquid Web & Nexcess | 62 | 15 | 23 | 2k+ | | Output is not escaped |
| #2426 | Pressable Automated Migration | 62 | 15 | 23 | 3k+ | | Output is not escaped |
| #2427 | Responsive Slider Gallery – Responsive Image Photo Slider | 62 | 32 | 122 | 2k+ | | Non-prefixed global variable |
| #2428 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | | Input is not sanitized |
| #2429 | Single Post Template | 62 | 14 | 8 | 4k+ | | Text Domain Mismatch |
| #2430 | Sitewide Notice WP | 62 | 6 | 13 | 3k+ | | Output is not escaped |
| #2431 | Satispay for WooCommerce | 62 | 19 | 12 | 7k+ | | Exception output is not escaped |
| #2432 | WooCommerce Product Fees | 62 | 6 | 25 | 2k+ | | Missing nonce verification |
| #2433 | WP Downloader | 62 | 11 | 15 | 2k+ | | Output is not escaped |
| #2434 | Wp Theme plugin Download | 62 | 11 | 16 | 2k+ | | Output is not escaped |
| #2435 | Migrate to WordPress.com | 62 | 15 | 28 | 2k+ | | Output is not escaped |
| #2436 | Automatic Featured Images from Videos | 63 | 14 | 13 | 7k+ | | Missing direct file access protection |
| #2437 | DW Block User Account | 63 | 6 | 11 | 1k+ | | Unsafe printing function |
| #2438 | Categories Images | 63 | 10 | 21 | 50k+ | | wp function not compatible with requires wp |
| #2439 | Hide Admin Bar From Front End | 63 | 8 | 17 | 1k+ | | Input is not validated |
| #2440 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | | Text Domain Mismatch |
| #2441 | Redirect 404 to Home Page – Custom URL | 63 | 9 | 11 | 4k+ | | Output is not escaped |
| #2442 | Simple Membership After Login Redirection | 63 | 4 | 24 | 10k+ | | Missing nonce verification |
| #2443 | UniqueID for Contact Form 7 | 64 | 21 | 18 | 2k+ | | Text Domain Mismatch |
| #2444 | Download Theme | 64 | 18 | 20 | 4k+ | | wp function not compatible with requires wp |
| #2445 | Estonian Shipping Methods for WooCommerce | 64 | 97 | 16 | 1k+ | | Text Domain Mismatch |
| #2446 | Favicon XT-Manager | 64 | 9 | 12 | 2k+ | | Output is not escaped |
| #2447 | Layouts for Divi | 64 | 3 | 27 | 1k+ | | Non-prefixed global variable |
| #2448 | Nofollow for external link | 64 | 8 | 5 | 10k+ | | Output is not escaped |
| #2449 | WP REST Cache | 64 | 11 | 113 | 10k+ | | Direct Query |
| #2450 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | | Input is not sanitized |