WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found a request superglobal index ($_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER or $_FILES) being read without a preceding check that the key exists, such as isset(), empty() or array_key_exists() (newer WPCS releases also accept the ?? null coalescing operator). That existence check is all the sniff itself can see; it does not verify that the value is acceptable, so treat a finding as a prompt to follow the value to where it is used and confirm that it is constrained by a type check, allowlist or range check, and that the action it triggers is guarded by a capability check.
Why It Matters
Sanitization cleans a value; validation proves the value is acceptable for the operation. Without it, a handler may act on a missing key (PHP raises an "undefined index" warning and the value silently becomes null), accept an ID, option or orderby column the caller should never be able to choose, store an invalid state, or let the request decide which query, file path or redirect target is used.
How to Fix
- Check that IDs are positive integers (absint() or FILTER_VALIDATE_INT with a minimum of 1, then confirm the object exists and the current user may act on it), that enum-like values are in a fixed allowlist compared with strict in_array(), and that URLs and file paths are constrained (wp_validate_redirect() or a relative-path check for URLs; realpath() resolved inside a fixed directory for paths).
- Pair state-changing requests with a nonce (check_admin_referer() or wp_verify_nonce()) and a capability check (current_user_can()). The nonce proves intent, the capability proves authority, and neither replaces the other.
- Reject values that fail validation (wp_die() with a 4xx status, or an error the caller handles) or fall back to a safe fixed default; never pass the raw value on to the option, query or redirect.
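The handler below is an added example written for this page; it is not code from the page or from any plugin listed on it. It assumes a hypothetical plugin with the wpx_ prefix, a settings form that POSTs to admin-post.php with action=wpx_save_settings, and the WordPress core functions it calls (check_admin_referer, current_user_can, wp_unslash, wp_die, update_option, update_post_meta, get_post, wp_safe_redirect, admin_url), which exist only when the file runs inside WordPress. The first function is the shape the scanner flags; the second and third apply the three fixes above.

```php
<?php
/**
 * Added example (editor's, hypothetical "wpx" plugin), not code from the page
 * or any listed plugin. WordPress core functions are assumed to be loaded.
 */

// Before: three superglobal indexes read with no isset()/empty() guard, which
// is what the sniff reports as InputNotValidated. Nothing checks who is
// calling, whether $mode is an option the plugin understands, or where
// $redirect points; a missing key yields null plus a PHP warning.
function wpx_save_settings_unvalidated() {
    $post_id  = $_POST['post_id'];
    $mode     = $_POST['mode'];
    $redirect = $_POST['redirect'];
    update_option( 'wpx_mode', $mode );
    update_post_meta( $post_id, '_wpx_enabled', '1' );
    wp_redirect( $redirect );
    exit;
}

// After: allowed values are fixed at design time, never derived from the request.
const WPX_ALLOWED_MODES = array( 'list', 'grid', 'compact' );

/**
 * Pure-PHP validation of the already-unslashed request array. Returns a typed
 * array on success or null on any failure, so a caller can never use a
 * partially validated result.
 */
function wpx_validate_settings( array $input ) {
    // Existence first: this is the check the sniff itself looks for.
    if ( ! isset( $input['post_id'], $input['mode'] ) ) {
        return null;
    }

    // Type and range: a positive integer. Rejects "0", "-5", "12abc" and arrays.
    $post_id = filter_var(
        $input['post_id'],
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    if ( false === $post_id ) {
        return null;
    }

    // Allowlist with strict comparison, so "0" or true cannot match "list".
    if ( ! is_string( $input['mode'] ) || ! in_array( $input['mode'], WPX_ALLOWED_MODES, true ) ) {
        return null;
    }

    // Optional redirect, constrained to a single-slash relative path. This rules
    // out "https://evil.example", "//evil.example", "/\evil.example" and "javascript:".
    $redirect = null;
    if ( isset( $input['redirect'] ) ) {
        if ( ! is_string( $input['redirect'] )
            || ! preg_match( '#^/(?!/)[A-Za-z0-9_./?=&%-]*$#', $input['redirect'] ) ) {
            return null;
        }
        $redirect = $input['redirect'];
    }

    return array( 'post_id' => $post_id, 'mode' => $input['mode'], 'redirect' => $redirect );
}

function wpx_save_settings() {
    // Capability proves authority, the nonce proves intent; both are required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 403 );
    }
    check_admin_referer( 'wpx_save_settings', 'wpx_nonce' );

    $settings = wpx_validate_settings( wp_unslash( $_POST ) );
    if ( null === $settings ) {
        wp_die( 'Invalid settings.', 400 );
    }

    // The integer is well-formed; now confirm it names a real post this user may edit.
    if ( ! get_post( $settings['post_id'] ) || ! current_user_can( 'edit_post', $settings['post_id'] ) ) {
        wp_die( 'Invalid post.', 403 );
    }

    update_option( 'wpx_mode', $settings['mode'] );
    update_post_meta( $settings['post_id'], '_wpx_enabled', '1' );

    // wp_safe_redirect() additionally refuses hosts outside the allowed-hosts list.
    wp_safe_redirect( $settings['redirect'] ?? admin_url( 'options-general.php?page=wpx' ) );
    exit;
}
add_action( 'admin_post_wpx_save_settings', 'wpx_save_settings' );
```

The matching form needs wp_nonce_field( 'wpx_save_settings', 'wpx_nonce' ) and a hidden action field set to wpx_save_settings. Validation is done on the unslashed copy of $_POST rather than on the superglobal directly, and every field is reduced to an integer, an allowlisted string or a path matching a fixed pattern before anything is stored or followed; free-text fields that cannot be validated this way would still need a sanitize_* call before use.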
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2551 | Reorder Terms | 54 | 17 | 38 | 1k+ | | | Nonce verification recommended |
| #2552 | Resize images before upload | 54 | 19 | 5 | 1k+ | | | Output is not escaped |
| #2553 | Simple XML Sitemap Generator | 54 | 8 | 28 | 3k+ | | | Non-prefixed function |
| #2554 | Sp*tify Play Button for WordPress | 54 | 21 | 15 | 3k+ | | | Text Domain Mismatch |
| #2555 | WP Menu Icons | 54 | 68 | 52 | 20k+ | | | Text Domain Mismatch |
| #2556 | WP Post Navigation | 54 | 14 | 23 | 1k+ | | | Output is not escaped |
| #2557 | Accordions | 55 | 1 | 101 | 20k+ | | | slow db query meta query |
| #2558 | Admin Bar User Switching | 55 | 16 | 31 | 2k+ | | | Input is not validated |
| #2559 | Atarim – Visual Feedback, Review & AI Collaboration | 55 | 16 | 21 | 1k+ | | | Nonce verification recommended |
| #2560 | Auto Image Alt Attribute | 55 | 26 | 7 | 6k+ | | | Unsafe printing function |
| #2561 | Disable Feeds | 55 | 9 | 9 | 20k+ | | | Output is not escaped |
| #2562 | Feedbucket – Website Feedback Tool | 55 | 10 | 25 | 1k+ | | | Input is not validated |
| #2563 | Head, Footer and Post Injections | 55 | 9 | 52 | 300k+ | | | Non-prefixed global variable |
| #2564 | Hide Admin Menu | 55 | 18 | 27 | 20k+ | | | Non-prefixed function |
| #2565 | Holded integration | 55 | 72 | 23 | 2k+ | | | Non Singular String Literal Domain |
| #2566 | Landingi Landing Pages | 55 | 18 | 23 | 2k+ | | | Input is not sanitized |
| #2567 | Marvy – Background Animations for Elementor | 55 | 63 | 34 | 4k+ | | | Text Domain Mismatch |
| #2568 | Mortgage Calculator | 55 | 98 | 16 | 4k+ | | | Text Domain Mismatch |
| #2569 | Page Animations And Transitions | 55 | 89 | 67 | 1k+ | | | Non Singular String Literal Domain |
| #2570 | Virtual Robots.txt | 55 | 10 | 21 | 40k+ | | | Input is not validated |
| #2571 | Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More | 55 | 44 | 64 | 7k+ | | | Text Domain Mismatch |
| #2572 | Semrush Content Toolkit | 55 | 22 | 24 | 2k+ | | | Non-prefixed global variable |
| #2573 | VS Contact Form | 55 | 3 | 318 | 7k+ | | | Non-prefixed global variable |
| #2574 | VK Block Patterns | 55 | 8 | 61 | 100k+ | | | Non-prefixed function |
| #2575 | Anti-Captcha (anti-spam botblocker) | 56 | 23 | 26 | 1k+ | | | rand mt rand |
| #2576 | SMTP by BestWebSoft | 56 | 486 | 175 | 1k+ | | | Text Domain Mismatch |
| #2577 | FV Top Level Categories | 56 | 24 | 16 | 20k+ | | | Text Domain Mismatch |
| #2578 | Jquery Validation For Contact Form 7 | 56 | 18 | 19 | 9k+ | | | Missing direct file access protection |
| #2579 | Kwayy HTML Sitemap | 56 | 13 | 19 | 6k+ | | | Missing nonce verification |
| #2580 | Pluginception | 56 | 7 | 29 | 3k+ | | | Request data is not unslashed |
| #2581 | Image Optimization For SEO | 56 | 116 | 69 | 3k+ | | | Non Singular String Literal Domain |
| #2582 | TextBuilder | 56 | 20 | 34 | 4k+ | | | Missing Arg Domain |
| #2583 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | | | Unsafe printing function |
| #2584 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | | | Missing nonce verification |
| #2585 | WP Table Builder – Drag & Drop Table Builder | 56 | 68 | 39 | 50k+ | | | Not Allowed |
| #2586 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | | | Output is not escaped |
| #2587 | Cache-Control | 57 | 26 | 4 | 1k+ | | | Output is not escaped |
| #2588 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | | | Unsafe printing function |
| #2589 | Disable Cart Fragments by Optimocha | 57 | 8 | 13 | 10k+ | | | Nonce verification recommended |
| #2590 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | | | Missing Arg Domain |
| #2591 | Gravity PDF | 57 | 116 | 152 | 20k+ | | | Non-prefixed global variable |
| #2592 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | | | Input is not sanitized |
| #2593 | JSON API User | 57 | 17 | 34 | 1k+ | | | Non-prefixed hook name |
| #2594 | My WordPress Login Logo | 57 | 28 | 36 | 10k+ | | | Non-prefixed global variable |
| #2595 | Plethora Plugins Tabs + Accordions | 57 | 44 | 10 | 2k+ | | | Output is not escaped |
| #2596 | Protected Posts Logout Button | 57 | 10 | 20 | 1k+ | | | Input is not sanitized |
| #2597 | Real-Time Find and Replace | 57 | 23 | 10 | 70k+ | | | Output is not escaped |
| #2598 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | | | Input is not validated |
| #2599 | Search Exclude | 57 | 73 | 40 | 50k+ | | | Text Domain Mismatch |
| #2600 | Site Health Tool Manager | 57 | 13 | 5 | 2k+ | | | Unsafe printing function |