WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2601 | Catch Breadcrumb | 86 | 1 | 29 | 2k+ | Non-prefixed global variable | ||
| #2602 | Classic Editor + | 86 | 1 | 4 | 40k+ | Input is not sanitized | ||
| #2603 | Nice page transition | 86 | 4 | 12 | 1k+ | Direct Query | ||
| #2604 | Catch Infinite Scroll | 87 | 20 | 10k+ | Non-prefixed global variable | |||
| #2605 | Export Single Post Page | 87 | 3 | 6 | 2k+ | Nonce verification recommended | ||
| #2606 | Redirect 404 to Homepage | 88 | 4 | 4 | 70k+ | parse url parse url | ||
| #2607 | Captcha by Yandex for Contact Form 7 | 88 | 9 | 12 | 3k+ | Text Domain Mismatch | ||
| #2608 | Catch IDs | 88 | 16 | 20k+ | Non-prefixed global variable | |||
| #2609 | Organic Profile Block | 88 | 3 | 6 | 1k+ | Input is not validated | ||
| #2610 | Animate on Scroll | 89 | 2 | 4 | 4k+ | Input is not validated | ||
| #2611 | Document Embedder Addons for Elementor – Embed Documents in Elementor Websites | 89 | 4 | 6k+ | Input is not validated | |||
| #2612 | WP Featherlight Disabled | 89 | 5 | 11 | 2k+ | trademarked term | ||
| #2613 | Viva.com | Smart Checkout for WooCommerce | 90 | 1 | 30 | 6k+ | Direct Query | ||
| #2614 | WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | 90 | 20 | 20k+ | Non-prefixed function | |||
| #2615 | Ads.txt Manager | 92 | 4 | 4 | 100k+ | Missing direct file access protection | ||
| #2616 | Weaver Show Posts | 93 | 2 | 5k+ | Input is not sanitized | |||
| #2617 | WPC Buy Now Button for WooCommerce | 95 | 18 | 10k+ | Non-prefixed class |
