WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject values that fail validation, or fall back to a known-safe default instead of using the submitted value.
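An added example, not code from this page or from any plugin listed below, that combines the checks above in one hypothetical admin POST handler; the `myplugin_*` names, the action hook, the nonce and field names, and the allowlist values are all assumptions:

```php
<?php
// Added example: every request value is validated (not just sanitized)
// before it is used. All myplugin_* names and field names are assumed.

add_action( 'admin_post_myplugin_update', 'myplugin_handle_update' );

function myplugin_handle_update() {
    // State-changing request: pair the nonce with a capability check.
    check_admin_referer( 'myplugin_update', 'myplugin_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), 403 );
    }

    // ID: must be present, a positive integer, and refer to an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( $post_id < 1 || ! get_post( $post_id ) ) {
        wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), 400 );
    }

    // Enum-like value: sanitize, then prove it is in the allowlist (strict compare).
    $allowed_modes = array( 'draft', 'publish' );
    $mode = isset( $_POST['mode'] ) ? sanitize_key( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, $allowed_modes, true ) ) {
        $mode = 'draft'; // Safe default rather than trusting an unknown value.
    }

    // Range check: integer constrained to 1..100; out of range is rejected.
    $priority = isset( $_POST['priority'] ) ? (int) $_POST['priority'] : 10;
    if ( $priority < 1 || $priority > 100 ) {
        wp_die( esc_html__( 'Priority out of range.', 'myplugin' ), 400 );
    }

    // URL: sanitize, then validate; wp_http_validate_url() returns false for
    // non-http(s) schemes and for hosts it refuses, so a bad URL never reaches storage.
    $raw_url = isset( $_POST['callback_url'] ) ? esc_url_raw( wp_unslash( $_POST['callback_url'] ) ) : '';
    $url     = ( '' !== $raw_url ) ? wp_http_validate_url( $raw_url ) : false;
    if ( false === $url ) {
        wp_die( esc_html__( 'Invalid callback URL.', 'myplugin' ), 400 );
    }

    // Only values that passed every check are written.
    update_post_meta( $post_id, '_myplugin_mode', $mode );
    update_post_meta( $post_id, '_myplugin_priority', $priority );
    update_post_meta( $post_id, '_myplugin_callback_url', $url );

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
```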
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2751 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | | | Direct Query |
| #2752 | Mascaras CF7 | 39 | 54 | 16 | 1k+ | | | Text Domain Mismatch |
| #2753 | Meks Easy Photo Feed Widget | 39 | 77 | 27 | 10k+ | | | Output is not escaped |
| #2754 | Menubar | 39 | 171 | 46 | 1k+ | | | Output is not escaped |
| #2755 | Mizan Demo Importer | 39 | 31 | 91 | 1k+ | | | Missing nonce verification |
| #2756 | Modal Dialog | 39 | 64 | 64 | 500 | | | Output is not escaped |
| #2757 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | | | Output is not escaped |
| #2758 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | | | Text Domain Mismatch |
| #2759 | NextGEN Download Gallery | 39 | 57 | 21 | 2k+ | | | Short PHP open tag found |
| #2760 | Open Graph Pro | 39 | 52 | 13 | 1k+ | | | Output is not escaped |
| #2761 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | | | Output is not escaped |
| #2762 | OneSignal Sender | 39 | 112 | 50 | 400 | | | Output is not escaped |
| #2763 | payever – WooCommerce Gateway | 39 | 263 | 131 | 700 | | | Text Domain Mismatch |
| #2764 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | | | Text Domain Mismatch |
| #2765 | Permalink Manager for WooCommerce | 39 | 116 | 24 | 8k+ | | | Short PHP open tag found |
| #2766 | PO/MO Editor | 39 | 106 | 45 | 1k+ | | | Unsafe printing function |
| #2767 | Posts By Tag | 39 | 151 | 30 | 1k+ | | | Output is not escaped |
| #2768 | PickPlugins Pricing Table | 39 | 3 | 171 | 1k+ | | | Missing nonce verification |
| #2769 | Product Video Gallery for Woocommerce | 39 | 63 | 36 | 10k+ | | | Setting is missing a sanitization callback |
| #2770 | Product Size Chart for Woocommerce | 39 | 20 | 169 | 600 | | | Non-prefixed global variable |
| #2771 | Purge Varnish Cache | 39 | 113 | 151 | 1k+ | | | Non-prefixed global variable |
| #2772 | QR Redirector | 39 | 48 | 54 | 4k+ | | | Output is not escaped |
| #2773 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | | | Output is not escaped |
| #2774 | Quform Mailchimp | 39 | 65 | 147 | 800 | | | Nonce verification recommended |
| #2775 | Quform Zapier | 39 | 60 | 123 | 1k+ | | | Nonce verification recommended |
| #2776 | Simple Webchat | 39 | 142 | 204 | 1k+ | | | Output is not escaped |
| #2777 | Radio Buttons for Taxonomies | 39 | 40 | 24 | 20k+ | | | Output is not escaped |
| #2778 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | | | Nonce verification recommended |
| #2779 | Reorder by Term | 39 | 20 | 84 | 1k+ | | | Request data is not unslashed |
| #2780 | REST API Helper | 39 | 108 | 85 | 500 | | | Unsafe printing function |
| #2781 | Royal Mail Shipping Calculator for WooCommerce | 39 | 61 | 31 | 1k+ | | | Text Domain Mismatch |
| #2782 | Salat Times | 39 | 236 | 21 | 500 | | | Output is not escaped |
| #2783 | Scripts n Styles | 39 | 150 | 92 | 30k+ | | | Output is not escaped |
| #2784 | SEO Friendly Images | 39 | 292 | 20 | 20k+ | | | Output is not escaped |
| #2785 | Serial Number for Contact Form 7 | 39 | 105 | 53 | 2k+ | | | Non Singular String Literal Domain |
| #2786 | Shipping by Rules for WooCommerce | 39 | 130 | 48 | 500 | | | Output is not escaped |
| #2787 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | | | Text Domain Mismatch |
| #2788 | Show All Comments | 39 | 108 | 92 | 400 | | | Nonce verification recommended |
| #2789 | Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services | 39 | 67 | 74 | 1k+ | | | Interpolated Variable Text |
| #2790 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | | | Request data is not unslashed |
| #2791 | Simple Posts Ticker – Easy, Lightweight & Flexible | 39 | 151 | 28 | 2k+ | | | Output is not escaped |
| #2792 | Simple Staff List | 39 | 90 | 236 | 3k+ | | | Non-prefixed global variable |
| #2793 | SimpleModal Login | 39 | 50 | 12 | 800 | | | Unsafe printing function |
| #2794 | Slash Admin | 39 | 116 | 38 | 500 | | | Output is not escaped |
| #2795 | Slider Text Scroll | 39 | 95 | 52 | 400 | | | Text Domain Mismatch |
| #2796 | Slideshow SE | 39 | 35 | 240 | 2k+ | | | Non-prefixed global variable |
| #2797 | Smaily for WP | 39 | 52 | 36 | 700 | | | Output is not escaped |
| #2798 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | | | Non Singular String Literal Domain |
| #2799 | Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate | 39 | 42 | 226 | 500 | | | Request data is not unslashed |
| #2800 | Stock Ticker | 39 | 92 | 49 | 2k+ | | | Output is not escaped |