WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
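The three fixes above applied together, as an added example written for this page (it is not code from the scanner or from any plugin listed below). It assumes a hypothetical admin-post handler with the hook suffix `myplugin_set_visibility`, a nonce action of the same name, the post meta key `_myplugin_visibility` and a `redirect_to` field; all of these names are invented for the illustration and it needs WordPress loaded to run.

```php
<?php
// Added example, not from the scanner or any listed plugin.
// Assumed names: hook suffix/nonce action "myplugin_set_visibility",
// meta key "_myplugin_visibility", request fields post_id, visibility, redirect_to.

// Only the values the operation supports; anything else is rejected.
const MYPLUGIN_ALLOWED_VISIBILITY = array( 'public', 'members', 'hidden' );

/**
 * Validate a request value as a positive integer ID of an existing post.
 * Returns the ID or null. Sanitizing alone (absint) would silently turn
 * "abc", "-5" or "0" into 0, which is why this is a separate validation step.
 */
function myplugin_validate_post_id( $raw ) {
	if ( ! is_string( $raw ) && ! is_int( $raw ) ) {
		return null;
	}
	$raw = trim( (string) $raw );
	if ( ! preg_match( '/^[1-9][0-9]*$/', $raw ) ) { // rejects "-1", "1.5", "1e3", "abc", "0"
		return null;
	}
	$id = (int) $raw;
	return get_post( $id ) ? $id : null;              // must refer to a real post
}

/**
 * Validate an enum-like value against the allowlist. Strict comparison so
 * loose-equality coercion cannot match; anything unknown falls back to a safe default.
 */
function myplugin_validate_visibility( $raw, $default = 'hidden' ) {
	$value = is_string( $raw ) ? sanitize_key( wp_unslash( $raw ) ) : '';
	return in_array( $value, MYPLUGIN_ALLOWED_VISIBILITY, true ) ? $value : $default;
}

/**
 * Constrain a redirect URL: it must parse, use http(s) and stay on this site's
 * host. Returns null when any check fails instead of passing the value through.
 */
function myplugin_validate_redirect_url( $raw ) {
	if ( ! is_string( $raw ) ) {
		return null;
	}
	$url = esc_url_raw( wp_unslash( $raw ), array( 'http', 'https' ) );
	if ( '' === $url || ! wp_http_validate_url( $url ) ) {
		return null;
	}
	$host = wp_parse_url( $url, PHP_URL_HOST );
	$site = wp_parse_url( home_url(), PHP_URL_HOST );
	return ( $host && $site && strtolower( $host ) === strtolower( $site ) ) ? $url : null;
}

/**
 * State-changing handler. What the rule flags is the unvalidated form of this:
 *     update_post_meta( $_POST['post_id'], '_myplugin_visibility', $_POST['visibility'] );
 * Here the nonce and capability are checked first and only validated values are used.
 */
function myplugin_handle_set_visibility() {
	check_admin_referer( 'myplugin_set_visibility' );               // dies on a missing/bad nonce

	$post_id = myplugin_validate_post_id( $_POST['post_id'] ?? null );
	if ( null === $post_id ) {
		wp_die( 'Invalid post ID.', '', array( 'response' => 400 ) ); // reject, do not guess
	}
	// Capability check is per object: may this user edit this particular post?
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( 'You are not allowed to edit this post.', '', array( 'response' => 403 ) );
	}

	$visibility = myplugin_validate_visibility( $_POST['visibility'] ?? null );
	update_post_meta( $post_id, '_myplugin_visibility', $visibility );

	// Optional redirect target: safely default to the edit screen when rejected.
	$redirect = myplugin_validate_redirect_url( $_POST['redirect_to'] ?? null );
	wp_safe_redirect( $redirect ?: admin_url( 'post.php?post=' . $post_id . '&action=edit' ) );
	exit;
}
add_action( 'admin_post_myplugin_set_visibility', 'myplugin_handle_set_visibility' );
```

The ID check and the allowlist check return a rejection or a safe default rather than a "cleaned" version of bad input, which is the distinction the rule draws between sanitization and validation; the capability check is tied to the specific post ID so that a valid-looking ID for someone else's post is still refused.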
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2901 | Fast User Switching | 40 | 28 | 28 | 2k+ | | | Output is not escaped |
| #2902 | Featured Post | 40 | 36 | 18 | 900 | | | Output is not escaped |
| #2903 | Flamingo | 40 | 15 | 228 | 800k+ | | | Nonce verification recommended |
| #2904 | FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments | 40 | 50 | 47 | 700 | | | Non-prefixed global variable |
| #2905 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40 | 23 | 44 | 30k+ | | | Missing direct file access protection |
| #2906 | Full Background Manager | 40 | 37 | 24 | 7k+ | | | Output is not escaped |
| #2907 | Fusion Page Builder | 40 | 34 | 100 | 3k+ | | | Input is not validated |
| #2908 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | | | Output is not escaped |
| #2909 | Gravity Forms Data Persistence Add-On Reloaded | 40 | 14 | 38 | 700 | | | Input is not sanitized |
| #2910 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | | | Non Singular String Literal Domain |
| #2911 | WP Armour – Honeypot Anti Spam | 40 | 55 | 66 | 400k+ | | | Missing nonce verification |
| #2912 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | | | Direct Query |
| #2913 | I Agree! Popups | 40 | 54 | 46 | 600 | | | Output is not escaped |
| #2914 | If Widget – Visibility control for Widgets | 40 | 99 | 25 | 1k+ | | | Unsafe printing function |
| #2915 | iNext Woo Pincode Checker | 40 | 36 | 82 | 700 | | | Missing nonce verification |
| #2916 | Interactive US Map | 40 | 136 | 54 | 400 | | | Text Domain Mismatch |
| #2917 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | | | Output is not escaped |
| #2918 | Invite Anyone | 40 | 32 | 130 | 1k+ | | | Non-prefixed hook name |
| #2919 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | | | Nonce verification recommended |
| #2920 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | | | Nonce verification recommended |
| #2921 | JSM Show Term Metadata | 40 | 14 | 64 | 900 | | | Nonce verification recommended |
| #2922 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | | | Nonce verification recommended |
| #2923 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | | | Output is not escaped |
| #2924 | Social Like Box and Page by WpDevArt | 40 | 62 | 24 | 5k+ | | | Output is not escaped |
| #2925 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | | | Output is not escaped |
| #2926 | LJ Multi Column Archive | 40 | 17 | 25 | 1k+ | | | Output is not escaped |
| #2927 | Loan Comparison | 40 | 27 | 192 | 400 | | | Request data is not unslashed |
| #2928 | Logbook | 40 | 33 | 59 | 2k+ | | | Nonce verification recommended |
| #2929 | Manual Image Crop | 40 | 178 | 61 | 8k+ | | | Output is not escaped |
| #2930 | Mark New Posts | 40 | 61 | 39 | 500 | | | Non Singular String Literal Domain |
| #2931 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | | | Output is not escaped |
| #2932 | Mass Email To Users | 40 | 84 | 81 | 800 | | | Output is not escaped |
| #2933 | MembershipWorks – Membership, Events & Directory | 40 | 41 | 29 | 2k+ | | | Output is not escaped |
| #2934 | Mobile Contact Line | 40 | 39 | 355 | 1k+ | | | Non-prefixed global variable |
| #2935 | WP Mobile Redirect | 40 | 44 | 20 | 400 | | | Text Domain Mismatch |
| #2936 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | | | Non-prefixed global variable |
| #2937 | 코드엠샵 소셜톡 | 40 | 47 | 36 | 400 | | | Output is not escaped |
| #2938 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | | | Output is not escaped |
| #2939 | My Social Feeds – Social Feeds Embedder Plugin for WP | 40 | 8 | 77 | 400 | | | Request data is not unslashed |
| #2940 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | | | Missing direct file access protection |
| #2941 | No-Bot Registration | 40 | 112 | 42 | 2k+ | | | Unsafe printing function |
| #2942 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | | | Text Domain Mismatch |
| #2943 | One Click SSL | 40 | 136 | 62 | 10k+ | | | Unsafe printing function |
| #2944 | OPML Importer | 40 | 35 | 13 | 3k+ | | | Output is not escaped |
| #2945 | Page As Subdomain Lite | 40 | 61 | 25 | 500 | | | Output is not escaped |
| #2946 | Give – Paystack Gateway | 40 | 96 | 10 | 1k+ | | | Text Domain Mismatch |
| #2947 | Paystack MemberPress | 40 | 71 | 76 | 400 | | | Output is not escaped |
| #2948 | Permalink Editor | 40 | 50 | 28 | 1k+ | | | Output is not escaped |
| #2949 | List Petfinder Pets | 40 | 121 | 46 | 400 | | | Output is not escaped |
| #2950 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 68 | 249 | 3k+ | | | Missing nonce verification |