WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found a value from a request superglobal (such as `$_GET`, `$_POST`, or `$_REQUEST`) being used without any validation, such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
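The following handler is an added example, not code from the page or from any of the plugins listed below; it shows the three fixes above applied together in one admin-ajax callback. The action name, nonce action, and `myplugin_` function names are assumptions made for illustration.

```php
<?php
// Added example (not from the page or any listed plugin): an admin-ajax handler
// that validates every request value before it reaches the operation.
// The myplugin_* names and the 'myplugin_set_status' nonce action are assumptions.

add_action( 'wp_ajax_myplugin_set_status', 'myplugin_set_status_handler' );

function myplugin_set_status_handler() {
    // 1. State-changing request: require a nonce AND a capability; sanitizing alone proves nothing.
    check_ajax_referer( 'myplugin_set_status', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. ID: unslash + absint() sanitizes the value; the checks below validate it
    //    (positive, refers to an existing post, and this user may edit that post).
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( $post_id <= 0 || ! get_post( $post_id ) || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid post ID.' ), 400 );
    }

    // 3. Enum-like value: sanitize, then reject anything not in a fixed allowlist.
    $allowed_statuses = array( 'draft', 'pending', 'publish' );
    $status = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! in_array( $status, $allowed_statuses, true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported status.' ), 400 );
    }

    // 4. Range check with a safe default: an out-of-range count is clamped, not trusted.
    $per_page = isset( $_POST['per_page'] ) ? absint( wp_unslash( $_POST['per_page'] ) ) : 10;
    $per_page = max( 1, min( $per_page, 100 ) );

    // 5. URL: sanitize, then constrain it to hosts WordPress allows for redirects;
    //    anything else falls back to a known-safe default.
    $redirect = isset( $_POST['redirect'] ) ? esc_url_raw( wp_unslash( $_POST['redirect'] ) ) : '';
    $redirect = wp_validate_redirect( $redirect, admin_url() );

    // 6. File path: reduce the value to a bare file name and require it to exist
    //    inside one fixed directory (constructed path; 'myplugin' subfolder is an assumption).
    $file     = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $base_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'myplugin/';
    $file     = ( '' !== $file && basename( $file ) === $file && is_file( $base_dir . $file ) ) ? $file : '';

    // Only validated values reach the state change.
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_send_json_success(
        array(
            'post_id'  => $post_id,
            'status'   => $status,
            'per_page' => $per_page,
            'redirect' => $redirect,
            'file'     => $file,
        )
    );
}
```

Two points worth noting: the `isset()` guards are what the WordPressCS sniff itself looks for before it stops reporting this error, but they only prove the key is present; the `in_array()`, range, capability, and redirect checks are the validation that actually makes the value safe to act on. Where a bad value has a harmless default (the page count), clamping is fine; where it does not (the post ID, the status), the request is rejected outright.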
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #251 | Feed Them Social – Social Media Feeds, Video, and Photo Galleries | 23 | 563 | 535 | 20k+ | | | Output is not escaped |
| #252 | Image Photo Gallery Final Tiles Grid | 23 | 578 | 1,502 | 20k+ | | | Non-prefixed global variable |
| #253 | Flexmls® IDX Plugin | 23 | 1,268 | 957 | 1k+ | | | Output is not escaped |
| #254 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | 23 | 4,746 | 1,279 | 30k+ | | | Non Singular String Literal Domain |
| #255 | Front End PM | 23 | 978 | 2,264 | 5k+ | | | Non-prefixed global variable |
| #256 | Tracking and Consent Manager – WP Full Picture | 23 | 1,280 | 3,223 | 3k+ | | | Non-prefixed global variable |
| #257 | Fuse Social Floating Sidebar | 23 | 1,840 | 1,573 | 10k+ | | | Non-prefixed global variable |
| #258 | Futurio Extra | 23 | 787 | 205 | 20k+ | | | Text Domain Mismatch |
| #259 | FV Flowplayer Video Player | 23 | 1,311 | 1,454 | 20k+ | | | Output is not escaped |
| #260 | GAinWP Google Analytics Integration for WordPress | 23 | 525 | 176 | 8k+ | | | Output is not escaped |
| #261 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | 23 | 3,662 | 2,971 | 10k+ | | | Output is not escaped |
| #262 | The GDPR Framework By Data443 | 23 | 1,287 | 517 | 10k+ | | | Short PHP open tag found |
| #263 | Gmedia Photo Gallery | 23 | 350 | 1,121 | 7k+ | | | Non-prefixed global variable |
| #264 | Interactive Content – H5P | 23 | 565 | 380 | 40k+ | | | Non Singular String Literal Domain |
| #265 | Happy Addons for Elementor | 23 | 573 | 444 | 400k+ | | | Output is not escaped |
| #266 | Hunk Companion | 23 | 2,544 | 687 | 6k+ | | | Text Domain Mismatch |
| #267 | Payment forms, Buy now buttons, and Invoicing System \| GetPaid | 23 | 370 | 1,258 | 5k+ | | | Non-prefixed global variable |
| #268 | IP Geo Block | 23 | 399 | 589 | 9k+ | | | Output is not escaped |
| #269 | Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | 23 | 91 | 693 | 300k+ | | | Non-prefixed namespace |
| #270 | Justified Gallery | 23 | 589 | 1,417 | 9k+ | | | Non-prefixed global variable |
| #271 | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | 23 | 55 | 2,127 | 600k+ | | | Non-prefixed global variable |
| #272 | Kenta Companion | 23 | 657 | 1,419 | 2k+ | | | Non-prefixed global variable |
| #273 | King Addons for Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, WooCommerce, Mega Menu, Popup Builder | 23 | 1,837 | 3,878 | 10k+ | | | Non-prefixed global variable |
| #274 | Masteriyo LMS – LMS Course Builder, Quizzes & Certificates | 23 | 192 | 2,123 | 5k+ | | | Non-prefixed global variable |
| #275 | License Manager for WooCommerce | 23 | 129 | 819 | 6k+ | | | Request data is not unslashed |
| #276 | Like Button Rating ♥ LikeBtn | 23 | 1,231 | 617 | 4k+ | | | Unsafe printing function |
| #277 | Link Whisper Free | 23 | 3,882 | 5,303 | 30k+ | | | Text Domain Mismatch |
| #278 | Custom Login Page Customizer | 23 | 687 | 1,408 | 90k+ | | | Non-prefixed global variable |
| #279 | Login With Ajax – Fast Logins, 2FA, Redirects | 23 | 623 | 520 | 10k+ | | | Output is not escaped |
| #280 | Master Slider – Responsive Touch Slider | 23 | 800 | 408 | 60k+ | | | Output is not escaped |
| #281 | MasterStudy LMS WordPress Plugin – for Online Courses and Education | 23 | 1,419 | 4,875 | 10k+ | | | Non-prefixed global variable |
| #282 | MaxButtons – Create buttons | 23 | 655 | 409 | 70k+ | | | Output is not escaped |
| #283 | Media Library Assistant | 23 | 1,144 | 3,943 | 70k+ | | | Nonce verification recommended |
| #284 | MediaPress | 23 | 904 | 583 | 4k+ | | | Output is not escaped |
| #285 | Menu Image, Icons made easy | 23 | 591 | 1,406 | 100k+ | | | Non-prefixed global variable |
| #286 | MotoPress Appointment Booking | 23 | 2,362 | 857 | 2k+ | | | Text Domain Mismatch |
| #287 | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | 23 | 4,065 | 488 | 20k+ | | | Text Domain Mismatch |
| #288 | MStore API – Create Native Android & iOS Apps On The Cloud | 23 | 618 | 764 | 3k+ | | | SQL query is not prepared |
| #289 | MultiParcels Shipping For WooCommerce | 23 | 177 | 383 | 4k+ | | | Request data is not unslashed |
| #290 | MPG – Multiple Page Generator, Bulk Landing Pages & Programmatic SEO | 23 | 488 | 580 | 2k+ | | | Missing nonce verification |
| #291 | MyWorks Sync for WooCommerce & QuickBooks Online | 23 | 2,292 | 9,101 | 5k+ | | | Non-prefixed global variable |
| #292 | ND Shortcodes | 23 | 621 | 2,426 | 20k+ | | | Non-prefixed global variable |
| #293 | News Kit Addons For Elementor | 23 | 65 | 419 | 4k+ | | | Post Not In exclude |
| #294 | Next Active Directory Integration | 23 | 683 | 284 | 2k+ | | | Exception output is not escaped |
| #295 | Ninja Forms – The Contact Form Builder That Grows With You | 23 | 754 | 1,525 | 600k+ | | | Nonce verification recommended |
| #296 | NitroPack – Performance, Page Speed & Cache Plugin for Core Web Vitals, CDN & Image Optimization | 23 | 315 | 631 | 100k+ | | | Output is not escaped |
| #297 | Ocean Extra | 23 | 1,494 | 2,106 | 500k+ | | | Non-prefixed global variable |
| #298 | Issues and Series for Newspapers, Magazines, Publishers, Writers | 23 | 346 | 710 | 2k+ | | | Nonce verification recommended |
| #299 | Patchstack – WordPress & Plugins Security | 23 | 107 | 489 | 40k+ | | | Missing nonce verification |
| #300 | Photo Gallery by 10Web – Mobile-Friendly Image Gallery | 23 | 4,159 | 1,553 | 100k+ | | | Output is not escaped |