WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2951 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 68 | 249 | 3k+ | Missing nonce verification | ||
| #2952 | Plugin Load Filter | 40 | 76 | 112 | 7k+ | Text Domain Mismatch | ||
| #2953 | Popup addon for Ninja Forms | 40 | 121 | 25 | 1k+ | Output is not escaped | ||
| #2954 | Post Ratings | 40 | 160 | 32 | 600 | Output is not escaped | ||
| #2955 | Private Google Calendars | 40 | 227 | 37 | 1k+ | Output is not escaped | ||
| #2956 | Privilege Widget | 40 | 139 | 52 | 600 | Text Domain Mismatch | ||
| #2957 | Product Video Gallery for Woocommerce | 40 | 61 | 36 | 10k+ | Setting is missing a sanitization callback | ||
| #2958 | Quick Child Theme Generator | 40 | 22 | 74 | 900 | Request data is not unslashed | ||
| #2959 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 4k+ | Output is not escaped | ||
| #2960 | Random Banner | 40 | 59 | 125 | 1k+ | Output is not escaped | ||
| #2961 | Random Post Plugin – Redirect URL to Post | 40 | 28 | 74 | 4k+ | Nonce verification recommended | ||
| #2962 | Redirector | 40 | 48 | 32 | 7k+ | Output is not escaped | ||
| #2963 | Rename default post Labels | 40 | 54 | 36 | 600 | Text Domain Mismatch | ||
| #2964 | Responsive Plus – Elementor Templates & Starter Sites | 40 | 46 | 305 | 10k+ | Non-prefixed global variable | ||
| #2965 | Responsive Gallery Grid | 40 | 90 | 14 | 4k+ | Output is not escaped | ||
| #2966 | Risk Free Cash On Delivery (COD) – WooCommerce | 40 | 106 | 31 | 400 | Text Domain Mismatch | ||
| #2967 | Role Based Redirect | 40 | 20 | 96 | 2k+ | Non-prefixed global variable | ||
| #2968 | RPB Chessboard | 40 | 86 | 98 | 1k+ | Missing direct file access protection | ||
| #2969 | Salat Times | 40 | 235 | 20 | 500 | Output is not escaped | ||
| #2970 | Search Live | 40 | 132 | 71 | 600 | Output is not escaped | ||
| #2971 | Secondary Title | 40 | 117 | 31 | 7k+ | Unsafe printing function | ||
| #2972 | Sendy Widget | 40 | 46 | 17 | 700 | Output is not escaped | ||
| #2973 | Show Pages URL List | 40 | 29 | 234 | 1k+ | Non-prefixed global variable | ||
| #2974 | Simple Statistics for Feeds | 40 | 64 | 131 | 800 | Nonce verification recommended | ||
| #2975 | Simple Page Sidebars | 40 | 55 | 65 | 20k+ | Output is not escaped | ||
| #2976 | Specific Content For Mobile – Customize the mobile version without redirections | 40 | 26 | 155 | 4k+ | Nonce verification recommended | ||
| #2977 | ST Demo Importer | 40 | 27 | 75 | 700 | Missing nonce verification | ||
| #2978 | Developer Tools Blocker | 40 | 35 | 47 | 400 | strip tags strip tags | ||
| #2979 | Tagging | 40 | 33 | 37 | 500 | Output is not escaped | ||
| #2980 | Tealium | 40 | 73 | 19 | 600 | Unsafe printing function | ||
| #2981 | Theme and plugin translation for Polylang (TTfP) | 40 | 102 | 62 | 10k+ | Text Domain Mismatch | ||
| #2982 | Multiple Shipping Addresses for WooCommerce (Address Book) | 40 | 21 | 208 | 2k+ | Non-prefixed global variable | ||
| #2983 | ThemeZee Toolkit | 40 | 44 | 116 | 6k+ | Nonce verification recommended | ||
| #2984 | Thin Out Revisions | 40 | 93 | 35 | 800 | Non Singular String Literal Domain | ||
| #2985 | Timeline History | 40 | 31 | 17 | 500 | Output is not escaped | ||
| #2986 | Track Geolocation Of Users Using Contact Form 7 | 40 | 17 | 173 | 900 | Nonce verification recommended | ||
| #2987 | turboSMTP | 40 | 114 | 112 | 400 | Unsafe printing function | ||
| #2988 | Ultimate Dashboard – Custom WordPress Dashboard | 40 | 17 | 144 | 60k+ | Input is not sanitized | ||
| #2989 | Ultimate Noindex Nofollow Tool II | 40 | 38 | 51 | 3k+ | Input is not validated | ||
| #2990 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | Missing nonce verification | ||
| #2991 | UsersWP – ReCaptcha | 40 | 80 | 17 | 3k+ | Text Domain Mismatch | ||
| #2992 | UTM Leads Tracker – XLPlugins | 40 | 21 | 38 | 400 | Output is not escaped | ||
| #2993 | Visibility Control for LearnDash | 40 | 55 | 23 | 1k+ | Missing Arg Domain | ||
| #2994 | Visibility Control for LearnPress | 40 | 52 | 19 | 700 | Missing Arg Domain | ||
| #2995 | Visma Pay for Woocommerce | 40 | 27 | 37 | 2k+ | Output is not escaped | ||
| #2996 | Visual Builder for Contact Form 7 | 40 | 20 | 43 | 500 | Output is not escaped | ||
| #2997 | Visual Editor Custom Buttons | 40 | 30 | 48 | 4k+ | Output is not escaped | ||
| #2998 | WP Sticky Button – Click to Chat | 40 | 73 | 64 | 10k+ | Non-prefixed global variable | ||
| #2999 | Where Did You Hear About Us Checkout Field for WooCommerce | 40 | 57 | 66 | 1k+ | Output is not escaped | ||
| #3000 | Webo-facto | 40 | 41 | 99 | 800 | Nonce verification recommended |