WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3201 | Simple HTML Sitemap | 42 | 42 | 20 | 1k+ | Text Domain Mismatch | ||
| #3202 | Easy Demo Import for Omega Themes | 42 | 33 | 41 | 400 | Output is not escaped | ||
| #3203 | Easy Video Player | 42 | 20 | 20 | 20k+ | Output is not escaped | ||
| #3204 | Embedly | 42 | 17 | 38 | 2k+ | Output is not escaped | ||
| #3205 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #3206 | Exclude Pages | 42 | 31 | 14 | 20k+ | Non Singular String Literal Domain | ||
| #3207 | File Media Renamer | 42 | 16 | 42 | 2k+ | Input is not sanitized | ||
| #3208 | First payment date for WooCommerce Subscriptions | 42 | 42 | 19 | 400 | Output is not escaped | ||
| #3209 | Flamix: Bitrix24 and Contact Form 7 integrations | 42 | 79 | 4 | 1k+ | Output is not escaped | ||
| #3210 | Flexible Editor Panel for Elementor | 42 | 154 | 42 | 20k+ | Text Domain Mismatch | ||
| #3211 | FooTable | 42 | 86 | 7 | 1k+ | Output is not escaped | ||
| #3212 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | Text Domain Mismatch | ||
| #3213 | Lock Down Admin | 42 | 30 | 20 | 3k+ | Unsafe printing function | ||
| #3214 | Fusion Page Builder : Extension – Gallery | 42 | 29 | 30 | 600 | Output is not escaped | ||
| #3215 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | Nonce verification recommended | ||
| #3216 | Hide Featured Image | 42 | 26 | 12 | 10k+ | Unsafe printing function | ||
| #3217 | HTML Editor Syntax Highlighter | 42 | 30 | 21 | 50k+ | Output is not escaped | ||
| #3218 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #3219 | iOS images fixer | 42 | 22 | 42 | 6k+ | Nonce verification recommended | ||
| #3220 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #3221 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #3222 | LH Page Links To | 42 | 25 | 38 | 400 | Output is not escaped | ||
| #3223 | Image and Video Lightbox, Image PopUp | 42 | 53 | 15 | 1k+ | Output is not escaped | ||
| #3224 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | Unsafe printing function | ||
| #3225 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | Text Domain Mismatch | ||
| #3226 | Manage User Columns | 42 | 15 | 27 | 1k+ | Request data is not unslashed | ||
| #3227 | Mass Delete Unused Tags | 42 | 21 | 9 | 800 | Output is not escaped | ||
| #3228 | Mobile CSS | 42 | 59 | 7 | 500 | Output is not escaped | ||
| #3229 | My Upload Images | 42 | 74 | 48 | 400 | Unsafe printing function | ||
| #3230 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | Missing nonce verification | ||
| #3231 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | Output is not escaped | ||
| #3232 | OG Tags | 42 | 131 | 34 | 2k+ | Non Singular String Literal Domain | ||
| #3233 | OnPay.io for WooCommerce | 42 | 238 | 37 | 1k+ | Text Domain Mismatch | ||
| #3234 | PageMenu | 42 | 16 | 29 | 1k+ | Missing nonce verification | ||
| #3235 | PAYDUNYA WOOCOMMERCE PAR | 42 | 54 | 32 | 600 | Text Domain Mismatch | ||
| #3236 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | Output is not escaped | ||
| #3237 | Polylang Theme Strings | 42 | 119 | 30 | 6k+ | Output is not escaped | ||
| #3238 | Post Types Order | 42 | 45 | 43 | 600k+ | wp function not compatible with requires wp | ||
| #3239 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | Nonce verification recommended | ||
| #3240 | Posts Like Dislike | 42 | 157 | 39 | 5k+ | Non Singular String Literal Domain | ||
| #3241 | PuSHPress | 42 | 11 | 65 | 20k+ | Missing nonce verification | ||
| #3242 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | Output is not escaped | ||
| #3243 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | Output is not escaped | ||
| #3244 | Republish Old Posts | 42 | 83 | 24 | 2k+ | Output is not escaped | ||
| #3245 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | Output is not escaped | ||
| #3246 | SEO Backlink Monitor | 42 | 86 | 105 | 700 | Output is not escaped | ||
| #3247 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | Non Singular String Literal Domain | ||
| #3248 | Simple Sticky Footer | 42 | 57 | 16 | 600 | Missing Arg Domain | ||
| #3249 | SMTP Mailer | 42 | 51 | 49 | 70k+ | Unsafe printing function | ||
| #3250 | Speed Contact Bar | 42 | 53 | 20 | 4k+ | Output is not escaped |