WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3251 | Squelch Tabs and Accordions Shortcodes | 42 | 57 | 51 | 1k+ | Unsafe printing function | ||
| #3252 | Staffer | 42 | 88 | 42 | 600 | Output is not escaped | ||
| #3253 | Sticky Add To Cart Bar For WooCommerce | 42 | 46 | 54 | 600 | Output is not escaped | ||
| #3254 | Sticky Floating Button (Book Now, Contact, Call To Action…) | 42 | 95 | 26 | 900 | Missing Arg Domain | ||
| #3255 | Combine Social Photos | Still BE | 42 | 33 | 281 | 700 | Non-prefixed global variable | ||
| #3256 | ThemeZee Widget Bundle | 42 | 211 | 58 | 5k+ | Output is not escaped | ||
| #3257 | Transients Manager | 42 | 45 | 50 | 20k+ | Output is not escaped | ||
| #3258 | Two Factor | 42 | 18 | 70 | 100k+ | Nonce verification recommended | ||
| #3259 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 9k+ | Non-prefixed global variable | ||
| #3260 | UPI QR Code Payment Gateway | 42 | 179 | 28 | 1k+ | Text Domain Mismatch | ||
| #3261 | Usermaven | 42 | 36 | 77 | 1k+ | Request data is not unslashed | ||
| #3262 | Vast Demo Import | 42 | 180 | 113 | 600 | Text Domain Mismatch | ||
| #3263 | Vertical marquee post title | 42 | 109 | 68 | 400 | Output is not escaped | ||
| #3264 | WC Speed Repair | 42 | 34 | 74 | 1k+ | Non-prefixed global variable | ||
| #3265 | WebPlanex: GST Invoice India | 42 | 63 | 63 | 400 | Text Domain Mismatch | ||
| #3266 | Widget Visibility Time Scheduler | 42 | 70 | 34 | 1k+ | Output is not escaped | ||
| #3267 | Auto Coupons for WooCommerce | 42 | 82 | 68 | 4k+ | Output is not escaped | ||
| #3268 | TT Extra Fee Option for WooCommerce | 42 | 37 | 19 | 1k+ | Output is not escaped | ||
| #3269 | Dynamic Remarketing for Google Ads and WooCommerce | 42 | 32 | 15 | 2k+ | Output is not escaped | ||
| #3270 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | Request data is not unslashed | ||
| #3271 | WP Content Copy Protection & No Right Click | 42 | 126 | 135 | 100k+ | Unsafe printing function | ||
| #3272 | WP Cron Cleaner | 42 | 51 | 38 | 500 | Unsafe printing function | ||
| #3273 | WP Media Category Management | 42 | 10 | 176 | 6k+ | Nonce verification recommended | ||
| #3274 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable | ||
| #3275 | WP Responsive Table | 42 | 42 | 10 | 6k+ | Output is not escaped | ||
| #3276 | WP Widget Clipboard – Duplicate widgets intuitively | 42 | 51 | 19 | 800 | Output is not escaped | ||
| #3277 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #3278 | WPTerm | 42 | 61 | 89 | 3k+ | Output is not escaped | ||
| #3279 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #3280 | Admin Custom Login | 43 | 238 | 20k+ | Request data is not unslashed | |||
| #3281 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | Nonce verification recommended | ||
| #3282 | Advanced FAQ Manager | 43 | 8 | 59 | 2k+ | Input is not sanitized | ||
| #3283 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | Non Singular String Literal Domain | ||
| #3284 | AMP | 43 | 63 | 362 | 400k+ | Non-prefixed hook name | ||
| #3285 | Animation Builder – An interface for adding scroll-triggered animations | 43 | 7 | 67 | 800 | Missing Version | ||
| #3286 | Anonymous Restricted Content | 43 | 22 | 24 | 1k+ | Unsafe printing function | ||
| #3287 | Anti-spam Reloaded | 43 | 19 | 19 | 2k+ | Output is not escaped | ||
| #3288 | BMI Adult & Kid Calculator | 43 | 33 | 138 | 700 | Request data is not unslashed | ||
| #3289 | Category Editor | 43 | 54 | 18 | 8k+ | Unsafe printing function | ||
| #3290 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | Output is not escaped | ||
| #3291 | Simple Mortgage Calculator | 43 | 67 | 3 | 1k+ | Text Domain Mismatch | ||
| #3292 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #3293 | Disable WP Notification | 43 | 74 | 25 | 10k+ | Output is not escaped | ||
| #3294 | Easy PayPal Shopping Cart | 43 | 19 | 40 | 1k+ | Input is not sanitized | ||
| #3295 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | Missing direct file access protection | ||
| #3296 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | Input is not sanitized | ||
| #3297 | Per User Prompt for Google Authenticator | 43 | 8 | 52 | 400 | Nonce verification recommended | ||
| #3298 | Event Tracking for Gravity Forms | 43 | 34 | 25 | 20k+ | rand mt rand | ||
| #3299 | Insert Blocks Before or After Posts Content | 43 | 42 | 15 | 1k+ | Output is not escaped | ||
| #3300 | Logo Slider WP – Responsive Logo Carousel, Logo Gallery & Logo Showcase | 43 | 22 | 255 | 10k+ | Non-prefixed global variable |