WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3401 | DPO Pay for WooCommerce | 47 | 28 | 41 | 1k+ | Non Singular String Literal Text | ||
| #3402 | Extended CRM for Users Insights | 47 | 11 | 23 | 400 | Missing nonce verification | ||
| #3403 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 21 | 21 | 20k+ | Missing direct file access protection | ||
| #3404 | Gateway AqayePardakht for Woocommerce | 47 | 72 | 23 | 4k+ | Text Domain Mismatch | ||
| #3405 | Groups 404 Redirect | 47 | 35 | 33 | 1k+ | Non Singular String Literal Domain | ||
| #3406 | The Tribal Plugin | 47 | 43 | 62 | 700 | Non-prefixed function | ||
| #3407 | Userback | 47 | 13 | 20 | 2k+ | Output is not escaped | ||
| #3408 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | Missing direct file access protection | ||
| #3409 | Website Article Monetization By MageNet | 47 | 17 | 24 | 10k+ | Output is not escaped | ||
| #3410 | WP Custom Author URL | 47 | 16 | 38 | 5k+ | Non-prefixed global variable | ||
| #3411 | 3CX Free Live Chat, Calls & Messaging | 47 | 24 | 16 | 100k+ | Output is not escaped | ||
| #3412 | WP PHP Console | 47 | 18 | 24 | 500 | Output is not escaped | ||
| #3413 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #3414 | Post Status Notifications | 47 | 98 | 41 | 1k+ | Text Domain Mismatch | ||
| #3415 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | Non-prefixed global variable | ||
| #3416 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | Text Domain Mismatch | ||
| #3417 | BP Simple Private | 48 | 19 | 12 | 500 | Output is not escaped | ||
| #3418 | Comment Notifier | 48 | 10 | 55 | 400 | Non-prefixed global variable | ||
| #3419 | Convertful – Your Ultimate On-Site Conversion Tool | 48 | 15 | 34 | 3k+ | wp function not compatible with requires wp | ||
| #3420 | Current Menu Item for Custom Post Types | 48 | 18 | 30 | 2k+ | Non-prefixed global variable | ||
| #3421 | Custom Background Extended | 48 | 13 | 23 | 800 | Input is not validated | ||
| #3422 | Custom Header Extended | 48 | 19 | 11 | 1k+ | Unsafe printing function | ||
| #3423 | Fixed And Sticky Header | 48 | 31 | 7 | 1k+ | Output is not escaped | ||
| #3424 | JW Player for WordPress | 48 | 288 | 78 | 1k+ | Text Domain Mismatch | ||
| #3425 | Library Bookshelves | 48 | 12 | 59 | 500 | Nonce verification recommended | ||
| #3426 | Mailster Live | 48 | 22 | 37 | 600 | Missing Translators Comment | ||
| #3427 | MWW Disclaimer Buttons | 48 | 21 | 16 | 400 | Output is not escaped | ||
| #3428 | Raw HTML Snippets | 48 | 14 | 36 | 2k+ | Input is not sanitized | ||
| #3429 | Really Simple CSV Importer | 48 | 40 | 8 | 40k+ | Output is not escaped | ||
| #3430 | External Links | 48 | 42 | 13 | 9k+ | Output is not escaped | ||
| #3431 | Tako Movable Comments | 48 | 18 | 39 | 1k+ | Input is not sanitized | ||
| #3432 | ThemeFarmer Companion | 48 | 54 | 51 | 2k+ | Missing Version | ||
| #3433 | Trust Payments Gateway for WooCommerce | 48 | 35 | 29 | 400 | Missing Translators Comment | ||
| #3434 | Virtuaria PagBank / PagSeguro for WooCommerce | 48 | 12 | 160 | 1k+ | Non-prefixed global variable | ||
| #3435 | Whitelist IP For Limit Login Attempts | 48 | 18 | 12 | 500 | Output is not escaped | ||
| #3436 | Flutterwave Payment Gateway for WooCommerce | 48 | 14 | 22 | 2k+ | Output is not escaped | ||
| #3437 | WP Attachment Export | 48 | 16 | 25 | 600 | Input is not sanitized | ||
| #3438 | WP Login Form | 48 | 14 | 20 | 7k+ | Request data is not unslashed | ||
| #3439 | WP Remote Users Sync | 48 | 355 | 117 | 6k+ | Text Domain Mismatch | ||
| #3440 | Batcache | 49 | 12 | 53 | 700 | Input is not sanitized | ||
| #3441 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | Text Domain Mismatch | ||
| #3442 | Successful Redirection for Contact Form | 49 | 33 | 20 | 10k+ | Text Domain Mismatch | ||
| #3443 | Dashboard quick links widget | 49 | 22 | 16 | 700 | Output is not escaped | ||
| #3444 | Download Media Library | 49 | 22 | 40 | 1k+ | Text Domain Mismatch | ||
| #3445 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #3446 | Easy Google AdSense | 49 | 19 | 12 | 5k+ | Output is not escaped | ||
| #3447 | Easy Media Download | 49 | 20 | 15 | 9k+ | Output is not escaped | ||
| #3448 | Web Icons | 49 | 51 | 10 | 1k+ | Output is not escaped | ||
| #3449 | Plugins Last Updated Column | 49 | 21 | 14 | 700 | Output is not escaped | ||
| #3450 | Post/Page Specific Custom Code | 49 | 21 | 14 | 7k+ | Output is not escaped |