WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
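The three fixes above, applied to one admin-post handler that changes a post's status. This is an added illustration, not code from any plugin in the list; the `myplg_` prefix, the nonce action name, the `return_to` field and the allowed statuses are constructed for the example.

```php
<?php
// BEFORE: sanitized but never validated. This is the pattern the sniff flags:
// request values flow into the operation with no proof that they are acceptable.
function myplg_set_status_unvalidated() {
    $post_id = sanitize_text_field( wp_unslash( $_POST['post_id'] ?? '' ) );
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    // "abc" or "-5" survive sanitization; any post ID and any status string are accepted.
    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
}

// AFTER: nonce, capability, type, range, allowlist and URL checks; failures are rejected or defaulted.
function myplg_set_status_validated() {
    // 1. State-changing request: prove it came from our form (dies on a bad or missing nonce).
    check_admin_referer( 'myplg_set_status' ); // constructed nonce action name

    // 2. Type and range check: an ID must be a positive integer that names an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( $post_id <= 0 || ! get_post( $post_id ) ) {
        wp_die( 'Invalid post ID.', '', array( 'response' => 400 ) );
    }

    // 3. Capability check scoped to the object, not just "is logged in".
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 4. Allowlist check for the enum-like value; safely default instead of trusting the raw string.
    $allowed = array( 'draft', 'pending', 'publish' ); // constructed allowlist
    $status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : 'draft';
    if ( ! in_array( $status, $allowed, true ) ) {
        $status = 'draft';
    }

    // 5. Constrain the URL: wp_validate_redirect() only keeps locations on allowed hosts,
    //    otherwise it returns the fallback, so an open redirect is not possible here.
    $return_to = isset( $_POST['return_to'] ) ? esc_url_raw( wp_unslash( $_POST['return_to'] ) ) : '';
    $return_to = wp_validate_redirect( $return_to, admin_url() );

    wp_update_post( array( 'ID' => $post_id, 'post_status' => $status ) );
    wp_safe_redirect( $return_to );
    exit;
}
add_action( 'admin_post_myplg_set_status', 'myplg_set_status_validated' );
```

The form that posts to this handler must emit the matching nonce field with `wp_nonce_field( 'myplg_set_status' )`, otherwise every request is rejected at step 1.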
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #301 | Brave Popup Builder – Popup, Optins, Lead Generation, Survey & Interactive Content | 23 | 238 | 294 | 20k+ | | | error_log_print_r |
| #302 | BSK PDF Manager | 23 | 1,576 | 625 | 7k+ | | | Text Domain Mismatch |
| #303 | BuddyDrive | 23 | 722 | 1,597 | 1k+ | | | Non-prefixed global variable |
| #304 | Builderall for WordPress | 23 | 4,782 | 1,308 | 1k+ | | | Text Domain Mismatch |
| #305 | Announcement & Notification Banner – Bulletin | 23 | 930 | 1,576 | 2k+ | | | Non-prefixed global variable |
| #306 | Burger Companion | 23 | 3,274 | 472 | 10k+ | | | Text Domain Mismatch |
| #307 | Business Directory Plugin – Easy Listing Directories for WordPress | 23 | 611 | 1,058 | 10k+ | | | Non-prefixed global variable |
| #308 | Captivate Sync | 23 | 174 | 557 | 1k+ | | | Non-prefixed global variable |
| #309 | Cart Notices for WooCommerce | 23 | 650 | 471 | 2k+ | | | Text Domain Mismatch |
| #310 | Products Suggestions for WooCommerce | 23 | 718 | 502 | 700 | | | Output is not escaped |
| #311 | Geo Controller | 23 | 203 | 544 | 1k+ | | | Non-prefixed global variable |
| #312 | WPBot – AI ChatBot for Live Support, Lead Generation, AI Services | 23 | 264 | 1,038 | 5k+ | | | Non-prefixed global variable |
| #313 | Church Admin | 23 | 1,643 | 4,202 | 900 | | | Direct Query |
| #314 | Classified Listing – AI-Powered Classified ads & Business Directory | 23 | 155 | 2,074 | 9k+ | | | Non-prefixed global variable |
| #315 | CLUEVO LMS, E-Learning Platform | 23 | 1,843 | 1,176 | 400 | | | Text Domain Mismatch |
| #316 | Content Aware Sidebars – Fastest Widget Area Plugin | 23 | 993 | 1,738 | 30k+ | | | Non-prefixed global variable |
| #317 | Content Egg – Affiliate Product Importer & Price Comparison | 23 | 1,231 | 1,257 | 10k+ | | | Non-prefixed global variable |
| #318 | Content Views – Post Grid & Filter, Recent Posts, Category Posts … (Shortcode, Gutenberg Blocks, and Widgets for Elementor) | 23 | 306 | 587 | 100k+ | | | Dynamic hook name |
| #319 | Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe | 23 | 9,310 | 26,642 | 1k+ | | | Non-prefixed global variable |
| #320 | Free Theme Builder for Elementor – CRT Addons (Header, Footer, Archive, WooCommerce & 50+ Widgets) | 23 | 791 | 2,331 | 400 | | | Non-prefixed global variable |
| #321 | Currency Exchange for WooCommerce | 23 | 703 | 502 | 500 | | | Output is not escaped |
| #322 | CWW Companion | 23 | 307 | 223 | 1k+ | | | Output is not escaped |
| #323 | Auto Post Cleaner | 23 | 715 | 1,378 | 1k+ | | | Non-prefixed global variable |
| #324 | Disable Bloat for WordPress & WooCommerce | 23 | 863 | 1,325 | 10k+ | | | Non-prefixed global variable |
| #325 | DK PDF – WordPress PDF Generator | 23 | 744 | 335 | 3k+ | | | Exception output is not escaped |
| #326 | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy | 23 | 170 | 821 | 40k+ | | | Non-prefixed global variable |
| #327 | Double Opt-In for Contact Form 7 & Avada – Secure, GDPR-Compliant Email Verification | 23 | 675 | 643 | 1k+ | | | Unsafe printing function |
| #328 | Easy Age Verify | 23 | 1,138 | 2,631 | 1k+ | | | Non-prefixed global variable |
| #329 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | 23 | 3,723 | 10,283 | 40k+ | | | Non-prefixed namespace |
| #330 | Marijuana Age Verify | 23 | 1,154 | 2,630 | 1k+ | | | Non-prefixed global variable |
| #331 | EazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ Builder | 23 | 356 | 1,515 | 2k+ | | | Non-prefixed global variable |
| #332 | Ecwid by Lightspeed Ecommerce Shopping Cart | 23 | 339 | 307 | 20k+ | | | Missing direct file access protection |
| #333 | Error Log Monitor | 23 | 694 | 1,414 | 20k+ | | | Non-prefixed global variable |
| #334 | Essential Real Estate | 23 | 529 | 5,060 | 8k+ | | | Non-prefixed global variable |
| #335 | EventON – Events Calendar | 23 | 2,585 | 1,021 | 6k+ | | | Text Domain Mismatch |
| #336 | Events Addon for Elementor | 23 | 779 | 1,339 | 7k+ | | | Non-prefixed global variable |
| #337 | Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder with AI | 23 | 395 | 1,342 | 90k+ | | | Non-prefixed global variable |
| #338 | Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | 23 | 386 | 999 | 500 | | | Non-prefixed global variable |
| #339 | Ezoic | 23 | 432 | 516 | 10k+ | | | Output is not escaped |
| #340 | Fastcache by Host.it | 23 | 1,327 | 203 | 600 | | | Text Domain Mismatch |
| #341 | Feed Them Social – Social Media Feeds, Video, and Photo Galleries | 23 | 563 | 535 | 20k+ | | | Output is not escaped |
| #342 | Filr – Secure document library | 23 | 775 | 1,317 | 800 | | | Non-prefixed global variable |
| #343 | Finpose – Accounting for WooCommerce | 23 | 1,649 | 1,307 | 400 | | | Non-prefixed global variable |
| #344 | Image Photo Gallery Final Tiles Grid | 23 | 578 | 1,502 | 20k+ | | | Non-prefixed global variable |
| #345 | Flexmls® IDX Plugin | 23 | 1,268 | 957 | 1k+ | | | Output is not escaped |
| #346 | Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder | 23 | 4,746 | 1,279 | 30k+ | | | Non Singular String Literal Domain |
| #347 | Freshdesk (official) | 23 | 194 | 386 | 900 | | | Non-prefixed function |
| #348 | Front End PM | 23 | 978 | 2,264 | 5k+ | | | Non-prefixed global variable |
| #349 | Tracking and Consent Manager – WP Full Picture | 23 | 1,280 | 3,223 | 3k+ | | | Non-prefixed global variable |
| #350 | Fuse Social Floating Sidebar | 23 | 1,840 | 1,573 | 10k+ | | | Non-prefixed global variable |