WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3451 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function | ||
| #3452 | Secondary Product Image for WooCommerce | 49 | 25 | 29 | 2k+ | Output is not escaped | ||
| #3453 | Simple MyISAM to InnoDB | 49 | 11 | 22 | 1k+ | Output is not escaped | ||
| #3454 | SKT Themes Demo Import | 49 | 218 | 104 | 4k+ | Text Domain Mismatch | ||
| #3455 | Songkick Concerts and Festivals | 49 | 9 | 48 | 500 | Input is not sanitized | ||
| #3456 | SpinupWP | 49 | 43 | 38 | 30k+ | Non-prefixed function | ||
| #3457 | UiCore Animate – Free Animations, Transitions, and Interactions Addon for Elementor & Gutenberg blocks | 49 | 34 | 38 | 40k+ | Missing direct file access protection | ||
| #3458 | Was This Helpful? | 49 | 19 | 28 | 1k+ | Output is not escaped | ||
| #3459 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | Non-prefixed global variable | ||
| #3460 | WooBuilder | 49 | 20 | 17 | 700 | Output is not escaped | ||
| #3461 | Product Slider, Product Grid, Product Masonry | 49 | 55 | 144 | 10k+ | wp function not compatible with requires wp | ||
| #3462 | WP User Groups | 49 | 44 | 32 | 600 | Missing Translators Comment | ||
| #3463 | Aspexi Social Media Sidebox | 50 | 175 | 12 | 700 | Text Domain Mismatch | ||
| #3464 | Auto Ping Booster Free | 50 | 18 | 21 | 900 | Setting is missing a sanitization callback | ||
| #3465 | BuddyPress Groups Extras | 50 | 30 | 51 | 400 | Missing direct file access protection | ||
| #3466 | Category AJAX Filter — Advanced Filter for Posts & Custom Post Types | 50 | 2 | 435 | 6k+ | Non-prefixed global variable | ||
| #3467 | Page Builder Gutenberg Blocks – CoBlocks | 50 | 167 | 36 | 300k+ | block api version too low | ||
| #3468 | Customize Tawk.to Widget | 50 | 21 | 28 | 500 | Request data is not unslashed | ||
| #3469 | Disable Site | 50 | 26 | 3 | 4k+ | Output is not escaped | ||
| #3470 | Event Organiser CSV | 50 | 28 | 27 | 600 | Output is not escaped | ||
| #3471 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | Request data is not unslashed | ||
| #3472 | Headline Analyzer | 50 | 13 | 31 | 1k+ | Nonce verification recommended | ||
| #3473 | HT Slider For Elementor | 50 | 884 | 40 | 20k+ | Text Domain Mismatch | ||
| #3474 | Mailster Gravity Forms | 50 | 46 | 32 | 800 | Text Domain Mismatch | ||
| #3475 | MB Custom Post Types & Custom Taxonomies | 50 | 61 | 55 | 10k+ | Missing Translators Comment | ||
| #3476 | Pago por Redsys | 50 | 44 | 59 | 700 | Text Domain Mismatch | ||
| #3477 | PostmagThemes Demo Import | 50 | 191 | 114 | 1k+ | Text Domain Mismatch | ||
| #3478 | 📷 Simple QR Code Generator Widget | 50 | 21 | 14 | 400 | Output is not escaped | ||
| #3479 | Section Widget | 50 | 24 | 35 | 500 | Nonce verification recommended | ||
| #3480 | Theme Demo Import | 50 | 101 | 95 | 5k+ | Non-prefixed hook name | ||
| #3481 | BestWebSoft's Twitter | 50 | 477 | 174 | 900 | Text Domain Mismatch | ||
| #3482 | Ultimate WooCommerce Brands | 50 | 87 | 12 | 400 | Text Domain Mismatch | ||
| #3483 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #3484 | Cart Popup for WooCommerce | 51 | 9 | 115 | 9k+ | Non-prefixed global variable | ||
| #3485 | Address Geocoder | 51 | 12 | 18 | 500 | Output is not escaped | ||
| #3486 | Aspexi Social Media Slider | 51 | 177 | 15 | 2k+ | Text Domain Mismatch | ||
| #3487 | AVIF Uploader | 51 | 49 | 44 | 4k+ | Missing Arg Domain | ||
| #3488 | Feeds for TikTok – Display Video Feeds in Grid Layouts | 51 | 18 | 59 | 1k+ | Request data is not unslashed | ||
| #3489 | Booqable Rental Plugin | 51 | 81 | 18 | 1k+ | wp function not compatible with requires wp | ||
| #3490 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared | ||
| #3491 | CloudFilt Bot & Spam Protection | 51 | 11 | 22 | 600 | Output is not escaped | ||
| #3492 | Dynamic Pricing and Discount Rules | 51 | 24 | 65 | 1k+ | Non Singular String Literal Text | ||
| #3493 | Dolyame Payment gateway | 51 | 122 | 10 | 700 | Text Domain Mismatch | ||
| #3494 | Gravity Forms No CAPTCHA reCAPTCHA | 51 | 30 | 17 | 10k+ | Text Domain Mismatch | ||
| #3495 | Gutenverse – WordPress Blocks, Page Builder & Site Editor | 51 | 17 | 47 | 20k+ | Non-prefixed hook name | ||
| #3496 | KIA Subtitle | 51 | 21 | 19 | 7k+ | Non-prefixed global variable | ||
| #3497 | POLi Payments for WooCommerce | 51 | 62 | 26 | 500 | Text Domain Mismatch | ||
| #3498 | Quotes and Tips by BestWebSoft | 51 | 485 | 190 | 1k+ | Text Domain Mismatch | ||
| #3499 | Security-Protection | 51 | 5 | 32 | 400 | Missing nonce verification | ||
| #3500 | Simple Cookie Notification Bar | 51 | 49 | 6 | 1k+ | Text Domain Mismatch |