WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3501 | Popular Brand Icons – Simple Icons | 51 | 20 | 12 | 3k+ | Output is not escaped | ||
| #3502 | Star Rating Field For Contact Form 7 | 51 | 36 | 7 | 800 | Output is not escaped | ||
| #3503 | StoryChief | 51 | 12 | 55 | 1k+ | Input is not sanitized | ||
| #3504 | The Cache Purger | 51 | 16 | 16 | 1k+ | Non Singular String Literal Text | ||
| #3505 | The Paste | 51 | 19 | 11 | 10k+ | Unsafe printing function | ||
| #3506 | VK Filter Search | 51 | 35 | 71 | 6k+ | Nonce verification recommended | ||
| #3507 | Payment Gateway Payoneer For WooCommerce | 51 | 9 | 35 | 900 | Input is not validated | ||
| #3508 | Swift SMTP (formerly Welcome Email Editor) | 51 | 12 | 62 | 7k+ | Missing nonce verification | ||
| #3509 | WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System | 51 | 22 | 38 | 5k+ | Output is not escaped | ||
| #3510 | YayMail – WooCommerce Email Customizer | 51 | 163 | 788 | 50k+ | Non-prefixed global variable | ||
| #3511 | Check Pincode For WooCommerce | 52 | 55 | 400 | Direct Query | |||
| #3512 | Debug This | 52 | 43 | 32 | 2k+ | Missing Translators Comment | ||
| #3513 | Full Screen Background | 52 | 24 | 26 | 2k+ | Missing direct file access protection | ||
| #3514 | Hangul font nanumgothic – google | 52 | 35 | 16 | 1k+ | Output is not escaped | ||
| #3515 | LeadBooster Chatbot by Pipedrive | 52 | 38 | 6 | 2k+ | Output is not escaped | ||
| #3516 | Metronet Tag Manager | 52 | 17 | 36 | 20k+ | Input is not validated | ||
| #3517 | Product Time Countdown for WooCommerce | 52 | 7 | 36 | 400 | Input is not sanitized | ||
| #3518 | SEOWriting | 52 | 10 | 24 | 30k+ | Output is not escaped | ||
| #3519 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #3520 | Custom Post Template By Templatic | 52 | 19 | 14 | 700 | Text Domain Mismatch | ||
| #3521 | TNC Toolbox: Web Performance | 52 | 20 | 25 | 1k+ | Output is not escaped | ||
| #3522 | Travel Map | 52 | 36 | 11 | 1k+ | Output is not escaped | ||
| #3523 | Notiqoo – Order Notification & Customer Chat for WooCommerce | 52 | 11 | 187 | 1k+ | Non-prefixed global variable | ||
| #3524 | which template file | 52 | 19 | 12 | 4k+ | Output is not escaped | ||
| #3525 | Thank You Page Customizer for WooCommerce – Increase Your Sales | 52 | 5 | 249 | 4k+ | Non-prefixed global variable | ||
| #3526 | Bulk Actions Select All | 53 | 26 | 22 | 800 | Text Domain Mismatch | ||
| #3527 | Download PDF After Submit Form | 53 | 2 | 45 | 500 | Input is not sanitized | ||
| #3528 | Elegant Custom Fonts | 53 | 15 | 17 | 3k+ | Output is not escaped | ||
| #3529 | Export Custom Pages | 53 | 22 | 19 | 700 | Output is not escaped | ||
| #3530 | File Manager | 53 | 41 | 68 | 10k+ | Missing direct file access protection | ||
| #3531 | Focus Videos | 53 | 36 | 9 | 400 | Text Domain Mismatch | ||
| #3532 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | Missing nonce verification | ||
| #3533 | Multiple external product URLs for WooCommerce | 53 | 28 | 17 | 400 | Text Domain Mismatch | ||
| #3534 | Multiple Post Thumbnails | 53 | 25 | 18 | 20k+ | Output is not escaped | ||
| #3535 | ONTRApages | 53 | 16 | 27 | 1k+ | Output is not escaped | ||
| #3536 | Post Type Converter | 53 | 5 | 28 | 1k+ | Nonce verification recommended | ||
| #3537 | Preserved HTML Editor Markup | 53 | 12 | 22 | 600 | Output is not escaped | ||
| #3538 | Preserved HTML Editor Markup Plus | 53 | 12 | 22 | 3k+ | Output is not escaped | ||
| #3539 | Pure Metafields | 53 | 5 | 130 | 10k+ | Non-prefixed global variable | ||
| #3540 | Send Email From Admin | 53 | 27 | 13 | 700 | Text Domain Mismatch | ||
| #3541 | Simple Copy Post Button | 53 | 14 | 24 | 400 | Input is not sanitized | ||
| #3542 | Skroutz Analytics for WooCommerce | 53 | 57 | 15 | 1k+ | Text Domain Mismatch | ||
| #3543 | Social Media Widget | 53 | 90 | 21 | 30k+ | Text Domain Mismatch | ||
| #3544 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable | ||
| #3545 | Widget Context | 53 | 14 | 20 | 40k+ | Non-prefixed hook name | ||
| #3546 | WP User Switch | 53 | 8 | 46 | 1k+ | Input is not sanitized | ||
| #3547 | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | 54 | 8 | 382 | 2k+ | Non-prefixed global variable | ||
| #3548 | Better Admin Bar | 54 | 27 | 63 | 3k+ | Non-prefixed global variable | ||
| #3549 | Blockskit | 54 | 33 | 29 | 8k+ | Text Domain Mismatch | ||
| #3550 | Boostify Header Footer Builder for Elementor | 54 | 419 | 55 | 7k+ | Text Domain Mismatch |