WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3601 | Kwayy HTML Sitemap | 56 | 13 | 19 | 6k+ | Missing nonce verification | ||
| #3602 | Free Live Chat Support | 56 | 9 | 20 | 600 | Output is not escaped | ||
| #3603 | Maya Business Plugin | 56 | 9 | 39 | 600 | Input is not validated | ||
| #3604 | Pluginception | 56 | 7 | 29 | 4k+ | Request data is not unslashed | ||
| #3605 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized | ||
| #3606 | Image Optimization For SEO | 56 | 116 | 69 | 3k+ | Non Singular String Literal Domain | ||
| #3607 | TextBuilder | 56 | 20 | 34 | 4k+ | Missing Arg Domain | ||
| #3608 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | Unsafe printing function | ||
| #3609 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | Missing nonce verification | ||
| #3610 | easy AMP | 56 | 10 | 24 | 600 | Input is not sanitized | ||
| #3611 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | Output is not escaped | ||
| #3612 | BestWebSoft’s Pinterest | 57 | 490 | 176 | 500 | Text Domain Mismatch | ||
| #3613 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #3614 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | Unsafe printing function | ||
| #3615 | Disable Cart Fragments by Optimocha | 57 | 8 | 13 | 10k+ | Nonce verification recommended | ||
| #3616 | Easy GDPR Consent Forms – MailChimp | 57 | 72 | 22 | 500 | Text Domain Mismatch | ||
| #3617 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | Missing Arg Domain | ||
| #3618 | APG Google Image Sitemap Feed | 57 | 36 | 33 | 900 | Non-prefixed global variable | ||
| #3619 | Gravity PDF | 57 | 116 | 152 | 20k+ | Non-prefixed global variable | ||
| #3620 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | Input is not sanitized | ||
| #3621 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #3622 | Jquery Validation For Contact Form 7 | 57 | 16 | 19 | 9k+ | Missing direct file access protection | ||
| #3623 | JSON API User | 57 | 17 | 34 | 1k+ | Non-prefixed hook name | ||
| #3624 | Monri Payments | 57 | 141 | 47 | 900 | Text Domain Mismatch | ||
| #3625 | My WordPress Login Logo | 57 | 28 | 36 | 10k+ | Non-prefixed global variable | ||
| #3626 | Plethora Plugins Tabs + Accordions | 57 | 44 | 10 | 2k+ | Output is not escaped | ||
| #3627 | Plugin Notes | 57 | 17 | 29 | 400 | Input is not validated | ||
| #3628 | Protected Posts Logout Button | 57 | 10 | 20 | 1k+ | Input is not sanitized | ||
| #3629 | Real-Time Find and Replace | 57 | 23 | 10 | 70k+ | Output is not escaped | ||
| #3630 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | Input is not validated | ||
| #3631 | Replain | 57 | 21 | 9 | 700 | Output is not escaped | ||
| #3632 | Search Exclude | 57 | 73 | 40 | 50k+ | Text Domain Mismatch | ||
| #3633 | Site Health Tool Manager | 57 | 13 | 5 | 1k+ | Unsafe printing function | ||
| #3634 | Responsive Slideshow – Photo Carousel | 57 | 1 | 74 | 2k+ | Non-prefixed global variable | ||
| #3635 | Timologia for WooCommerce | 57 | 75 | 22 | 3k+ | Text Domain Mismatch | ||
| #3636 | WP Adsterra Dashboard | 57 | 22 | 21 | 400 | wp function not compatible with requires wp | ||
| #3637 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | Not Allowed | ||
| #3638 | WP Wrapper | 57 | 13 | 29 | 600 | Input is not validated | ||
| #3639 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #3640 | Customization for WP SEO | 58 | 15 | 10 | 2k+ | Unsafe printing function | ||
| #3641 | Gutenverse Form – Contact Form Builder, Block Form & Booking Form | 58 | 17 | 48 | 10k+ | Nonce verification recommended | ||
| #3642 | HAL | 58 | 106 | 24 | 500 | Text Domain Mismatch | ||
| #3643 | Houzez WooCommerce Addon | 58 | 22 | 21 | 4k+ | Missing Translators Comment | ||
| #3644 | Menu Swapper | 58 | 20 | 14 | 3k+ | Output is not escaped | ||
| #3645 | Nginx Cache | 58 | 12 | 8 | 10k+ | Unsafe printing function | ||
| #3646 | Remove CPT base | 58 | 15 | 16 | 10k+ | Input is not sanitized | ||
| #3647 | REVIEWS.io for WooCommerce | 58 | 71 | 161 | 1k+ | Non-prefixed global variable | ||
| #3648 | Safety Exit | 58 | 52 | 26 | 1k+ | Text Domain Mismatch | ||
| #3649 | Simple Back To Top | 58 | 15 | 43 | 3k+ | Non-prefixed global variable | ||
| #3650 | Simple CSS for widgets | 58 | 11 | 15 | 1k+ | Missing nonce verification |