WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3701 | SHK Hide Title | 61 | 19 | 4 | 3k+ | Output is not escaped | ||
| #3702 | Slider Factory | 61 | 3 | 414 | 2k+ | Non-prefixed global variable | ||
| #3703 | SSL Certificate Manager | 61 | 14 | 7 | 600 | Output is not escaped | ||
| #3704 | Team Showcase | 61 | 1 | 125 | 1k+ | slow db query meta key | ||
| #3705 | Text Domain Inspector | 61 | 41 | 36 | 400 | Non-prefixed global variable | ||
| #3706 | Two Factor (2FA) Authentication via Email | 61 | 12 | 27 | 9k+ | Request data is not unslashed | ||
| #3707 | whatwedo ACF Cleaner | 61 | 8 | 20 | 800 | Input is not validated | ||
| #3708 | When Last Login – Export User Records | 61 | 18 | 13 | 500 | Output is not escaped | ||
| #3709 | Order Weight for WooCommerce | 61 | 24 | 34 | 600 | Text Domain Mismatch | ||
| #3710 | QR Code PicPay for WooCommerce | 61 | 15 | 25 | 600 | Non-prefixed global variable | ||
| #3711 | wp-cleanumlauts2 | 61 | 32 | 22 | 1k+ | Output is not escaped | ||
| #3712 | WP-CORS | 61 | 7 | 23 | 1k+ | error log error log | ||
| #3713 | WP Optin Wheel – Gamified Optin Email Marketing Tool for WordPress and WooCommerce | 61 | 22 | 74 | 1k+ | Non-prefixed global variable | ||
| #3714 | WP YouTube Player | 61 | 14 | 17 | 1k+ | Output is not escaped | ||
| #3715 | Add Meta Tag Keywords | 62 | 6 | 15 | 1k+ | Missing nonce verification | ||
| #3716 | AMP Contact FORM 7 – AMPCF7 | 62 | 9 | 13 | 500 | Input is not validated | ||
| #3717 | AMS Post And Page Duplicator | 62 | 14 | 13 | 600 | Text Domain Mismatch | ||
| #3718 | ARI Fancy Lightbox – Popup for WordPress | 62 | 8 | 107 | 10k+ | Non-prefixed namespace | ||
| #3719 | Bulk edit publish date | 62 | 11 | 16 | 1k+ | Nonce verification recommended | ||
| #3720 | Bulk Page Creator | 62 | 9 | 17 | 10k+ | Request data is not unslashed | ||
| #3721 | Carousel Slider | 62 | 71 | 30k+ | Non-prefixed global variable | |||
| #3722 | Christmas Panda | 62 | 14 | 45 | 400 | Input is not validated | ||
| #3723 | Dashboard Widget Sidebar | 62 | 9 | 16 | 400 | Input is not validated | ||
| #3724 | Devices for Elementor | 62 | 22 | 13 | 400 | Output is not escaped | ||
| #3725 | DreamHost Automated Migration | 62 | 15 | 23 | 20k+ | Output is not escaped | ||
| #3726 | Falcon – WordPress Optimizations & Tweaks | 62 | 47 | 66 | 2k+ | Short PHP open tag found | ||
| #3727 | Get Chat App | 62 | 10 | 62 | 400 | Request data is not unslashed | ||
| #3728 | Hestia Nginx Cache | 62 | 21 | 8 | 1k+ | Output is not escaped | ||
| #3729 | Import entries for Gravity Forms | 62 | 6 | 26 | 500 | Input is not validated | ||
| #3730 | MainWP Key Maker | 62 | 3 | 35 | 4k+ | Input is not sanitized | ||
| #3731 | Migrate To Liquid Web & Nexcess | 62 | 15 | 23 | 2k+ | Output is not escaped | ||
| #3732 | Nimbata Call Tracking | 62 | 13 | 11 | 400 | Non-prefixed function | ||
| #3733 | payOS | 62 | 19 | 26 | 500 | Request data is not unslashed | ||
| #3734 | Pressable Automated Migration | 62 | 15 | 23 | 3k+ | Output is not escaped | ||
| #3735 | Responsive Slider Gallery – Responsive Image Photo Slider | 62 | 32 | 122 | 2k+ | Non-prefixed global variable | ||
| #3736 | Easy SSL Plugin for SAKURA Rental Server | 62 | 23 | 17 | 50k+ | Input is not sanitized | ||
| #3737 | SEO Image Toolbox | 62 | 19 | 14 | 1k+ | Output is not escaped | ||
| #3738 | Single Post Template | 62 | 14 | 8 | 4k+ | Text Domain Mismatch | ||
| #3739 | Sitewide Notice WP | 62 | 6 | 13 | 3k+ | Output is not escaped | ||
| #3740 | Spam Comments Cleaner | 62 | 14 | 29 | 1k+ | Non-prefixed function | ||
| #3741 | WiserNotify – Social Proof & FOMO Notifications, WooCommerce Sales Popups, Reviews & Announcement Bar | 62 | 13 | 32 | 1k+ | Request data is not unslashed | ||
| #3742 | Satispay for WooCommerce | 62 | 19 | 12 | 7k+ | Exception output is not escaped | ||
| #3743 | WooCommerce Product Fees | 62 | 6 | 25 | 2k+ | Missing nonce verification | ||
| #3744 | WP Category Sort | 62 | 15 | 22 | 500 | Text Domain Mismatch | ||
| #3745 | WP Charts and Graphs – WordPress Chart Plugin | 62 | 8 | 29 | 1k+ | Input is not sanitized | ||
| #3746 | WP Downloader | 62 | 11 | 15 | 2k+ | Output is not escaped | ||
| #3747 | Wp Theme plugin Download | 62 | 11 | 16 | 2k+ | Output is not escaped | ||
| #3748 | Migrate to WordPress.com | 62 | 15 | 28 | 2k+ | Output is not escaped | ||
| #3749 | Automatic Featured Images from Videos | 63 | 13 | 13 | 7k+ | Missing direct file access protection | ||
| #3750 | Categories Images | 63 | 10 | 21 | 50k+ | wp function not compatible with requires wp |