WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3751 | Creative Clans Embed Script | 63 | 10 | 9 | 600 | Input is not sanitized | ||
| #3752 | Email Post Changes | 63 | 43 | 8 | 500 | Missing Arg Domain | ||
| #3753 | Happierleads – Identify your B2B website visitors even if they work remotely | 63 | 32 | 7 | 600 | wp function not compatible with requires wp | ||
| #3754 | Hide Admin Bar From Front End | 63 | 8 | 17 | 1k+ | Input is not validated | ||
| #3755 | Image Sitemap | 63 | 11 | 14 | 400 | Output is not escaped | ||
| #3756 | IndexNow Plugin | 63 | 14 | 91 | 100k+ | error log error log | ||
| #3757 | Missed Scheduled Posts Publisher by WPBeginner | 63 | 16 | 17 | 30k+ | Text Domain Mismatch | ||
| #3758 | One Tap Google Sign in | 63 | 6 | 30 | 900 | Request data is not unslashed | ||
| #3759 | Simple Membership After Login Redirection | 63 | 4 | 24 | 10k+ | Missing nonce verification | ||
| #3760 | Slightly troublesome permalink | 63 | 24 | 10 | 1k+ | Non Singular String Literal Domain | ||
| #3761 | UniqueID for Contact Form 7 | 64 | 21 | 18 | 2k+ | Text Domain Mismatch | ||
| #3762 | CV Demo Importer | 64 | 21 | 95 | 400 | Non-prefixed global variable | ||
| #3763 | Download Theme | 64 | 18 | 20 | 4k+ | wp function not compatible with requires wp | ||
| #3764 | Estonian Shipping Methods for WooCommerce | 64 | 97 | 16 | 1k+ | Text Domain Mismatch | ||
| #3765 | Evermore | 64 | 8 | 12 | 1k+ | Input is not validated | ||
| #3766 | Favicon XT-Manager | 64 | 9 | 12 | 2k+ | Output is not escaped | ||
| #3767 | Nofollow for external link | 64 | 8 | 5 | 10k+ | Output is not escaped | ||
| #3768 | Stancer for WooCommerce | 64 | 2 | 108 | 400 | Non-prefixed global variable | ||
| #3769 | WP REST Cache | 64 | 11 | 113 | 10k+ | Direct Query | ||
| #3770 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | Input is not sanitized | ||
| #3771 | Custom Global Variables | 65 | 14 | 12 | 5k+ | Output is not escaped | ||
| #3772 | Dojo for WooCommerce | 65 | 71 | 13 | 800 | Text Domain Mismatch | ||
| #3773 | EDD Hide Download | 65 | 13 | 13 | 600 | Output is not escaped | ||
| #3774 | Email Tracker | 65 | 25 | 4 | 800 | SQL query is not prepared | ||
| #3775 | Live Chat with Messenger Customer Chat | 65 | 10 | 23 | 3k+ | Input is not sanitized | ||
| #3776 | Futy.io Leadbots | 65 | 73 | 9 | 2k+ | wp function not compatible with requires wp | ||
| #3777 | HTACCESS IP Blocker | 65 | 5 | 14 | 2k+ | Missing nonce verification | ||
| #3778 | Multi Image Metabox | 65 | 17 | 8 | 6k+ | Output is not escaped | ||
| #3779 | Read More Excerpt Link | 65 | 19 | 8 | 3k+ | Output is not escaped | ||
| #3780 | Redirect 404 to Home Page – Custom URL | 65 | 7 | 11 | 4k+ | Output is not escaped | ||
| #3781 | Slider Revolution Search Replace | 65 | 5 | 14 | 900 | Input is not validated | ||
| #3782 | Web and WooCommerce Addons for WPBakery Builder | 65 | 497 | 123 | 1k+ | Text Domain Mismatch | ||
| #3783 | VK Link Target Controller | 65 | 13 | 10 | 30k+ | Output is not escaped | ||
| #3784 | ACF: Rus-To-Lat | 66 | 15 | 11 | 2k+ | Output is not escaped | ||
| #3785 | Bulk Term Generator – Import multiple tags, categories, and taxonomies easily | 66 | 8 | 31 | 2k+ | Request data is not unslashed | ||
| #3786 | Calculated fields for ACF | 66 | 5 | 18 | 1k+ | Non-prefixed global variable | ||
| #3787 | Social comments by WpDevArt | 66 | 9 | 19 | 8k+ | Missing Version | ||
| #3788 | Cookie Warning | 66 | 14 | 15 | 700 | Non-prefixed function | ||
| #3789 | Custom Author Byline | 66 | 11 | 8 | 500 | Output is not escaped | ||
| #3790 | Debug Log Manager – Conveniently Monitor and Inspect Errors | 66 | 33 | 44 | 10k+ | Input is not validated | ||
| #3791 | Duplicate Menu | 66 | 11 | 7 | 100k+ | Unsafe printing function | ||
| #3792 | Elementic | 66 | 22 | 9 | 900 | Text Domain Mismatch | ||
| #3793 | FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | 66 | 26 | 30 | 6k+ | Missing direct file access protection | ||
| #3794 | Goaffpro Affiliate Marketing | 66 | 6 | 28 | 4k+ | Nonce verification recommended | ||
| #3795 | Hide Title | 66 | 13 | 6 | 30k+ | Output is not escaped | ||
| #3796 | HiFi (Head Injection, Foot Injection) | 66 | 13 | 11 | 2k+ | Output is not escaped | ||
| #3797 | IranDargah Payment Gateway for Woocommerce | 66 | 66 | 26 | 400 | Text Domain Mismatch | ||
| #3798 | Leadpages | 66 | 6 | 62 | 10k+ | Direct Query | ||
| #3799 | Page Meta | 66 | 26 | 14 | 700 | Missing Arg Domain | ||
| #3800 | Product Code for WooCommerce | 66 | 13 | 54 | 1k+ | Missing direct file access protection |