WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3801 | Mailchimp Widget by ProteusThemes | 66 | 17 | 9 | 1k+ | Output is not escaped | ||
| #3802 | Safe Redirect Manager | 66 | 9 | 60 | 40k+ | Non-prefixed hook name | ||
| #3803 | WP Simple Adsense Insertion | 66 | 3 | 29 | 3k+ | Input is not validated | ||
| #3804 | WP Multisite User Sync/Unsync | 66 | 15 | 31 | 700 | Missing Arg Domain | ||
| #3805 | Affiliates Manager Google reCAPTCHA Integration | 67 | 18 | 10 | 400 | Request data is not unslashed | ||
| #3806 | Custom CSS Pro | 67 | 17 | 6 | 7k+ | Output is not escaped | ||
| #3807 | Duplicate TEC Event | 67 | 12 | 10 | 900 | date date | ||
| #3808 | Dynamic Text Field For Contact Form 7 | 67 | 20 | 7 | 1k+ | Unsafe printing function | ||
| #3809 | Forget Spam Comment | 67 | 5 | 10 | 10k+ | Input is not sanitized | ||
| #3810 | Hide Page And Post Title | 67 | 11 | 8 | 40k+ | Output is not escaped | ||
| #3811 | Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize | 67 | 293 | 80 | 9k+ | Text Domain Mismatch | ||
| #3812 | Leadster | 67 | 6 | 10 | 4k+ | Non-prefixed function | ||
| #3813 | Manage Upload Types | 67 | 7 | 13 | 400 | Output is not escaped | ||
| #3814 | MetaTag | 67 | 7 | 13 | 600 | Input is not validated | ||
| #3815 | Notely | 67 | 6 | 17 | 600 | Non-prefixed function | ||
| #3816 | Per Page Sidebars | 67 | 12 | 11 | 900 | Input is not validated | ||
| #3817 | Safelayout Elegant Icons – WordPress icons | 67 | 3 | 17 | 700 | Input is not validated | ||
| #3818 | Shoutcast Icecast HTML5 Radio Player | 67 | 17 | 10 | 1k+ | Input is not validated | ||
| #3819 | Cart links for WooCommerce | 67 | 13 | 16 | 500 | Text Domain Mismatch | ||
| #3820 | BitPay Gateway for WooCommerce | 67 | 64 | 21 | 400 | Text Domain Mismatch | ||
| #3821 | Payment Gateway for Cpay with WooCommerce | 67 | 67 | 26 | 400 | wp function not compatible with requires wp | ||
| #3822 | WP Image Zoom | 67 | 30 | 46 | 10k+ | Non-prefixed global variable | ||
| #3823 | WP SMTP Mailer – SMTP7 | 67 | 2 | 33 | 9k+ | Request data is not unslashed | ||
| #3824 | WP Notification Bars | 67 | 13 | 32 | 10k+ | Request data is not unslashed | ||
| #3825 | Book Previewer for Woocommerce | 68 | 23 | 40 | 1k+ | Non-prefixed global variable | ||
| #3826 | Category Featured Images | 68 | 5 | 12 | 600 | Input is not sanitized | ||
| #3827 | Collapsing Categories | 68 | 29 | 8 | 4k+ | Missing direct file access protection | ||
| #3828 | Comment Approved | 68 | 6 | 14 | 500 | Input is not sanitized | ||
| #3829 | Desert Companion | 68 | 412 | 837 | 20k+ | Non-prefixed global variable | ||
| #3830 | Fatal Error Notify | 68 | 10 | 12 | 6k+ | Request data is not unslashed | ||
| #3831 | WCAG 2.0 form fields for Gravity Forms | 68 | 11 | 13 | 5k+ | Output is not escaped | ||
| #3832 | Hreflang Manager – Hreflang Implementation for International SEO | 68 | 21 | 15 | 8k+ | wp function not compatible with requires wp | ||
| #3833 | ミエルカヒートマップ タグマネージャー | 68 | 9 | 11 | 800 | Input is not validated | ||
| #3834 | News Magazine X Core | 68 | 63 | 30 | 5k+ | Missing Translators Comment | ||
| #3835 | Hide Title | 68 | 13 | 6 | 900 | Output is not escaped | ||
| #3836 | Protection Against DDoS | 68 | 22 | 5 | 3k+ | Output is not escaped | ||
| #3837 | Template List Metabox | 68 | 14 | 10 | 900 | Missing Arg Domain | ||
| #3838 | Increase Maximum Upload File Size | 68 | 28 | 14 | 40k+ | Missing Arg Domain | ||
| #3839 | Video Tab For WooCommerce | 68 | 7 | 13 | 600 | Missing nonce verification | ||
| #3840 | Age Gate | 69 | 61 | 139 | 40k+ | Missing direct file access protection | ||
| #3841 | Auto Update Post Date | 69 | 11 | 23 | 1k+ | Input is not validated | ||
| #3842 | CallRail Phone Call Tracking | 69 | 11 | 12 | 10k+ | Input is not validated | ||
| #3843 | Custom Category Template | 69 | 13 | 8 | 2k+ | Missing Arg Domain | ||
| #3844 | DOKU Payment | 69 | 53 | 46 | 500 | wp function not compatible with requires wp | ||
| #3845 | Email as Username for WP-Members | 69 | 15 | 8 | 700 | Text Domain Mismatch | ||
| #3846 | Embed Iframe | 69 | 25 | 6 | 2k+ | wp function not compatible with requires wp | ||
| #3847 | Google Plus Authorship | 69 | 6 | 15 | 1k+ | trademarked term | ||
| #3848 | Mailster WordPress Newsletter Plugin | 69 | 14 | 11 | 8k+ | Output is not escaped | ||
| #3849 | PDF.js Viewer | 69 | 14 | 38 | 20k+ | Non-prefixed global variable | ||
| #3850 | Scroll Down Arrow | 69 | 30 | 30 | 800 | Missing Arg Domain |