WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3851 | Scroll Down Arrow | 69 | 30 | 30 | 800 | Missing Arg Domain | ||
| #3852 | Shoppable Social Media Galleries by Sauce | 69 | 13 | 13 | 2k+ | Non-prefixed function | ||
| #3853 | Easy Username Updater | 69 | 19 | 28 | 10k+ | Missing Arg Domain | ||
| #3854 | VWE – Voorheen Autodealers.nl | 69 | 23 | 10 | 500 | curl curl setopt | ||
| #3855 | Checkfront Online Booking System | 70 | 32 | 16 | 2k+ | wp function not compatible with requires wp | ||
| #3856 | Lead info with country for Contact Form 7 | 70 | 25 | 28 | 3k+ | Text Domain Mismatch | ||
| #3857 | ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators | 70 | 9 | 12 | 800 | Output is not escaped | ||
| #3858 | Gutenberg Blocks Templates – 50+ Free Gutenberg Block Designs | 70 | 2 | 23 | 700 | Request data is not unslashed | ||
| #3859 | Free Gift Product For WooCommerce | 70 | 9 | 77 | 800 | Non-prefixed global variable | ||
| #3860 | Multipart robots.txt editor | 70 | 19 | 8 | 1k+ | Output is not escaped | ||
| #3861 | Press This | 70 | 1 | 44 | 5k+ | Non-prefixed hook name | ||
| #3862 | Purchased Items Column for WooCommerce Orders | 70 | 10 | 8 | 800 | Output is not escaped | ||
| #3863 | Remove Taxonomy Base Slug | 70 | 12 | 18 | 5k+ | Deprecated parameter: get_terms parameter 2 | ||
| #3864 | Search and Replace | 70 | 7 | 9 | 10k+ | Input is not sanitized | ||
| #3865 | Show-Hide / Collapse-Expand | 70 | 18 | 15 | 10k+ | Missing direct file access protection | ||
| #3866 | Show IP address | 70 | 6 | 20 | 1k+ | Input is not sanitized | ||
| #3867 | Simple Post Notes | 70 | 5 | 16 | 9k+ | Request data is not unslashed | ||
| #3868 | SubHeading | 70 | 22 | 13 | 1k+ | Non Singular String Literal Domain | ||
| #3869 | User Location and IP | 70 | 2 | 25 | 400 | Input is not sanitized | ||
| #3870 | Block Emails & Addresses for WooCommerce Checkout | 70 | 4 | 12 | 700 | error log set error handler | ||
| #3871 | Bulk Price Update for Woocommerce | 70 | 2 | 28 | 2k+ | Request data is not unslashed | ||
| #3872 | Related Products for WooCommerce | 70 | 12 | 12 | 3k+ | Setting is missing a sanitization callback | ||
| #3873 | Yampi Checkout | 70 | 6 | 10 | 900 | Nonce verification recommended | ||
| #3874 | Add Any Extension to Pages | 71 | 3 | 10 | 2k+ | Input is not sanitized | ||
| #3875 | Another Mailchimp Widget | 71 | 28 | 17 | 4k+ | Missing Translators Comment | ||
| #3876 | Contact Form 7 Confirm Email Field | 71 | 35 | 11 | 2k+ | Text Domain Mismatch | ||
| #3877 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | Non-prefixed function | ||
| #3878 | Repeater Fields for WPForms | 71 | 173 | 18 | 500 | wp function not compatible with requires wp | ||
| #3879 | WindPress – Tailwind CSS integration for WordPress | 71 | 16 | 106 | 3k+ | Non-prefixed hook name | ||
| #3880 | Woorise – Landing Pages, Forms & Surveys | 71 | 8 | 14 | 1k+ | Input is not sanitized | ||
| #3881 | Multi-Step Checkout for WooCommerce | 71 | 38 | 104 | 8k+ | Non-prefixed global variable | ||
| #3882 | WP Widget in Navigation | 71 | 37 | 15 | 3k+ | Non Singular String Literal Domain | ||
| #3883 | Zapier for WordPress | 71 | 11 | 21 | 50k+ | Input is not sanitized | ||
| #3884 | Web Accessibility by accessiBe | 72 | 1 | 25 | 10k+ | Input is not sanitized | ||
| #3885 | Amazing Affiliates – Toolkit for Amazon Associates with Amazon Product Blocks and Amazon PAAPI5 / Creators API integration | 72 | 3 | 650 | 600 | Non-prefixed global variable | ||
| #3886 | Archiiv | 72 | 6 | 30 | 400 | Non-prefixed global variable | ||
| #3887 | BB Delete cache | 72 | 3 | 15 | 1k+ | Input is not sanitized | ||
| #3888 | Block Archive.org via WordPress robots.txt | 72 | 9 | 8 | 400 | Output is not escaped | ||
| #3889 | Chap Secure Password Login | 72 | 13 | 7 | 600 | Input is not validated | ||
| #3890 | Contact Form 7 Leads Tracking | 72 | 3 | 23 | 600 | Input is not sanitized | ||
| #3891 | PowerBI Embed Reports | 72 | 3 | 20 | 500 | Nonce verification recommended | ||
| #3892 | Keyword Research Tool | 72 | 9 | 11 | 700 | Input is not validated | ||
| #3893 | Login Logout Menu | 72 | 7 | 20 | 20k+ | Input is not sanitized | ||
| #3894 | Media File Sizes | 72 | 14 | 5 | 1k+ | Output is not escaped | ||
| #3895 | Media Library Organizer – Folders, File Manager & Media Categories | 72 | 20 | 130 | 20k+ | Non-prefixed global variable | ||
| #3896 | Minimal Maintenance Mode | 72 | 1 | 20 | 600 | Missing nonce verification | ||
| #3897 | Non-Purchasable WooCommerce Products | 72 | 14 | 13 | 1k+ | Input is not validated | ||
| #3898 | Advanced Datepicker – Restricts Date for Contact Form 7 | 72 | 228 | 11 | 400 | wp function not compatible with requires wp | ||
| #3899 | Root Relative URLs | 72 | 9 | 10 | 6k+ | Input is not sanitized | ||
| #3900 | Simple Local Avatars | 72 | 14 | 16 | 100k+ | Non-prefixed constant |