WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3901 | Media Library Organizer – Folders, File Manager & Media Categories | 72 | 20 | 130 | 20k+ | Non-prefixed global variable | ||
| #3902 | Minimal Maintenance Mode | 72 | 1 | 20 | 600 | Missing nonce verification | ||
| #3903 | Non-Purchasable WooCommerce Products | 72 | 14 | 13 | 1k+ | Input is not validated | ||
| #3904 | Advanced Datepicker – Restricts Date for Contact Form 7 | 72 | 228 | 11 | 400 | wp function not compatible with requires wp | ||
| #3905 | Root Relative URLs | 72 | 9 | 10 | 6k+ | Input is not sanitized | ||
| #3906 | Simple Local Avatars | 72 | 14 | 16 | 100k+ | Non-prefixed constant | ||
| #3907 | Connect Polylang for Elementor | 73 | 1 | 21 | 100k+ | Nonce verification recommended | ||
| #3908 | Contact Form to Brevo | 73 | 67 | 11 | 1k+ | Text Domain Mismatch | ||
| #3909 | Email Test – Check if your emails are being delivered | 73 | 8 | 7 | 1k+ | Exception output is not escaped | ||
| #3910 | Emergency password reset | 73 | 56 | 14 | 800 | wp function not compatible with requires wp | ||
| #3911 | Export Media Library | 73 | 5 | 5 | 30k+ | Output is not escaped | ||
| #3912 | Hide WP Toolbar | 73 | 4 | 13 | 1k+ | trademarked term | ||
| #3913 | Meta Description | 73 | 5 | 9 | 400 | Input is not validated | ||
| #3914 | Multifile Upload Field for Contact Form 7 | 73 | 41 | 7 | 5k+ | Text Domain Mismatch | ||
| #3915 | Permalinks Moved Permanently | 73 | 7 | 7 | 700 | Database parameter is not escaped | ||
| #3916 | Plugin Groups | 73 | 16 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #3917 | POKY – Product Importer | 73 | 6 | 12 | 700 | Input is not validated | ||
| #3918 | Product Bundles – Bulk Discounts | 73 | 31 | 7 | 600 | Text Domain Mismatch | ||
| #3919 | Server-Side Cache AutoPurge | 73 | 16 | 17 | 10k+ | Text Domain Mismatch | ||
| #3920 | Under Construction Light | 73 | 13 | 8 | 1k+ | Text Domain Mismatch | ||
| #3921 | WEN Skill Charts | 73 | 23 | 600 | Request data is not unslashed | |||
| #3922 | Zoho SalesIQ – Live chat, chatbots, and visitor tracking | 73 | 11 | 9 | 20k+ | Input is not validated | ||
| #3923 | Bing URL Submissions Plugin | 74 | 10 | 38 | 40k+ | error log error log | ||
| #3924 | Buy Now Button for WooCommerce | 74 | 9 | 11 | 2k+ | Nonce verification recommended | ||
| #3925 | Signature Field For Contact Form 7 – CF7Sign | 74 | 9 | 12 | 700 | Missing Translators Comment | ||
| #3926 | Comment Approved Notifier Extended | 74 | 5 | 10 | 500 | Output is not escaped | ||
| #3927 | Custom Icons for Elementor and WPBakery | 74 | 35 | 38 | 10k+ | Non-prefixed global variable | ||
| #3928 | Contact Form 7 Email Validation | 74 | 8 | 10 | 1k+ | Input is not validated | ||
| #3929 | EmailKit – Email Customizer for WooCommerce & WP | 74 | 17 | 82 | 70k+ | slow db query meta query | ||
| #3930 | Free Shipping Label and Progress Bar for WooCommerce | 74 | 60 | 5k+ | Non-prefixed hook name | |||
| #3931 | Keon Toolset | 74 | 4 | 28 | 30k+ | Non-prefixed function | ||
| #3932 | Plugin Notes Plus | 74 | 2 | 42 | 9k+ | Non-prefixed hook name | ||
| #3933 | Email Deliverability – SMTP Replacement, Email API Deliverability & Email Log | 74 | 8 | 23 | 200k+ | Output is not escaped | ||
| #3934 | Widgets in Menu for WordPress | 74 | 16 | 12 | 8k+ | Text Domain Mismatch | ||
| #3935 | Force Login | 74 | 5 | 8 | 30k+ | Output is not escaped | ||
| #3936 | Acumbamail | 75 | 7 | 36 | 1k+ | Non-prefixed global variable | ||
| #3937 | Admin Locale | 75 | 12 | 10 | 6k+ | Missing Arg Domain | ||
| #3938 | Bulk Comments Management | 75 | 6 | 25 | 700 | Direct Query | ||
| #3939 | Custom field finder | 75 | 9 | 3 | 2k+ | Output is not escaped | ||
| #3940 | Custom Adobe Fonts (Typekit) | 75 | 11 | 33 | 60k+ | Non-prefixed global variable | ||
| #3941 | En Spam | 75 | 21 | 6 | 500 | wp function not compatible with requires wp | ||
| #3942 | Gifty | 75 | 38 | 7 | 400 | wp function not compatible with requires wp | ||
| #3943 | Hide Categories and Products for Woocommerce | 75 | 1 | 20 | 10k+ | Input is not sanitized | ||
| #3944 | Honeypot Anti Spam for Forminator Forms | 75 | 4 | 7 | 1k+ | Missing nonce verification | ||
| #3945 | Open Graph Protocol Framework | 75 | 17 | 12 | 3k+ | Missing direct file access protection | ||
| #3946 | OXY Re-Login Window | 75 | 5 | 7 | 500 | Missing Version | ||
| #3947 | reCAPTCHA for bbPress | 75 | 14 | 19 | 800 | Non-prefixed function | ||
| #3948 | Registration Form for WooCommerce | 75 | 5 | 42 | 900 | Non-prefixed global variable | ||
| #3949 | Matterport Shortcode | 75 | 21 | 30 | 3k+ | Text Domain Mismatch | ||
| #3950 | Simple SMTP by Maileroo | 75 | 40 | 8 | 700 | Text Domain Mismatch |