WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3951 | WP Hide Dashboard | 75 | 6 | 10 | 2k+ | trademarked term | ||
| #3952 | WP-HTML-Compression | 75 | 7 | 22 | 1k+ | Input is not sanitized | ||
| #3953 | Aruba Fatturazione Elettronica | 76 | 34 | 700 | Missing nonce verification | |||
| #3954 | Cache External Scripts | 76 | 21 | 4 | 900 | Output is not escaped | ||
| #3955 | Input Masks for Contact Form 7 | 76 | 143 | 12 | 800 | wp function not compatible with requires wp | ||
| #3956 | PDF Flipbook Heyzine | 76 | 3 | 46 | 1k+ | Non-prefixed global variable | ||
| #3957 | Search Regex | 76 | 6 | 25 | 100k+ | Direct Query | ||
| #3958 | Smartideo | 76 | 8 | 3 | 1k+ | Output is not escaped | ||
| #3959 | Telephone Input For Contact Form 7 | 76 | 18 | 10 | 600 | Text Domain Mismatch | ||
| #3960 | WEN Featured Image | 76 | 1 | 18 | 3k+ | Input is not validated | ||
| #3961 | ACF Galerie 4 | 77 | 16 | 23 | 2k+ | Text Domain Mismatch | ||
| #3962 | Always Edit In HTML | 77 | 7 | 5 | 1k+ | Output is not escaped | ||
| #3963 | Backup/Restore Divi Theme Options | 77 | 8 | 8 | 700 | Input is not validated | ||
| #3964 | Canonical SEO Content Syndication WordPress Plugin | 77 | 4 | 8 | 400 | Missing nonce verification | ||
| #3965 | Color Your Bar | 77 | 5 | 10 | 400 | Input is not sanitized | ||
| #3966 | Custom HTML Block Extension | 77 | 8 | 13 | 7k+ | Missing direct file access protection | ||
| #3967 | Disable WP Registration Page Spam | 77 | 5 | 12 | 1k+ | Nonce verification recommended | ||
| #3968 | Dual Currency Display | 77 | 1 | 24 | 900 | Direct Query | ||
| #3969 | Ecomail | 77 | 7 | 13 | 1k+ | Non-prefixed global variable | ||
| #3970 | Internet Archive Wayback Machine Link Fixer | 77 | 2 | 22 | 1k+ | Database parameter is not escaped | ||
| #3971 | Shipping Zone Duplicator for WooCommerce | 77 | 10 | 14 | 800 | Nonce verification recommended | ||
| #3972 | Toggle wpautop | 77 | 4 | 15 | 9k+ | trademarked term | ||
| #3973 | Username | 77 | 5 | 8 | 700 | Deprecated function: screen_icon | ||
| #3974 | Lorem Ipsum Generator | 77 | 7 | 9 | 500 | Missing direct file access protection | ||
| #3975 | WP Upload Size | 77 | 6 | 14 | 2k+ | Non-prefixed function | ||
| #3976 | Booking System Trafft | 78 | 3 | 19 | 400 | Nonce verification recommended | ||
| #3977 | Forget About Shortcode Buttons | 78 | 11 | 25 | 20k+ | Missing direct file access protection | ||
| #3978 | Interact: Embed A Quiz On Your Site | 78 | 6 | 13 | 3k+ | Request data is not unslashed | ||
| #3979 | Layouts for Elementor | 78 | 27 | 1k+ | Non-prefixed global variable | |||
| #3980 | Layouts for WPBakery | 78 | 28 | 3k+ | Non-prefixed global variable | |||
| #3981 | LH HSTS | 78 | 3 | 12 | 600 | Input is not sanitized | ||
| #3982 | Post Order By Category | 78 | 1 | 12 | 900 | Missing nonce verification | ||
| #3983 | Rename XMLRPC | 78 | 7 | 3 | 1k+ | Output is not escaped | ||
| #3984 | RSS Includes Pages | 78 | 4 | 8 | 10k+ | Output is not escaped | ||
| #3985 | Run SQL Query | 78 | 13 | 8 | 600 | Non-prefixed global variable | ||
| #3986 | Thumbnails and Featured Images | 78 | 16 | 14 | 1k+ | Short PHP open tag found | ||
| #3987 | Tock Widget | 78 | 6 | 9 | 400 | Missing direct file access protection | ||
| #3988 | WP Faster | 78 | 7 | 12 | 1k+ | trademarked term | ||
| #3989 | Import / Export Customizer Settings | 79 | 5 | 13 | 50k+ | Input is not sanitized | ||
| #3990 | Contact Form 7 Get and Show Parameter from URL | 79 | 3 | 10 | 800 | Input is not sanitized | ||
| #3991 | Exclude Pages From Menu | 79 | 6 | 11 | 8k+ | Non-prefixed function | ||
| #3992 | Manage Privacy Options Page | 79 | 3 | 11 | 1k+ | Input is not validated | ||
| #3993 | Qi Addons For Elementor | 79 | 33 | 339 | 200k+ | Non-prefixed global variable | ||
| #3994 | Remove Category URL – Remove 'category' base from category permalinks | 79 | 5 | 8 | 50k+ | Missing direct file access protection | ||
| #3995 | WP Referral Code | 79 | 18 | 19 | 600 | Missing direct file access protection | ||
| #3996 | WPC Additional Variation Images for WooCommerce | 79 | 4 | 26 | 800 | Non-prefixed class | ||
| #3997 | Cost Calculator for Elementor | 80 | 223 | 17 | 500 | wp function not compatible with requires wp | ||
| #3998 | Docxpresso | 80 | 9 | 14 | 2k+ | Input is not sanitized | ||
| #3999 | Duo Universal | 80 | 6 | 25 | 2k+ | Nonce verification recommended | ||
| #4000 | Fluent PDF Generator | 80 | 102 | 6 | 20k+ | Text Domain Mismatch |