WordPress.Security.ValidatedSanitizedInput.InputNotValidated
Input is not validated
Request data is used without checking that it is allowed for the operation.
Why It Shows Up
The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.
Why It Matters
Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.
How to Fix
- Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
- Pair state-changing requests with nonce and capability checks.
- Reject or safely default values that do not pass validation.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4001 | Plugin Toggle | 80 | 2 | 12 | 500 | Nonce verification recommended | ||
| #4002 | WP Video Popup – WordPress Video Lightbox for YouTube, Rumble & Vimeo | 80 | 5 | 14 | 9k+ | wp function not compatible with requires wp | ||
| #4003 | Smart Passworded Pages | 80 | 11 | 8 | 2k+ | wp function not compatible with requires wp | ||
| #4004 | Melapress File Monitor | 80 | 16 | 90 | 6k+ | Non-prefixed global variable | ||
| #4005 | Mini Cart Drawer For WooCommerce | 80 | 4 | 25 | 500 | Non-prefixed hook name | ||
| #4006 | Auto iFrame | 81 | 2 | 11 | 3k+ | Input is not sanitized | ||
| #4007 | Block Visibility — Conditional Visibility Control for the Block Editor | 81 | 7 | 11 | 40k+ | Input is not sanitized | ||
| #4008 | Change Permalink Helper | 81 | 5 | 5 | 900 | Direct Query | ||
| #4009 | Nice Search | 81 | 4 | 5 | 900 | Input is not sanitized | ||
| #4010 | Order Approval for Woocommerce | 81 | 3 | 208 | 1k+ | Non-prefixed global variable | ||
| #4011 | Portfolio Block – The Ultimate Project & Portfolio Builder | 81 | 6 | 5 | 800 | Offloaded Content | ||
| #4012 | Post Type Archive Descriptions | 81 | 11 | 4 | 1k+ | Missing direct file access protection | ||
| #4013 | Orphans | 81 | 1 | 43 | 50k+ | Dynamic hook name | ||
| #4014 | Telephone field for Gravity Forms | 81 | 124 | 9 | 400 | wp function not compatible with requires wp | ||
| #4015 | Appointment Bookings for Zoom GoogleMeet and more – Wappointment | 81 | 22 | 52 | 1k+ | Non-prefixed class | ||
| #4016 | Advance Canonical URL | 82 | 3 | 10 | 1k+ | Input is not validated | ||
| #4017 | Catch Gallery | 82 | 1 | 35 | 10k+ | Non-prefixed hook name | ||
| #4018 | Gallery for Google Photos – Import and Showcase Photo Albums | 82 | 2 | 16 | 1k+ | Input is not validated | ||
| #4019 | Hostinger Tools | 82 | 13 | 22 | 3m+ | wp function not compatible with requires wp | ||
| #4020 | Independent Analytics for MainWP | 82 | 7 | 13 | 700 | Nonce verification recommended | ||
| #4021 | Lazy Load for Videos | 82 | 6 | 37 | 9k+ | Non-prefixed constant | ||
| #4022 | Multiple Form Instances Add-on for Gravity Forms | 82 | 5 | 5 | 800 | Missing direct file access protection | ||
| #4023 | Simple ads.txt | 82 | 8 | 6 | 1k+ | Missing direct file access protection | ||
| #4024 | Tabs in Post Editor | 82 | 4 | 7 | 500 | Input is not validated | ||
| #4025 | Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products | 82 | 6 | 10 | 2k+ | Missing nonce verification | ||
| #4026 | WP Fail2Ban Redux | 82 | 1 | 10 | 7k+ | trademarked term | ||
| #4027 | WP Mail From II | 82 | 3 | 7 | 5k+ | trademarked term | ||
| #4028 | Admin in English | 83 | 4 | 7 | 1k+ | Input is not sanitized | ||
| #4029 | Browser Theme Color | 83 | 4 | 2 | 2k+ | Output is not escaped | ||
| #4030 | Check Conflicts | 83 | 36 | 12 | 1k+ | Missing Arg Domain | ||
| #4031 | Max upload filesize | 83 | 3 | 8 | 9k+ | Input is not validated | ||
| #4032 | Media Player Addons for Elementor – Audio and Video Widgets for Elementor | 83 | 1 | 8 | 1k+ | Nonce verification recommended | ||
| #4033 | Relevanssi Light | 83 | 3 | 23 | 600 | Direct Query | ||
| #4034 | RumbleTalk Live Group Chat – HTML5 | 83 | 9 | 13 | 700 | Missing direct file access protection | ||
| #4035 | Swipe Slider – Make dynamic slider with solid, gradient, or image background | 83 | 2 | 15 | 3k+ | Non-prefixed global variable | ||
| #4036 | Term Duplicator | 83 | 5 | 6 | 500 | Input is not sanitized | ||
| #4037 | SKU Label Changer For WooCommerce | 83 | 8 | 11 | 700 | Missing direct file access protection | ||
| #4038 | AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations | 84 | 88 | 20 | 3k+ | Text Domain Mismatch | ||
| #4039 | BinancePay Checkout for WooCommerce | 84 | 5 | 14 | 800 | Input is not validated | ||
| #4040 | Cache Buster | 84 | 5 | 6 | 400 | Input is not sanitized | ||
| #4041 | Change Admin Email | 84 | 4 | 4 | 50k+ | Missing nonce verification | ||
| #4042 | Duplicate taxonomy terms and ACF fields | 84 | 3 | 8 | 500 | Input is not validated | ||
| #4043 | JWT Authentication for WP REST API | 84 | 27 | 41 | 60k+ | wp function not compatible with requires wp | ||
| #4044 | Safelayout Cute Preloader – CSS3 WordPress Preloader | 84 | 3 | 14 | 10k+ | Input is not validated | ||
| #4045 | Search by ID | 84 | 3 | 5 | 700 | Input is not sanitized | ||
| #4046 | WP Force Lowercase URLs | 84 | 2 | 9 | 6k+ | trademarked term | ||
| #4047 | WP Link Preview | 84 | 4 | 9 | 500 | trademarked term | ||
| #4048 | Backlinks Saver | 85 | 3 | 5 | 3k+ | Deprecated parameter value found | ||
| #4049 | Popups – Submission Messages For Contact Form 7 | 85 | 2 | 7 | 3k+ | Input is not sanitized | ||
| #4050 | Easy UTM Tracking with Contact Form 7 | 85 | 3 | 10 | 2k+ | Input is not validated |