WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized
Input is not validated or sanitized
Request data is used without being sanitized and without being validated against what the code can accept.
Why It Shows Up
The scan found a request value flowing into code without any sanitization and without any validation.
Why It Matters
This combines two common input-handling failures: the value may contain unsafe content, and the code has not proven that the value is acceptable for the operation.
How to Fix
- Call `wp_unslash()` on request input first.
- Sanitize for the expected type or format.
- Validate against allowed values, ranges, capabilities, and nonces before using the value.
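The three steps above, shown on a hypothetical plugin settings handler as an added example (this code is not from the sniff's documentation or from any plugin listed below; the option names, nonce action, capability and field names are assumptions). The first function is the shape the sniff flags; the second unslashes, sanitizes for the expected type, and then validates against an allowlist and a numeric range, with the capability and nonce checks done before the value is touched:

```php
<?php
// Added example, not part of the original page. Hypothetical handler for a
// plugin that stores a sort order and a per-page count; names are assumptions.

// BEFORE: flagged as InputNotValidatedNotSanitized. The raw superglobal
// values are stored without unslashing, sanitizing or any allowability check.
function myplugin_save_settings_unsafe() {
	update_option( 'myplugin_sort_order', $_POST['sort_order'] );
	update_option( 'myplugin_per_page', $_POST['per_page'] );
}

// AFTER: unslash, sanitize for the expected type, then validate before use.
function myplugin_save_settings() {
	// Authorization and request-forgery checks come first; nothing below runs
	// for a caller who should not be able to change settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
	}
	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	// Missing or wrongly typed fields are rejected explicitly rather than
	// producing PHP notices or reaching the sanitizers as arrays.
	if ( ! isset( $_POST['sort_order'], $_POST['per_page'] )
		|| ! is_string( $_POST['sort_order'] )
		|| ! is_string( $_POST['per_page'] ) ) {
		wp_die( esc_html__( 'Missing or malformed settings.', 'myplugin' ), 400 );
	}

	// Step 1 and 2: wp_unslash() undoes the slashes WordPress adds to
	// superglobals, then each value is sanitized for its expected format.
	$sort_order = sanitize_key( wp_unslash( $_POST['sort_order'] ) ); // short lowercase key
	$per_page   = absint( wp_unslash( $_POST['per_page'] ) );         // non-negative integer

	// Step 3: validate. Sanitizing proves the string is well-formed, not that
	// it is one of the values the code actually supports, so check an allowlist
	// for the enum-like field and a range for the numeric one.
	$allowed_orders = array( 'asc', 'desc' );
	if ( ! in_array( $sort_order, $allowed_orders, true ) ) {
		wp_die( esc_html__( 'Invalid sort order.', 'myplugin' ), 400 );
	}
	if ( $per_page < 1 || $per_page > 100 ) {
		wp_die( esc_html__( 'Items per page must be between 1 and 100.', 'myplugin' ), 400 );
	}

	// Only values that passed every check reach storage.
	update_option( 'myplugin_sort_order', $sort_order );
	update_option( 'myplugin_per_page', $per_page );

	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
	exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

The matching form would carry `wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' )` and post to `admin-post.php` with `action=myplugin_save_settings`. Note that the sanitizer and the validator answer different questions: `sanitize_key()` guarantees a safe character set, while the `in_array()` allowlist (with strict comparison) guarantees the value is one the code was written to handle.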
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #151 | Social Photo Fetcher | 38 | 151 | 43 | 1k+ | | | Output is not escaped |
| #152 | GoodBarber | 38 | 38 | 73 | 1k+ | | | Nonce verification recommended |
| #153 | PDF Catalog for WooCommerce | 38 | 30 | 46 | 1k+ | | | Nonce verification recommended |
| #154 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | | | Missing direct file access protection |
| #155 | Culqi | 39 | 571 | 88 | 1k+ | | | Text Domain Mismatch |
| #156 | Permalink Manager for WooCommerce | 39 | 116 | 24 | 8k+ | | | Short PHP open tag found |
| #157 | REST API Helper | 39 | 108 | 85 | 500 | | | Unsafe printing function |
| #158 | WP Accessibility | 39 | 199 | 104 | 60k+ | | | Unsafe printing function |
| #159 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | | | Missing direct file access protection |
| #160 | Header Promo – Show Top Bar Message or Call to Action | 40 | 472 | 45 | 400 | | | Output is not escaped |
| #161 | Social Share Buttons & Analytics Plugin – GetSocial.io | 40 | 97 | 25 | 2k+ | | | Output is not escaped |
| #162 | Controlled Admin Access | 41 | 22 | 40 | 10k+ | | | Nonce verification recommended |
| #163 | OSS Aliyun | 41 | 19 | 40 | 3k+ | | | Request data is not unslashed |
| #164 | Simple Cache | 41 | 33 | 59 | 1k+ | | | Input is not sanitized |
| #165 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | | | Output is not escaped |
| #166 | WPTerm | 42 | 61 | 89 | 3k+ | | | Output is not escaped |
| #167 | Outdooractive Embed | 45 | 70 | 18 | 400 | | | Text Domain Mismatch |
| #168 | Hangul font nanumgothic – google | 52 | 35 | 16 | 1k+ | | | Output is not escaped |
| #169 | WP Hooks Finder | 52 | 27 | 31 | 1k+ | | | Output is not escaped |
| #170 | Pluginception | 56 | 7 | 29 | 3k+ | | | Request data is not unslashed |
| #171 | AMP Contact FORM 7 – AMPCF7 | 62 | 9 | 13 | 500 | | | Input is not validated |
| #172 | User Switching | 63 | 2 | 47 | 200k+ | | | Nonce verification recommended |
| #173 | Block Archive.org via WordPress robots.txt | 72 | 9 | 8 | 500 | | | Output is not escaped |
| #174 | Robots.txt Editor | 72 | 10 | 7 | 10k+ | | | Input is not validated or sanitized |
| #175 | WP Fail2Ban Redux | 82 | 1 | 10 | 7k+ | | | trademarked term |
| #176 | LH Force Lowercase URLs | 90 | 4 | 3 | 2k+ | | | Input is not validated or sanitized |