WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation, such as a capability check, an allowlist, a type check, or a range check.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.
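The three fixes above combined in one request handler, as an added example that is not taken from any plugin listed on this page. The action name, nonce name, form field names and the myplugin_ prefix are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example: hypothetical admin-post handler that changes a post's status.
add_action( 'admin_post_myplugin_set_status', 'myplugin_handle_set_status' );

function myplugin_handle_set_status() {
	// State-changing request: nonce first, then a general capability check.
	check_admin_referer( 'myplugin_set_status', 'myplugin_nonce' );
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// ID: must exist in the request and be an integer >= 1.
	// filter_var() returns false for arrays, "abc", "-5", "0" and "1.5".
	$post_id = false;
	if ( isset( $_POST['post_id'] ) ) {
		$post_id = filter_var(
			wp_unslash( $_POST['post_id'] ),
			FILTER_VALIDATE_INT,
			array( 'options' => array( 'min_range' => 1 ) )
		);
	}
	// Reject: no valid ID, or the user may not edit this particular post.
	if ( false === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( esc_html__( 'Invalid post.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// Enum-like value: sanitize, then compare strictly against an allowlist.
	$allowed_statuses = array( 'draft', 'pending' );
	$status           = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
	if ( ! in_array( $status, $allowed_statuses, true ) ) {
		$status = 'draft'; // Safe default instead of trusting the request.
	}

	// URL: constrain the return target to an allowed host, else fall back.
	$return_to = isset( $_POST['return_to'] ) ? esc_url_raw( wp_unslash( $_POST['return_to'] ) ) : '';
	$return_to = wp_validate_redirect( $return_to, admin_url( 'edit.php' ) );

	wp_update_post(
		array(
			'ID'          => $post_id,
			'post_status' => $status,
		)
	);

	wp_safe_redirect( $return_to );
	exit;
}
```

The sanitizers here (sanitize_key, esc_url_raw) only clean the value; the range check, the in_array() allowlist and wp_validate_redirect() are what decide whether it is accepted.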

Affected Plugins

Rank, Plugin, Score, Errors, Warnings, Installs, Added, Updated, Top Issue
#1201WP YouTube Lyte2820417830k+Non-prefixed global variable
#1202WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce281772265k+Output is not escaped
#1203WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)2820921710k+Exception output is not escaped
#1204WPS Bidouille2847221510k+Output is not escaped
#1205WP Synchro – The Ultimate WordPress Migration Tool282432442k+Missing Translators Comment
#1206WxSync-标准云微信公众号文章免费采集-任意公众号自动采集付费购买2857138500Request data is not unslashed
#1207Accordion Slider293914472k+Unsafe printing function
#1208Accordion Slider Gallery293791421k+Text Domain Mismatch
#1209Advance coupon for WooCommerce29472241900Text Domain Mismatch
#1210Adminimize29296691200k+Non-prefixed global variable
#1211AL Pack29138162k+Non-prefixed global variable
#1212Alt Text AI – Automatically generate image alt text for SEO and accessibility297228020k+Non-prefixed global variable
#1213AppPresser – Mobile App Framework292622141k+Text Domain Mismatch
#1214aThemeArt Theme Helper292061512k+Non-prefixed global variable
#1215Attribute Stock for WooCommerce – Shared Stock & Variable Quantities (Lite Version)294813132k+Text Domain Mismatch
#1216Better Google Analytics293768692k+Non-prefixed global variable
#1217Bitcoin Payments – Blockonomics292082272k+Output is not escaped
#1218Plugin BlueX for WooCommerce294312162k+Text Domain Mismatch
#1219Branded Social Images – Open Graph Images with logo and extra text layer2925492900Non Singular String Literal Domain
#1220Businessx Extensions293375291k+Non-prefixed function
#1221Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms292363692k+Non-prefixed global variable
#1222Chained Quiz291,1327211k+Text Domain Mismatch
#1223CloudSecure WP Security2974350100k+Request data is not unslashed
#1224Countdown, Coming Soon, Maintenance – Countdown & Clock291,73514310k+Non Singular String Literal Domain
#1225WPCS – WordPress Currency Switcher Professional2984358900Non-prefixed global variable
#1226Custom Field Template2956853030k+wp function not compatible with requires wp
#1227DB Cache Reloaded Fix29133422k+Output is not escaped
#1228Di Themes Demo Site Importer293431831k+Text Domain Mismatch
#1229Display Tweets29135135900Non-prefixed global variable
#1230Document Gallery29183988k+Output is not escaped
#1231DoLogin Security293123057k+Output is not escaped
#1232Interactive Image Map Plugin – Draw Attention2962022720k+Output is not escaped
#1233Everest Toolkit291451411k+Missing Translators Comment
#1234Advanced Shipping Rates for WooCommerce: Flexible Table Rate Shipping Rules291855042k+Non-prefixed global variable
#1235FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider297478600k+Missing Translators Comment
#1236Getwid – Gutenberg Blocks2913917350k+Non-prefixed global variable
#1237Gianism29391154700Text Domain Mismatch
#1238reCaptcha by BestWebSoft29474272100k+Text Domain Mismatch
#1239Easy HTTPS Redirection (SSL)29266152100k+Unsafe printing function
#1240Interactive World Map296843411k+Text Domain Mismatch
#1241Wishlist for WooCommerce29610296600Output is not escaped
#1242Kits, Templates and Patterns29380915k+Text Domain Mismatch
#1243Laposta WooCommerce2996115500Non-prefixed global variable
#1244Login Me Now – Passwordless, Magic Link, OTP & Social Login for WordPress2986233500Nonce verification recommended
#1245miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn)299289810k+Request data is not unslashed
#1246Music Player for WooCommerce291061551k+Non-prefixed global variable
#1247MyWorks Sync for WooCommerce & Xero2911,080800Non-prefixed global variable
#1248Offload Media – Cloud Storage29126801k+unlink unlink
#1249Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization2980162200k+Nonce verification recommended
#1250Page Restrict for WooCommerce29579374700Text Domain Mismatch