WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation, such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.
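
The three steps above combined in one admin-post handler. This is an added example, not code from the scanner or from any listed plugin; the myplugin_* action, nonce, field names and text domain are hypothetical.

```php
<?php
// Added example: all myplugin_* names and the form fields are hypothetical.
add_action( 'admin_post_myplugin_set_status', 'myplugin_handle_set_status' );

function myplugin_handle_set_status() {
	// State-changing request: verify the nonce before reading anything else.
	$nonce = isset( $_POST['myplugin_nonce'] ) ? sanitize_key( wp_unslash( $_POST['myplugin_nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'myplugin_set_status' ) ) {
		wp_die( esc_html__( 'Invalid request.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// ID: must be a positive integer. filter_var() rejects "-5", "1abc" and
	// arrays, where absint() would silently turn them into a usable number.
	$post_id = isset( $_POST['post_id'] )
		? filter_var( wp_unslash( $_POST['post_id'] ), FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) )
		: false;
	if ( false === $post_id || ! get_post( $post_id ) ) {
		wp_die( esc_html__( 'Unknown post.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// Capability check against the specific object being changed.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// Enum-like value: allowlist with a strict comparison, safe default otherwise.
	$allowed = array( 'draft', 'pending', 'private' );
	$status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
	if ( ! in_array( $status, $allowed, true ) ) {
		$status = 'draft';
	}

	// URL: constrain the redirect target to allowed hosts, else use the fallback.
	$fallback = admin_url( 'edit.php' );
	$return   = isset( $_POST['return_to'] ) ? esc_url_raw( wp_unslash( $_POST['return_to'] ) ) : $fallback;
	$return   = wp_validate_redirect( $return, $fallback );

	wp_update_post(
		array(
			'ID'          => $post_id,
			'post_status' => $status,
		)
	);
	wp_safe_redirect( $return );
	exit;
}
```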

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#1301Colete-Online30776346600Text Domain Mismatch
#1302ContentBot AI Writer (AI Content)3031769500rand rand
#1303Cryptocurrency Donation Box – Bitcoin & Crypto Donations30334284500Output is not escaped
#1304DethemeKit for Elementor3033522830k+Output is not escaped
#1305EDI – Обмен данными между WooCommerce и 1С30284101600Text Domain Mismatch
#1306Easy Affiliate Links301861987k+Missing direct file access protection
#1307EasyParcel Shipping– All-in-one Shipping Solution, Real-Time Shipping Rates3031610600Non-prefixed global variable
#1308Edwiser Bridge – WordPress Moodle Integration3046694k+Non-prefixed hook name
#1309Element Invader – Template Kits for Elementor302741303k+Output is not escaped
#1310Email Templates Customizer and Designer for WordPress and WooCommerce3025034920k+Non-prefixed global variable
#1311Epeken All Kurir for Woocommerce305901,246500Missing nonce verification
#1312Eway Payment Gateway3050992800Missing Translators Comment
#1313Exclusive Addons for Elementor303,63026350k+Text Domain Mismatch
#1314Export Plugins and Templates30143331k+file system operations fread
#1315PiWeb Export Customers Users & Guest customer to CSV for WooCommerce30173751k+Text Domain Mismatch
#1316FormLift for Keap (Legacy) Web Forms30162315400Request data is not unslashed
#1317Formzu WP301671633k+Text Domain Mismatch
#1318Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant302642214k+Non Singular String Literal Text
#1319GlobalPayments Gateway Provider for WooCommerce306111701k+Text Domain Mismatch
#1320Import WooCommerce Suite for Products, Orders, Coupons, Reviews, and Customers | WP Ultimate CSV Importer30804344k+Interpolated SQL is not prepared
#1321Invisible reCaptcha for WordPress309018580k+Input is not sanitized
#1322core plugin for kitestudio themes30244415500Nonce verification recommended
#1323Midtrans-WooCommerce301121325k+Non-prefixed global variable
#1324Naver webmaster syndication v23089129500Output is not escaped
#1325Nova Blocks by Pixelgrade30206112800Output is not escaped
#1326Novelist304751581k+Output is not escaped
#1327OoohBoi Steroids for Elementor302,05910040k+Text Domain Mismatch
#1328Operation Demo Importer – Demo Importer For WPoperation Themes302451041k+Text Domain Mismatch
#1329PayU CommercePro Plugin30952707k+Text Domain Mismatch
#1330گرویتی فرم فارسی3020515720k+Text Domain Mismatch
#1331Pixelgrade Assistant301,3501532k+Text Domain Mismatch
#1332Popularis Extra302371417k+Output is not escaped
#1333Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget302311021k+Non Singular String Literal Domain
#1334Pre-Orders for WooCommerce305682617k+Output is not escaped
#1335Sync Master Sheet – Product Sync with Google Sheet for WooCommerce30136300400Non-prefixed global variable
#1336Pubjet | پاب‌جت30911721k+Output is not escaped
#1337Realbig For WordPress30365911k+Non-prefixed global variable
#1338Responsive Addons for Elementor – Free Elementor Addons, Kits and Elementor Templates30603873k+Non-prefixed global variable
#1339Rublon Multi-Factor Authentication (MFA)30216160500Output is not escaped
#1340StoreBuild – Online Store Builder for WooCommerce30120211600Non-prefixed global variable
#1341Sina Extension for Elementor303,69116040k+Text Domain Mismatch
#1342SMTP for Amazon SES – YaySMTP301971223k+Exception output is not escaped
#1343Subscriptions for WooCommerce3011,19010k+Non-prefixed global variable
#1344Taboola30891471k+Output is not escaped
#1345Tabs Responsive – With WooCommerce Product Tabs Extension3057525520k+Non Singular String Literal Domain
#1346Themify Portfolio Post3021410230k+Text Domain Mismatch
#1347Travelers' Map303111551k+Output is not escaped
#1348Tutor LMS Divi Modules304207221k+Non-prefixed global variable
#1349Urvanov Syntax Highlighter30221873k+Output is not escaped
#1350User Access Manager3039317110k+Output is not escaped