WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation, such as a capability check, an allowlist, a type check, or a range check.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.
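The three fixes above combined in one admin-post handler, as an added example that is not taken from this page or from any plugin listed below. The `myplugin_*` names, the `item_id` and `status` form fields, the `_myplugin_status` meta key and the redirect target are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example. The myplugin_* names, form fields and meta key are hypothetical.
add_action( 'admin_post_myplugin_update_item', 'myplugin_handle_update_item' );

// Allowlist check for an enum-like value; anything else falls back to a safe default.
function myplugin_validate_status( $raw ) {
	$allowed = array( 'draft', 'active', 'archived' );
	return ( is_string( $raw ) && in_array( $raw, $allowed, true ) ) ? $raw : 'draft';
}

// Positive-integer check for an ID; returns 0 when the value is not acceptable.
function myplugin_validate_id( $raw ) {
	if ( ! is_scalar( $raw ) ) {
		return 0; // Arrays such as item_id[]=1 are rejected outright.
	}
	$id = filter_var( $raw, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
	return false === $id ? 0 : $id;
}

function myplugin_handle_update_item() {
	// State-changing request: verify the nonce before acting on any input.
	check_admin_referer( 'myplugin_update_item', 'myplugin_nonce' );

	// Confirm the key exists before reading it, then validate the value.
	$item_id = isset( $_POST['item_id'] ) ? myplugin_validate_id( wp_unslash( $_POST['item_id'] ) ) : 0;
	if ( 0 === $item_id || null === get_post( $item_id ) ) {
		// Reject: the ID is missing, malformed, or points at nothing.
		wp_die( esc_html__( 'Invalid item.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// Capability check against the specific object being changed.
	if ( ! current_user_can( 'edit_post', $item_id ) ) {
		wp_die( esc_html__( 'You are not allowed to edit this item.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// Safely default: an absent or unknown status becomes 'draft'.
	$status = isset( $_POST['status'] ) ? myplugin_validate_status( wp_unslash( $_POST['status'] ) ) : 'draft';

	update_post_meta( $item_id, '_myplugin_status', $status );
	wp_safe_redirect( admin_url( 'admin.php?page=myplugin' ) );
	exit;
}
```

The ID check uses `FILTER_VALIDATE_INT` with `min_range` rather than `absint()`, because `absint()` converts `-5` to `5` instead of rejecting it.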

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#1351Waitlist Woocommerce ( Back in stock notifier )302723114k+Output is not escaped
#1352Checkout with Cash App on WooCommerce301223082k+Non-prefixed global variable
#1353Dropify301302522k+Nonce verification recommended
#1354Webling30147313500Input is not validated
#1355Widgetize Pages Light301451043k+Output is not escaped
#1356WonderPush – Web Push Notifications – WooCommerce Abandoned Cart – GDPR30152192600Missing direct file access protection
#1357Delivery & Pickup Date Time for WooCommerce304394355k+Non-prefixed global variable
#1358FOX – Currency Switcher Professional for WooCommerce302111,02250k+Non-prefixed global variable
#1359WooPayments: Integrated WooCommerce Payments30182308900k+Exception output is not escaped
#1360WooCommerce Tax (formerly WooCommerce Shipping & Tax)30103198600k+Non-prefixed class
#1361WP 2FA – Two-factor authentication for WordPress30269380100k+Exception output is not escaped
#1362WP Admin UI Customize3062939030k+Non-prefixed global variable
#1363WP Docs302682711k+Output is not escaped
#1364remarketable3028193600Output is not escaped
#1365WP Inventory Manager308562331k+Output is not escaped
#1366Photo Gallery Slideshow & Masonry Tiled Gallery308063521k+Output is not escaped
#1367WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA304842222k+Unsafe printing function
#1368WPS Cleaner3043049120k+Output is not escaped
#1369WPZOOM Addons for Beaver Builder302,2161524k+Text Domain Mismatch
#1370Yaad Sarig Payment Gateway For WC301582712k+Nonce verification recommended
#1371YASR – Yet Another Star Rating Plugin for WordPress3025237810k+Output is not escaped
#1372zahls.ch Credit Cards, PostFinance and TWINT for WooCommerce301212653k+Non-prefixed global variable
#1373Zoho CRM Lead Magnet301011,0253k+Request data is not unslashed
#1374a3 Lazy Load318324090k+Dynamic hook name
#1375ActiveCampaign – The autonomous marketing platform312359840k+Output is not escaped
#1376AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization31911332k+Output is not escaped
#1377Extra Product Options Builder for WooCommerce311131942k+Non-prefixed global variable
#1378Advanced Category Excluder31349160700Output is not escaped
#1379Advanced Woo Search – Product Search for WooCommerce3122837770k+Nonce verification recommended
#1380Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter315719650k+Nonce verification recommended
#1381Apaczka.pl WooCommerce31992761k+Non-prefixed global variable
#1382Asgaros Forum3116741210k+Output is not escaped
#1383The SEO Framework – Fast, Automated, Effortless.31363609200k+Non-prefixed global variable
#1384AI ChatBot with ChatGPT and Content Generator by AYS31170378400Non-prefixed global variable
#1385SEO合集(支持百度/Google/Bing/头条推送)31131,407800Direct Query
#1386Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam3159870700Text Domain Mismatch
#1387Яндекс Доставка (Boxberry)3146150600Missing nonce verification
#1388Buy Me a Coffee – Button and Widget Plugin311381406k+Output is not escaped
#1389CashBill.pl – Płatności WooCommerce31181101900Output is not escaped
#1390České služby pro WordPress31951391k+Output is not escaped
#1391cformsII317775364k+Unsafe printing function
#1392Newsletter Sign-Up for CleverReach31174722k+Output is not escaped
#1393CleverReach® WP31103934k+Non-prefixed global variable
#1394Co-marquage service-public.fr31842131k+Non-prefixed global variable
#1395Codeless Page Builder31415258900Text Domain Mismatch
#1396Colorbox Panels & Info Box313921821k+Non Singular String Literal Domain
#1397Compliance by Hu-manity.co31153335900k+Missing nonce verification
#1398Counter Number Showcase, Fun Facts – WordPress Animated Counter Plugin3125517010k+Non Singular String Literal Domain
#1399Crowdfundly31594402600Output is not escaped
#1400DirectoryPress Frontend31402563800Non-prefixed global variable