WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1401Domain Mapping System | Create Microsites with Multiple Alias Domains (multisite optional)311132332k+Non-prefixed namespace
#1402Download Plugin317810260k+Output is not escaped
#1403Up2pay e-Transactions WooCommerce Payment Gateway314591754k+Text Domain Mismatch
#1404Easy Upload Files During Checkout31220208500Unsafe printing function
#1405EnvoThemes Demo Import312211403k+Output is not escaped
#1406Export Order Items for WooCommerce311001081k+Text Domain Mismatch
#1407Express Checkout via PayPal for WooCommerce31158200800Nonce verification recommended
#1408افزونه پیامک حرفه ای فراز اس ام اس31891802k+wp function not compatible with requires wp
#1409FastDup – Fastest WordPress Migration & Duplicator3183665k+wp function not compatible with requires wp
#1410Form Vibes – Database Manager for Forms3117628410k+Text Domain Mismatch
#1411FraudLabs Pro for WooCommerce311692131k+Request data is not unslashed
#1412g-FFL Checkout31249300600Request data is not unslashed
#1413WP Gravity Forms Constant Contact Plugin31684164600Text Domain Mismatch
#1414GS Pinterest Portfolio – Pins Grid, Masonry, User Profile, Popup & Board Widgets314021561k+Text Domain Mismatch
#1415HFD ePost Integration311861101k+Text Domain Mismatch
#1416OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy.3121362300k+Output is not escaped
#1417Image Hotspot – Map Image Annotation31952873k+Non-prefixed global variable
#1418ImgSEO – AI Image Alt Text Generator & Image SEO Tools311677400Direct Query
#1419Interactive Image Map Builder311603811k+Non-prefixed global variable
#1420Kindeditor For WordPress3163130500Non-prefixed global variable
#1421Linguise – AI Automatic Multilingual Translation31612841k+Non-prefixed global variable
#1422Keywords to Links Converter31288144700Text Domain Mismatch
#1423Login rebuilder3140622620k+Non Singular String Literal Domain
#1424Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity311221312k+Output is not escaped
#1425LWS Tools3110413410k+Request data is not unslashed
#1426Mailgun for WordPress311447880k+Unsafe printing function
#1427MainWP Dashboard: Self-hosted WordPress Management for Agencies319531720k+Interpolated SQL is not prepared
#1428Melapress Login Security31692782k+Non-prefixed global variable
#1429Openpay Cards Plugin311661053k+Text Domain Mismatch
#1430PanoPress311112342k+Output is not escaped
#1431Patreon WordPress312763393k+Output is not escaped
#1432PayKeeper Payment Gateway for WooCommerce3111344400Non Singular String Literal Domain
#1433افزونه پیامک ووکامرس Persian WooCommerce SMS317226940k+Nonce verification recommended
#1434Podamibe Simple Footer Widget Area31596572k+wp function not compatible with requires wp
#1435Pop-up311039110k+Output is not escaped
#1436Portfolio, Gallery, Product Catalog – Grid KIT Portfolio31613296k+Non-prefixed global variable
#1437Post Pay Counter316392381k+Output is not escaped
#1438Product Configurator for WooCommerce31415573k+Non-prefixed hook name
#1439Active Products Tables for WooCommerce. Use constructor to create tables313644241k+Output is not escaped
#1440Qode Essential Addons315529510k+Non-prefixed global variable
#1441Query Monitor3144273200k+Non-prefixed class
#1442Raffle Play Woocommerce31151199800Output is not escaped
#1443Re:amaze Helpdesk & Live Chat3196115400Output is not escaped
#1444reCAPTCHA in WP comments form31264608k+Output is not escaped
#1445Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg)3146020130k+Non Singular String Literal Domain
#1446Coming Soon Page & Maintenance Mode316132663k+Text Domain Mismatch
#1447Social Share Buttons314621561k+Text Domain Mismatch
#1448Simple calendar for Elementor31125270500Direct Query
#1449Page Builder by SiteOrigin31226214400k+Output is not escaped
#1450Slider Carousel – Image Slider312241,2333k+Request data is not unslashed