WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1701Audit Trail349010710k+Unsafe printing function
#1702Automatic YouTube Gallery – Embed Auto-Updating YouTube Video Galleries, Feeds, Playlists & Channels34862559k+Direct Query
#1703AyeCode Connect3417825310k+Nonce verification recommended
#1704Bayarcash WooCommerce34148138700Non Singular String Literal Domain
#1705Buckets346876500Output is not escaped
#1706Cache Master3437127400Output is not escaped
#1707Campi Moduli Italiani3472363500Unquoted Complex Placeholder
#1708SMS Abandoned Cart Recovery ✦ CartBoss346772400SQL query is not prepared
#1709Checkout Field Editor for WooCommerce – Checkout Manager341226420k+Text Domain Mismatch
#1710Clean Testimonials3412787400Output is not escaped
#1711CM Search And Replace – Optimize content edits with a powerful search and replace tool342861112k+Output is not escaped
#1712Contact Form 7 – PayPal & Stripe Add-on34932337k+Exception output is not escaped
#1713Cornerstone3416117430k+Nonce verification recommended
#1714CSS JS Manager, Async JavaScript, Defer Render Blocking CSS34761061k+Input is not validated
#1715Custom Login Page by SeedProd34330125500Output is not escaped
#1716Custom Post Type Attachment3415349800wp function not compatible with requires wp
#1717Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager3432307100k+Non-prefixed global variable
#1718DD Last Viewed34193132500Output is not escaped
#1719Debug Log Manager Tool34441433k+Nonce verification recommended
#1720Document Library Lite34149854k+Text Domain Mismatch
#1721Download After Email – Subscribe & Download Form Plugin34223567k+Input is not validated
#1722Delisho – Recipe Widgets and Blocks34603551k+Input is not sanitized
#1723Easy Social Sharing34162401k+Non-prefixed global variable
#1724EasyIndex34741351k+Missing nonce verification
#1725Einsatzverwaltung341521281k+Output is not escaped
#1726ECS – Ele Custom Skin for Elementor3499205100k+Text Domain Mismatch
#1727Enhanced Text Widget341015830k+Output is not escaped
#1728ePayco Plugin for WooCommerce341551363k+Text Domain Mismatch
#1729Essential Classy Addons for Elementor – 150+ Widgets, Templates & Performance Tools34278186500Output is not escaped
#1730Estimated Delivery for WooCommerce34301701k+Short PHP open tag found
#1731Event Calendar Newsletter3496167600Non-prefixed hook name
#1732Event Post34329991k+Output is not escaped
#1733Export Customers Data3410949500Text Domain Mismatch
#1734Social LikeBox & Feed3439314110k+Non Singular String Literal Domain
#1735Profile Box Shortcode And Widget344881381k+Output is not escaped
#1736Fancy Comments WordPress34359392k+Unsafe printing function
#1737Flash Toolkit3415824210k+Non-prefixed global variable
#1738Weight Based Shipping Table Rate for WooCommerce – Flexible Shipping34124156100k+Nonce verification recommended
#1739Floating Side Tab3494153600Non-prefixed global variable
#1740FluentAuth – The Ultimate Authorization & Security Plugin for WordPress344422910k+Nonce verification recommended
#1741Forms: 3rd-Party Integration342341125k+Output is not escaped
#1742FV Gravatar Cache345042600Output is not escaped
#1743Garden Gnome Package34116514k+Text Domain Mismatch
#1744Geliver Akıllı Kargo Pazaryeri3449247400Non-prefixed global variable
#1745Geolocation IP Detection3422716720k+Output is not escaped
#1746Gitium3414957400Output is not escaped
#1747APG Google Video Sitemap Feed349645800Output is not escaped
#1748Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program34131352600Missing nonce verification
#1749Greenshift – animation and page builder blocks343327270k+Non-prefixed global variable
#1750Hide Price Until Login341871152k+Non Singular String Literal Domain