WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
Pair state-changing requests with nonce and capability checks.
Reject or safely default values that do not pass validation.

References

WordPress validating, sanitizing, and escaping WordPress nonces

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#151	Modula Image Gallery – Photo Grid & Video Gallery	22	474	436	100k+	6 days ago	Text Domain Mismatch
#152	Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress	22	919	1,230	10k+	4 months ago	Output Not Escaped
#153	Moloni	22	902	356	2k+	2 months ago	Missing Arg Domain
#154	Motors – Car Dealership & Classified Listings Plugin	22	5,340	5,958	9k+	4 days ago	Text Domain Mismatch
#155	Newsletters	22	2,968	2,248	2k+	3 days ago	Text Domain Mismatch
#156	NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall	22	1,265	2,065	100k+	15 days ago	Non Prefixed Variable Found
#157	NinjaScanner – Virus & Malware scan	22	596	551	30k+	13 days ago	Non Prefixed Variable Found
#158	WP OAuth Server (OAuth Authentication)	22	189	347	3k+	5 months ago	Non Prefixed Function Found
#159	oik	22	489	180	2k+	7 months ago	Non Singular String Literal Domain
#160	PagBank / PagSeguro Connect para WooCommerce	22	504	743	4k+	2 months ago	Non Prefixed Variable Found
#161	PAYCOMET for WooCommerce	22	1,206	423	2k+	5 days ago	Text Domain Mismatch
#162	Smart Popup by Supsystic	22	3,172	503	10k+	22 days ago	Non Singular String Literal Domain
#163	Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App	22	1,581	2,326	300k+	19 days ago	Non Prefixed Variable Found
#164	Prime Mover – Migrate WordPress Website & Backups	22	1,326	1,600	10k+	16 days ago	Non Prefixed Variable Found
#165	Product Catalog Feed by PixelYourSite	22	581	357	8k+	3 years ago	Output Not Escaped
#166	PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP	22	984	407	5k+	2 years ago	Unsafe Printing Function
#167	Quick Contact Form	22	260	623	1k+	6 months ago	Non Prefixed Function Found
#168	RabbitLoader Cache: Optimize your Website for Speed	22	241	163	2k+	3 days ago	Output Not Escaped
#169	Restrict User Access – Ultimate Membership & Content Protection	22	977	1,840	10k+	9 months ago	Non Prefixed Variable Found
#170	Salon Booking System – Free Version	22	650	619	3k+	9 days ago	missing direct file access protection
#171	Social Sharing Plugin – Sassy Social Share	22	1,689	233	100k+	9 months ago	wp function not compatible with requires wp
#172	Seraphinite Accelerator	22	594	255	50k+	3 days ago	Output Not Escaped
#173	ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF	22	1,044	799	300k+	18 days ago	Non Prefixed Variable Found
#174	Simple Job Board	22	634	1,355	10k+	18 days ago	Non Prefixed Variable Found
#175	Slim Jetpack	22	2,586	1,947	2k+	9 years ago	Text Domain Mismatch
#176	SNS Count Cache	22	918	120	8k+	7 years ago	Non Singular String Literal Domain
#177	NextScripts: Social Networks Auto-Poster	22	2,408	1,133	30k+	4 months ago	Output Not Escaped
#178	SSL Zen — SSL Certificate Installer & HTTPS Redirects	22	779	1,575	10k+	6 months ago	Non Prefixed Variable Found
#179	Stylish Price List – Price Table Builder & QR Code Restaurant Menu	22	674	678	3k+	7 days ago	Output Not Escaped
#180	Swift Performance Lite	22	2,346	1,325	7k+	4 months ago	Text Domain Mismatch
#181	Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent	22	225	519	8k+	2 months ago	error log error log
#182	Tag Groups is the Advanced Way to Display Your Taxonomy Terms	22	575	465	3k+	1 month ago	Unsafe Printing Function
#183	The Moneytizer	22	751	271	1k+	4 months ago	Text Domain Mismatch
#184	Theme Editor	22	798	685	50k+	3 months ago	Output Not Escaped
#185	ThemeHunk Customizer	22	3,969	582	7k+	7 months ago	Text Domain Mismatch
#186	Customize Feeds for Twitter	22	92	171	4k+	12 months ago	Non Prefixed Variable Found
#187	Uncanny Toolkit for LearnDash	22	539	994	20k+	24 days ago	Output Not Escaped
#188	Search & Replace Everything – Quick and Easy Way to Find and Replace Text, Links	22	1,044	1,797	20k+	26 days ago	Non Prefixed Variable Found
#189	URL Shortify – Simple and Easy URL Shortener	22	1,520	2,689	10k+	18 days ago	Non Prefixed Variable Found
#190	Welcart e-Commerce	22	10,377	10,896	10k+	19 days ago	Text Domain Mismatch
#191	WCFM Marketplace – Multivendor Marketplace for WooCommerce	22	1,937	1,969	10k+	1 month ago	Non Prefixed Variable Found
#192	WCFM Membership – WooCommerce Memberships for Multivendor Marketplace	22	559	675	10k+	2 months ago	Non Prefixed Variable Found
#193	WooCommerce	22	1,355	6,129	7m+	26 days ago	Non Prefixed Variable Found
#194	Advanced AJAX Product Filters	22	2,683	1,205	50k+	27 days ago	Text Domain Mismatch
#195	CoDesigner – All in One Elementor WooCommerce Builder	22	4,131	774	5k+	15 days ago	Text Domain Mismatch
#196	Simple Shopping Cart	22	796	536	10k+	1 month ago	Unsafe Printing Function
#197	ManageWP Worker	22	507	565	1m+	1 month ago	Non Prefixed Class Found
#198	Asset CleanUp: Page Speed Booster	22	2,030	2,485	100k+	2 months ago	Non Prefixed Variable Found
#199	WP Easy Pay – Payment and Donation form Builder for Square	22	893	1,828	1k+	3 days ago	Non Prefixed Variable Found
#200	WP Express Checkout (Fast Payments via PayPal & Stripe)	22	591	627	1k+	3 months ago	Output Not Escaped