WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation, such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.
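
The checks listed above, combined in one request handler. This is an added example, not code from the scanner or from any plugin listed on this page; the handler name, action name, nonce action, field names and the 'myplugin' text domain are assumptions.

```php
<?php
// Added example. Hypothetical names: myplugin_set_status, myplugin_nonce, post_id, status, return_to.
add_action( 'admin_post_myplugin_set_status', 'myplugin_handle_set_status' );

function myplugin_handle_set_status() {
	// State-changing request: verify the nonce before reading any other field.
	check_admin_referer( 'myplugin_set_status', 'myplugin_nonce' );

	// ID: must be present and a positive integer. FILTER_VALIDATE_INT returns
	// false for arrays, non-numeric strings, zero and negatives, so nothing is
	// silently coerced into a "valid" ID.
	$raw_id  = isset( $_POST['post_id'] ) ? wp_unslash( $_POST['post_id'] ) : '';
	$post_id = filter_var( $raw_id, FILTER_VALIDATE_INT, array( 'options' => array( 'min_range' => 1 ) ) );
	if ( false === $post_id || ! get_post( $post_id ) ) {
		wp_die( esc_html__( 'Invalid post ID.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// Capability: checked against the specific object, not only a general role.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_die( esc_html__( 'You are not allowed to edit this post.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// Enum-like value: sanitize, then require strict membership in an allowlist.
	$allowed = array( 'draft', 'pending' );
	$status  = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
	if ( ! in_array( $status, $allowed, true ) ) {
		wp_die( esc_html__( 'Unsupported status.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// URL: constrain to allowed hosts and fall back to a safe default instead
	// of trusting the submitted destination.
	$fallback = admin_url( 'edit.php' );
	$return   = ( isset( $_POST['return_to'] ) && is_string( $_POST['return_to'] ) )
		? esc_url_raw( wp_unslash( $_POST['return_to'] ) )
		: '';
	$return   = wp_validate_redirect( $return, $fallback );

	// Only values that passed every check reach the state change.
	wp_update_post(
		array(
			'ID'          => $post_id,
			'post_status' => $status,
		)
	);

	wp_safe_redirect( $return );
	exit;
}
```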

Affected Plugins

Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue
#2001Ni WooCommerce Sales Report35236256500Text Domain Mismatch
#2002Nooz35287108500Text Domain Mismatch
#2003One Page Express Companion351326510k+Output is not escaped
#2004ONet Regenerate Thumbnails35190641k+Text Domain Mismatch
#2005Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce351171442k+Output is not escaped
#2006OSM Map Widget for Elementor35183149k+Text Domain Mismatch
#2007Page Optimize357041200k+Non Singular String Literal Domain
#2008Page Visits Counter – Lite3528355k+Output is not escaped
#2009Paybox WooCommerce Payment Gateway3516588500Non Singular String Literal Domain
#2010Paytm Payment Gateway35921043k+Missing Arg Domain
#2011Perfecty Push Notifications352042134k+SQL query is not prepared
#2012PiWeb Delivery & Pickup Date Time for WooCommerce35377163500Text Domain Mismatch
#2013Planyo online reservation system356490400Output is not escaped
#2014Plausible Analytics352446110k+Exception output is not escaped
#2015Accept Cryptocurrencies with Plisio3537471k+Text Domain Mismatch
#2016Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups351682920k+Output is not escaped
#2017Popular Posts3516671900Unsafe printing function
#2018Popup with fancybox351961681k+Unsafe printing function
#2019Post Content Shortcodes35205562k+Output is not escaped
#2020Post Draft Preview354969700Text Domain Mismatch
#2021Post List Featured Image35112100900Output is not escaped
#2022Post Meta Data Manager35301121k+Non-prefixed global variable
#2023Post Password Token3513238600Text Domain Mismatch
#2024Protect the Children!352341k+Missing nonce verification
#2025Publitio354726400curl curl setopt
#2026Push Notifications by LaraPush3532764k+Non-prefixed global variable
#2027Push7354517700Short PHP open tag found
#2028Quran multilanguage Text & Audio35177166500Output is not escaped
#2029Related Posts for WordPress3520718010k+Output is not escaped
#2030ReOrder Posts within Categories35392077k+Non-prefixed global variable
#2031Reseller Store3556341k+Output is not escaped
#2032WP Responsive Tabs horizontal vertical and accordion Tabs355982122k+Output is not escaped
#2033Reveal IDs35231340k+Output is not escaped
#2034Robots.txt rewrite3556191k+Output is not escaped
#2035sCode (Easy Shortcodes)3515797400Text Domain Mismatch
#2036Scroll Styler355221900Output is not escaped
#2037Internal Links Manager3518812110k+Output is not escaped
#2038Security Optimizer – The All-In-One Protection Plugin3540841m+Request data is not unslashed
#2039Shipping Zones by Drawing for WooCommerce3527895600Text Domain Mismatch
#2040Shopkeeper Extender3514265k+Missing Version
#2041SHOPVOTE356458400curl curl setopt
#2042Shortcake (Shortcode UI)3593910k+Request data is not unslashed
#2043Simple CAPTCHA with Cloudflare Turnstile3582148100k+Output is not escaped
#2044Simple Export Import for ACF Data3519641k+Request data is not unslashed
#2045Simple Yearly Archive35102366k+Unsafe printing function
#2046Simple Analytics3524201k+Output is not escaped
#2047SiteOrigin CSS356184100k+Not In Footer
#2048WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat35283190k+Input is not sanitized
#2049Quiz Maker, Poll Maker & Survey Maker by Opinion Stage3542326k+Output is not escaped
#2050Social Sharing Plugin – Social Warfare351714320k+Non-prefixed class