WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2301Anything Popup371641852k+Non-prefixed global variable
#2302Apaczka: integracja z WooCommerce3783163k+Non-prefixed global variable
#2303Async JavaScript373577970k+Unsafe printing function
#2304authLdap3746304k+Exception output is not escaped
#2305avalex – Automatisch sichere Rechtstexte3725851k+Direct Query
#2306Custom Thank You Page Customize For WooCommerce by Binary Carpenter3745802k+error log error log
#2307Better Click To Share – Shareable Quote Boxes for X (Twitter)37170596k+Unsafe printing function
#2308Blimply3717243800Text Domain Mismatch
#2309Blog News Addons For Elementor (News, Magazine and Blog Addons)3723296400Non-prefixed global variable
#2310Customize WordPress Emails and Alerts – Better Notifications for WP37644730k+Missing Arg Domain
#2311Booster Extension37282896k+Non-prefixed global variable
#2312BuddyPress Members Only37184801k+Text Domain Mismatch
#2313bunny.net – WordPress CDN Plugin3716515910k+Output is not escaped
#2314Delivery Date Time & Pickup for WooCommerce37148216400Output is not escaped
#2315Catalog Booster & Product Catalog Mode for WooCommerce371061681k+Non-prefixed function
#2316Checkout for PayPal3713467600Unsafe printing function
#2317Clearpay Gateway for WooCommerce37185631k+Text Domain Mismatch
#2318ClickCease Click Fraud Protection37305810k+Non-prefixed class
#2319CodePeople Post Map for Google Maps37257313k+Unsafe printing function
#2320Lightweight Subscribe To Comments37105701k+Unsafe printing function
#2321Constant Contact Forms by MailMunch37147532k+wp function not compatible with requires wp
#2322CorvusPay WooCommerce Payment Gateway37291411k+Missing nonce verification
#2323Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter3715161600Output is not escaped
#2324Simple Custom CSS and JS3716869600k+Output is not escaped
#2325Custom CSS Manager3755201k+Output is not escaped
#2326Custom Post Template37483010k+Output is not escaped
#2327Debug Log Viewer3726831k+Missing nonce verification
#2328Donation Block For PayPal3723106600Input is not validated
#2329DSGVO/GDPR Cookies, DSE, Impressum & Google Fonts Proxy3739125700Text Domain Mismatch
#2330Duo Two-Factor Authentication3744613k+Missing nonce verification
#2331Easy Photo Album37360431k+Text Domain Mismatch
#2332Pricing Table WordPress Plugin – Easy Pricing Tables3733216110k+Output is not escaped
#2333Easy Testimonial Slider and Form3714144700Request data is not unslashed
#2334EasyMe Connect3713045500Text Domain Mismatch
#2335Eazy CF Captcha379354500Text Domain Mismatch
#2336WP eBay Product Feeds3713631700Output is not escaped
#2337Email Encoder – Protect Email Addresses and Phone Numbers371015090k+Non-prefixed global variable
#2338Excerpt Editor37170142500Unsafe printing function
#2339Exploit Scanner37251308k+Non-prefixed global variable
#2340Facturare WooCommerce371581063k+Text Domain Mismatch
#2341果果推送3731561k+Nonce verification recommended
#2342Gmail SMTP37857110k+Unsafe printing function
#2343GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM3759269600Direct Query
#2344GoCache3727343900Non Singular String Literal Domain
#2345XML Sitemap Generator for Google3743791m+Input is not validated
#2346GS Portfolio for Envato37155754k+Text Domain Mismatch
#2347HandL UTM Grabber / Tracker373114610k+Missing nonce verification
#2348Horizontal scrolling announcements372151408k+Output is not escaped
#2349HT Builder – WordPress Theme Builder for Elementor3714241900Output is not escaped
#2350HT Menu – WordPress Mega Menu Builder for Elementor37300603k+Text Domain Mismatch