WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.
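The three fixes above, worked through in one handler. This is an added example written for this page, not the scanner's code or any listed plugin's; it assumes a hypothetical plugin using the prefix `myplugin_`, an `admin-post.php` form that posts `post_id`, `mode`, `redirect_url` and `template`, and a `templates/` directory inside the plugin. The first function shows the pattern the sniff flags; the second shows the nonce and capability gate followed by a type check, an allowlist, a URL constraint and a file-path constraint, each either rejecting the request or falling back to a safe default.

```php
<?php
// Added example (hypothetical "myplugin"); not code from the page or any listed plugin.

// --- Flagged pattern: request data used without validation ---
function myplugin_handle_unvalidated() {
    // $_POST values are read and used as-is. sanitize_text_field() cleans the
    // string but does not prove "mode" is a known option, that post_id is a
    // positive integer, or that this user may change this post at all.
    $post_id = $_POST['post_id'];
    $mode    = sanitize_text_field( $_POST['mode'] );
    update_post_meta( $post_id, '_myplugin_mode', $mode );
}

// --- Hardened version: nonce + capability, then validate every value ---
function myplugin_handle_validated() {
    // 1. State-changing request: nonce and capability before anything else.
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'myplugin' ), 403 );
    }

    // 2. Type check: the ID must be a positive integer and refer to a post
    //    this user can edit (object-level authorization, not just role).
    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    if ( 0 === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Invalid post.', 'myplugin' ), 400 );
    }

    // 3. Allowlist: an enum-like value is accepted only if it is one of the
    //    known options; anything else falls back to a safe default.
    $allowed_modes = array( 'light', 'dark', 'auto' );
    $mode = isset( $_POST['mode'] ) ? sanitize_key( wp_unslash( $_POST['mode'] ) ) : '';
    if ( ! in_array( $mode, $allowed_modes, true ) ) {
        $mode = 'auto';
    }

    // 4. URL constraint: must parse as http(s); wp_validate_redirect() then
    //    replaces any off-site target with the supplied default.
    $redirect = isset( $_POST['redirect_url'] ) ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ) ) : '';
    if ( '' !== $redirect && false === wp_http_validate_url( $redirect ) ) {
        $redirect = '';
    }
    $redirect = wp_validate_redirect( $redirect, admin_url( 'edit.php' ) );

    // 5. File-path constraint: never use the raw value; resolve it and confirm
    //    it stays inside the plugin's templates directory.
    $base     = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $name     = isset( $_POST['template'] ) ? sanitize_file_name( wp_unslash( $_POST['template'] ) ) : '';
    $resolved = ( '' !== $name ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $resolved || 0 !== strpos( $resolved, $base . DIRECTORY_SEPARATOR ) ) {
        $resolved = $base . DIRECTORY_SEPARATOR . 'default.php';
    }

    update_post_meta( $post_id, '_myplugin_mode', $mode );
    update_post_meta( $post_id, '_myplugin_template', basename( $resolved ) );
    wp_safe_redirect( $redirect );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_validated' );
```

The order matters: the nonce and capability checks run before any request value is read, so an unauthorized request never reaches the validation logic, and each later step either aborts (for the ID, where a wrong value has no safe substitute) or substitutes a known-good default (mode, redirect, template) rather than storing whatever arrived.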

Affected Plugins

Rank  |  Plugin  |  Score, Errors, Warnings, Installs (run together in the extracted page; the Added and Updated columns did not survive extraction)  |  Top Issue
#2501  |  WPAppsDev – CF7 Form Submission Limit  |  38104331k+  |  Text Domain Mismatch
#2502  |  Contact Form 7 – Post Fields  |  38167253k+  |  Text Domain Mismatch
#2503  |  Checkout Files Upload for WooCommerce  |  38571207k+  |  Input is not sanitized
#2504  |  Classic Editor Plus – WordPress Classic Editor plugin by Felix  |  388342500  |  Text Domain Mismatch
#2505  |  Clever Mega Menu for Visual Composer  |  38500871k+  |  Output is not escaped
#2506  |  Chatbot for WordPress by Collect.chat ⚡️  |  3858366k+  |  Unsafe printing function
#2507  |  country-redirect  |  385819400  |  Text Domain Mismatch
#2508  |  Crop-Thumbnails  |  38332740k+  |  Missing direct file access protection
#2509  |  CRUDLab Disable Comments  |  382054700  |  Missing nonce verification
#2510  |  One page checkout and layouts for woocommerce  |  3883523k+  |  Non-prefixed global variable
#2511  |  Custom post type templates for Elementor  |  3828933700  |  Text Domain Mismatch
#2512  |  Customize Posts  |  3831771k+  |  Non-prefixed hook name
#2513  |  Login Page Customizer – Customize Login Screen & Branding  |  38361721k+  |  Non-prefixed function
#2514  |  Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)  |  3838183600  |  Non-prefixed global variable
#2515  |  Decent Comments  |  3893282k+  |  Output is not escaped
#2516  |  Responsive Pricing Table  |  3830910510k+  |  Non Singular String Literal Domain
#2517  |  PiWeb Product Enquiry or product catalog for WooCommerce  |  382551451k+  |  Text Domain Mismatch
#2518  |  Erident Custom Login and Dashboard  |  38122288k+  |  Unsafe printing function
#2519  |  Export to Blogger  |  3847117900  |  Non-prefixed global variable
#2520  |  Export User Data  |  38187626k+  |  Text Domain Mismatch
#2521  |  Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds  |  381678250k+  |  Output is not escaped
#2522  |  Social Photo Fetcher  |  38151431k+  |  Output is not escaped
#2523  |  Social Shop for WooCommerce  |  385124800  |  Output is not escaped
#2524  |  Foyer – Digital Signage for WordPress  |  381481911k+  |  Non-prefixed global variable
#2525  |  Front-end Editor  |  387862500  |  Output is not escaped
#2526  |  GoodBarber  |  3838731k+  |  Nonce verification recommended
#2527  |  Great Caroussel  |  3860131500  |  SQL query is not prepared
#2528  |  Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration  |  38160821k+  |  Unsafe printing function
#2529  |  HashThemes Demo Importer  |  3871446k+  |  Output is not escaped
#2530  |  CAOS | Host Google Analytics Locally  |  381244410k+  |  Output is not escaped
#2531  |  WP Team – WordPress Team Member Plugin  |  3853736600  |  Text Domain Mismatch
#2532  |  Illdy Companion  |  38187236k+  |  Output is not escaped
#2533  |  imoje  |  38621602k+  |  Nonce verification recommended
#2534  |  Insert PHP Code Snippet  |  3816422790k+  |  Output is not escaped
#2535  |  3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery  |  383537780k+  |  Non Singular String Literal Domain
#2536  |  JC Submenu  |  38279324k+  |  Output is not escaped
#2537  |  Maintenance Redirect  |  3824413210k+  |  Missing Arg Domain
#2538  |  Jock On Air Now (JOAN)  |  38121224400  |  Output is not escaped
#2539  |  jQuery Pin It Button for Images  |  381293610k+  |  Output is not escaped
#2540  |  Kali Forms — Contact Form & Drag-and-Drop Builder  |  38325210k+  |  Dynamic hook name
#2541  |  Lana Downloads Manager  |  38146783k+  |  Unsafe printing function
#2542  |  Log Deprecated Notices  |  3892731k+  |  Text Domain Mismatch
#2543  |  LuckyWP Scripts Control  |  38186233k+  |  Output is not escaped
#2544  |  LWS Cleaner  |  388112920k+  |  Direct Query
#2545  |  Migrate Store: Export and Import WooCommerce Settings  |  3837331k+  |  Non-prefixed global variable
#2546  |  MimeTypes Link Icons  |  3853348k+  |  Output is not escaped
#2547  |  MisterPlan – Booking Engines  |  3873138600  |  Nonce verification recommended
#2548  |  Monetag Official Plugin  |  38133325k+  |  Text Domain Mismatch
#2549  |  Most And Least Read Posts Widget  |  38130241k+  |  Output is not escaped
#2550  |  Multiple Domain Mapping on Single Site  |  38135516k+  |  Text Domain Mismatch