WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3001Widget Builder404052500Non-prefixed global variable
#3002Widget Menuizer404426600Missing Arg Domain
#3003Widget Visibility Without Jetpack4074475k+Text Domain Mismatch
#3004Widgets Control409247800Output is not escaped
#3005Eurobank WooCommerce Payment Gateway4066432k+Non Singular String Literal Domain
#3006Preview E-mails for WooCommerce40353730k+Unsafe printing function
#3007NP Quote Request for WooCommerce40911459k+Non-prefixed global variable
#3008yubikey-plugin406433400Text Domain Mismatch
#3009All In One SEO Pack for WooCommerce4057253k+Text Domain Mismatch
#3010WooSidebars404337100k+Missing Translators Comment
#3011Word Balloon402012510k+Request data is not unslashed
#3012WP Compress for MainWP402036700Output is not escaped
#3013Custom CSS/JS405834700Text Domain Mismatch
#3014Easy PayPal & Stripe Buy Now Button403889610k+Unsafe printing function
#3015WP Help40495410k+Unsafe printing function
#3016WP Keyword Suggest402941500Non Singular String Literal Domain
#3017Media Library Categories40294920k+Output is not escaped
#3018WP Meteor Website Speed Optimization Addon40341920k+Output is not escaped
#3019WP Multisite Content Copier/Updater4019144800Interpolated SQL is not prepared
#3020WP Nav Plus4095131k+Output is not escaped
#3021WP Paint – WordPress Image Editor4030296k+Missing Arg Domain
#3022QR code MeCard/vCard generator40322212k+Unsafe printing function
#3023WP Reroute Email401411061k+Output is not escaped
#3024Sentry for WordPress40804010k+Text Domain Mismatch
#3025Social Share Buttons & Analytics Plugin – GetSocial.io4097252k+Output is not escaped
#3026WP Tab Widget401283210k+Output is not escaped
#3027WP Theme Test4021397k+Input is not sanitized
#3028WPC Force Sells for WooCommerce403897600Output is not escaped
#3029WPFront Notification Bar402224450k+Output is not escaped
#3030Yektanet Ecommerce4045103900Request data is not unslashed
#3031My YouTube Channel4054385k+Output is not escaped
#3032Zippy4043319k+Output is not escaped
#3033AddQuicktag418610100k+Output is not escaped
#3034Advance Bank Payment Transfer Gateway41105621k+Text Domain Mismatch
#3035Advanced Excerpt41694370k+Unsafe printing function
#3036Age Verify4129311k+Output is not escaped
#3037AH Display Widgets4152168k+Text Domain Mismatch
#3038Schema – All In One Schema Rich Snippets4159818030k+Text Domain Mismatch
#3039Alma – Pay in installments or later for WooCommerce41116681k+Exception output is not escaped
#3040Amazon Link Engine4138172k+Output is not escaped
#3041Announcer – Sticky Message Banner & Notification Bar411102710k+Output is not escaped
#3042Antispam411141400Missing nonce verification
#3043Authenticator4159441k+Output is not escaped
#3044Auto Focus Keyword for SEO4112382k+Input is not validated
#3045Avatar Manager4129415k+Unsafe printing function
#3046Beautiful Cookie Consent Banner41337640k+Non-prefixed global variable
#3047Bop Search Box Item Type For Nav Menus4152141k+Output is not escaped
#3048BuddyPress Xprofile Custom Field Types41391894k+Missing nonce verification
#3049BuddyPress Edit Activity412826800Output is not escaped
#3050Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO)4116371k+Missing nonce verification