WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3051Conditional Fields for Contact Form 74110653100k+Output is not escaped
#3052CF7 Invisible reCAPTCHA4119527k+Request data is not unslashed
#3053Checklist416225400Text Domain Mismatch
#3054clickskeks.at Cookiebanner412118500Unsafe printing function
#3055CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree411219650k+Unsafe printing function
#3056CoinPayments.net Payment Gateway for WooCommerce4151321k+Text Domain Mismatch
#3057Colorful Categories4120202k+Output is not escaped
#3058Content Widget41729400Output is not escaped
#3059Contribuinte Checkout4130301k+Output is not escaped
#3060Controlled Admin Access41224010k+Nonce verification recommended
#3061Cookie Notice & Consent41101291k+Output is not escaped
#3062Custom Meta412329700Output is not escaped
#3063Custom Post Type Cleanup4170121k+Output is not escaped
#3064Dashboard Notepad41293410k+Missing nonce verification
#3065Database for CF74137322k+Text Domain Mismatch
#3066Debug Bar41642520k+Output is not escaped
#3067Developer Loggers for Simple History414628400Text Domain Mismatch
#3068Dinamize414165500Output is not escaped
#3069Disable Everything41901630k+Output is not escaped
#3070DigitalOcean Spaces Sync41808500Text Domain Mismatch
#3071DSGVO Youtube4148291k+Unsafe printing function
#3072Duplicate Page and Post41262180k+Unsafe printing function
#3073Easy Random Quotes414214500Output is not escaped
#3074Email Address Encoder411098100k+wp function not compatible with requires wp
#3075Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#3076Extra User Details4184151k+Non Singular String Literal Domain
#3077Fast Chat Button41241881k+Non-prefixed global variable
#3078Featured Image Generator4131161k+Output is not escaped
#3079Gallery Lightbox41471610k+Output is not escaped
#3080(Simply) Guest Author Name4135362k+Output is not escaped
#3081Hide My Dates415011400Unsafe printing function
#3082Hide WP Admin Login412339500Nonce verification recommended
#3083Highcompress Image Compressor4110669600Text Domain Mismatch
#3084iCount Payment Gateway4115322500Text Domain Mismatch
#3085Import external attachments4118262k+Output is not escaped
#3086Infinite Ajax Scrolling Lite For Woocommerce413328500Output is not escaped
#3087Multiple Themes411124110k+Output is not escaped
#3088Lazy Load Optimizer4163263k+Unsafe printing function
#3089LH Agree to Terms415932800Output is not escaped
#3090Lockdown WP Admin41205010k+Request data is not unslashed
#3091Log cleaner for Solid Security4165478k+Text Domain Mismatch
#3092Magic Liquidizer Responsive Table41114386k+Text Domain Mismatch
#3093MaxSlider4121457k+Output is not escaped
#3094Media Grid4142442k+Missing Arg Domain
#3095Mihdan: Yandex Turbo Feed4165391k+Output is not escaped
#3096Mollie Forms41145653k+Request data is not unslashed
#3097My Favorites4135341k+Output is not escaped
#3098My Wp Brand – Hide menu & Hide Plugin4174502k+Non Singular String Literal Domain
#3099Native Emoji4154375k+Unsafe printing function
#3100Nepali Date Utilities4151151k+date date