WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3201Simple HTML Sitemap4242201k+Text Domain Mismatch
#3202Easy Demo Import for Omega Themes423341400Output is not escaped
#3203Easy Video Player42202020k+Output is not escaped
#3204Embedly4217382k+Output is not escaped
#3205Etsy Shop4258213k+Unsafe printing function
#3206Exclude Pages42311420k+Non Singular String Literal Domain
#3207File Media Renamer4216422k+Input is not sanitized
#3208First payment date for WooCommerce Subscriptions424219400Output is not escaped
#3209Flamix: Bitrix24 and Contact Form 7 integrations427941k+Output is not escaped
#3210Flexible Editor Panel for Elementor421544220k+Text Domain Mismatch
#3211FooTable428671k+Output is not escaped
#3212FormCraft – Form Builder421861562k+Text Domain Mismatch
#3213Lock Down Admin4230203k+Unsafe printing function
#3214Fusion Page Builder : Extension – Gallery422930600Output is not escaped
#3215Hide Cart Functions4212503k+Nonce verification recommended
#3216Hide Featured Image42261210k+Unsafe printing function
#3217HTML Editor Syntax Highlighter42302150k+Output is not escaped
#3218Image Uploader for Welcart4227243k+Output is not escaped
#3219iOS images fixer4222426k+Nonce verification recommended
#3220iyzico for WooCommerce42345410k+Unsafe printing function
#3221LeadSnap4214841k+Input is not validated
#3222LH Page Links To422538400Output is not escaped
#3223Image and Video Lightbox, Image PopUp4253151k+Output is not escaped
#3224Login No Captcha reCAPTCHA42452460k+Unsafe printing function
#3225Mailster Cool Captcha426528400Text Domain Mismatch
#3226Manage User Columns4215271k+Request data is not unslashed
#3227Mass Delete Unused Tags42219800Output is not escaped
#3228Mobile CSS42597500Output is not escaped
#3229My Upload Images427448400Unsafe printing function
#3230Nav Menu Collapse4217393k+Missing nonce verification
#3231NS Remove Related Products for WooCommerce4295433k+Output is not escaped
#3232OG Tags42131342k+Non Singular String Literal Domain
#3233OnPay.io for WooCommerce42238371k+Text Domain Mismatch
#3234PageMenu4216291k+Missing nonce verification
#3235PAYDUNYA WOOCOMMERCE PAR425432600Text Domain Mismatch
#3236PDF Thumbnail Generator4226162k+Output is not escaped
#3237Polylang Theme Strings42119306k+Output is not escaped
#3238Post Types Order424543600k+wp function not compatible with requires wp
#3239WP Email Log – PostBox42281700Nonce verification recommended
#3240Posts Like Dislike42157395k+Non Singular String Literal Domain
#3241PuSHPress42116520k+Missing nonce verification
#3242reCAPTCHA for WooCommerce42803140k+Output is not escaped
#3243Rename wp-admin login4223388k+Output is not escaped
#3244Republish Old Posts4283242k+Output is not escaped
#3245Responsive Mortgage Calculator4238287k+Output is not escaped
#3246SEO Backlink Monitor4286105700Output is not escaped
#3247Simple Googlebot Visit4232671k+Non Singular String Literal Domain
#3248Simple Sticky Footer425716600Missing Arg Domain
#3249SMTP Mailer42514970k+Unsafe printing function
#3250Speed Contact Bar4253204k+Output is not escaped