WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3451Registered Users Only4914142k+Unsafe printing function
#3452Secondary Product Image for WooCommerce4925292k+Output is not escaped
#3453Simple MyISAM to InnoDB4911221k+Output is not escaped
#3454SKT Themes Demo Import492181044k+Text Domain Mismatch
#3455Songkick Concerts and Festivals49948500Input is not sanitized
#3456SpinupWP49433830k+Non-prefixed function
#3457UiCore Animate – Free Animations, Transitions, and Interactions Addon for Elementor & Gutenberg blocks49343840k+Missing direct file access protection
#3458Was This Helpful?4919281k+Output is not escaped
#3459PDF Invoices & Packing Slips for WooCommerce – Challan49561514k+Non-prefixed global variable
#3460WooBuilder492017700Output is not escaped
#3461Product Slider, Product Grid, Product Masonry495514410k+wp function not compatible with requires wp
#3462WP User Groups494432600Missing Translators Comment
#3463Aspexi Social Media Sidebox5017512700Text Domain Mismatch
#3464Auto Ping Booster Free501821900Setting is missing a sanitization callback
#3465BuddyPress Groups Extras503051400Missing direct file access protection
#3466Category AJAX Filter — Advanced Filter for Posts & Custom Post Types5024356k+Non-prefixed global variable
#3467Page Builder Gutenberg Blocks – CoBlocks5016736300k+block api version too low
#3468Customize Tawk.to Widget502128500Request data is not unslashed
#3469Disable Site502634k+Output is not escaped
#3470Event Organiser CSV502827600Output is not escaped
#3471Block IPs for Gravity Forms508361k+Request data is not unslashed
#3472Headline Analyzer5013311k+Nonce verification recommended
#3473HT Slider For Elementor508844020k+Text Domain Mismatch
#3474Mailster Gravity Forms504632800Text Domain Mismatch
#3475MB Custom Post Types & Custom Taxonomies50615510k+Missing Translators Comment
#3476Pago por Redsys504459700Text Domain Mismatch
#3477PostmagThemes Demo Import501911141k+Text Domain Mismatch
#3478📷 Simple QR Code Generator Widget502114400Output is not escaped
#3479Section Widget502435500Nonce verification recommended
#3480Theme Demo Import50101955k+Non-prefixed hook name
#3481BestWebSoft's Twitter50477174900Text Domain Mismatch
#3482Ultimate WooCommerce Brands508712400Text Domain Mismatch
#3483Veeqo for WooCommerce503017700Missing direct file access protection
#3484Cart Popup for WooCommerce5191159k+Non-prefixed global variable
#3485Address Geocoder511218500Output is not escaped
#3486Aspexi Social Media Slider51177152k+Text Domain Mismatch
#3487AVIF Uploader5149444k+Missing Arg Domain
#3488Feeds for TikTok – Display Video Feeds in Grid Layouts5118591k+Request data is not unslashed
#3489Booqable Rental Plugin5181181k+wp function not compatible with requires wp
#3490WPML Multilingual for BuddyPress and BuddyBoss5118216k+SQL query is not prepared
#3491CloudFilt Bot & Spam Protection511122600Output is not escaped
#3492Dynamic Pricing and Discount Rules5124651k+Non Singular String Literal Text
#3493Dolyame Payment gateway5112210700Text Domain Mismatch
#3494Gravity Forms No CAPTCHA reCAPTCHA51301710k+Text Domain Mismatch
#3495Gutenverse – WordPress Blocks, Page Builder & Site Editor51174720k+Non-prefixed hook name
#3496KIA Subtitle5121197k+Non-prefixed global variable
#3497POLi Payments for WooCommerce516226500Text Domain Mismatch
#3498Quotes and Tips by BestWebSoft514851901k+Text Domain Mismatch
#3499Security-Protection51532400Missing nonce verification
#3500Simple Cookie Notification Bar514961k+Text Domain Mismatch