WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3551Custom Category Templates5411113k+Unsafe printing function
#3552Expanding Archives543793k+Output is not escaped
#3553F4 Media Taxonomies547391k+Input is not sanitized
#3554PWA — easy way to Progressive Web App5415442k+Dynamic hook name
#3555Juiz Lang Attribute5426272k+Text Domain Mismatch
#3556Live Summary for Gravity Forms5415271k+Nonce verification recommended
#3557Reorder Terms5417381k+Nonce verification recommended
#3558Resize images before upload541951k+Output is not escaped
#3559REST XML-RPC Data Checker541445900Input is not sanitized
#3560Simple XML Sitemap Generator548283k+Non-prefixed function
#3561Sp*tify Play Button for WordPress5421153k+Text Domain Mismatch
#3562Sticky Floating Forms Lite542629900Non-prefixed global variable
#3563Post Badges541913400Output is not escaped
#3564WC Duplicate Order541215500Nonce verification recommended
#3565WP Menu Icons54685220k+Text Domain Mismatch
#3566WP Post Navigation5414231k+Output is not escaped
#3567WP Social Preview543315800Non Singular String Literal Domain
#3568Accordions55110120k+slow db query meta query
#3569Admin Bar User Switching5516312k+Input is not validated
#3570Advanced Custom Order Status for WooCommerce554433500Text Domain Mismatch
#3571AI Assistant for Elementor – Auto Content Writer, OpenAI, ChatGPT5515124400Text Domain Mismatch
#3572Auto Image Alt Attribute552676k+Unsafe printing function
#3573Chabok | چابک551631400Nonce verification recommended
#3574Disable Feeds559920k+Output is not escaped
#3575Feedbucket – Website Feedback Tool5510251k+Input is not validated
#3576Head, Footer and Post Injections55952200k+Non-prefixed global variable
#3577Hide Admin Menu55182720k+Non-prefixed function
#3578Holded integration5572232k+Non Singular String Literal Domain
#3579Landingi Landing Pages5518232k+Input is not sanitized
#3580LexonRank: AI Link Building, Free Backlinks & SEO Automation5515201k+Nonce verification recommended
#3581Marvy – Background Animations for Elementor5563344k+Text Domain Mismatch
#3582Mortgage Calculator5598164k+Text Domain Mismatch
#3583Page Animations And Transitions5589671k+Non Singular String Literal Domain
#3584Virtual Robots.txt55102140k+Input is not validated
#3585Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More5544647k+Text Domain Mismatch
#3586Quick and Easy Testimonials5562323k+Non Singular String Literal Domain
#3587Semrush Content Toolkit5522242k+Non-prefixed global variable
#3588Free customer chat solution551810500Output is not escaped
#3589Text Changer for Welcart5547743500Text Domain Mismatch
#3590VS Contact Form5533187k+Non-prefixed global variable
#3591VK Block Patterns55861100k+Non-prefixed function
#3592Payment Integration Wompi – El Salvador555027800Text Domain Mismatch
#3593Yext Plugin551623800Non-prefixed function
#3594Admin Bar Fix564018400Text Domain Mismatch
#3595All in One SEO Pack Importer561725500Direct Query
#3596Anti-Captcha (anti-spam botblocker)5623261k+rand mt rand
#3597BotPenguin – Generative AI Chatbot with Live Chat & ChatGPT56127600Unsafe printing function
#3598SMTP by BestWebSoft564861751k+Text Domain Mismatch
#3599CHEQ Essentials561449700Request data is not unslashed
#3600Contextual Adminbar Color561816500Output is not escaped