WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3601Kwayy HTML Sitemap5613196k+Missing nonce verification
#3602Free Live Chat Support56920600Output is not escaped
#3603Maya Business Plugin56939600Input is not validated
#3604Pluginception567294k+Request data is not unslashed
#3605Replace Protected Password56618600Input is not sanitized
#3606Image Optimization For SEO56116693k+Non Singular String Literal Domain
#3607TextBuilder5620344k+Missing Arg Domain
#3608ThemeinWP Import Companion5617144k+Unsafe printing function
#3609Export & Import WPBakery Page Builder5612209k+Missing nonce verification
#3610easy AMP561024600Input is not sanitized
#3611Pantheon Migrations5715261k+Output is not escaped
#3612BestWebSoft’s Pinterest57490176500Text Domain Mismatch
#3613Cache-Control572641k+Output is not escaped
#3614Delete Pending Comments57161110k+Unsafe printing function
#3615Disable Cart Fragments by Optimocha5781310k+Nonce verification recommended
#3616Easy GDPR Consent Forms – MailChimp577222500Text Domain Mismatch
#3617Live Chat by Formilla – Real-time Chat & Chatbots Plugin5722132k+Missing Arg Domain
#3618APG Google Image Sitemap Feed573633900Non-prefixed global variable
#3619Gravity PDF5711615220k+Non-prefixed global variable
#3620Hide Admin Notices5791620k+Input is not sanitized
#3621iZooto – Web Push Notifications5726251k+wp function not compatible with requires wp
#3622Jquery Validation For Contact Form 75716199k+Missing direct file access protection
#3623JSON API User5717341k+Non-prefixed hook name
#3624Monri Payments5714147900Text Domain Mismatch
#3625My WordPress Login Logo57283610k+Non-prefixed global variable
#3626Plethora Plugins Tabs + Accordions5744102k+Output is not escaped
#3627Plugin Notes571729400Input is not validated
#3628Protected Posts Logout Button5710201k+Input is not sanitized
#3629Real-Time Find and Replace57231070k+Output is not escaped
#3630Remove admin menus by role575548k+Input is not validated
#3631Replain57219700Output is not escaped
#3632Search Exclude57734050k+Text Domain Mismatch
#3633Site Health Tool Manager571351k+Unsafe printing function
#3634Responsive Slideshow – Photo Carousel571742k+Non-prefixed global variable
#3635Timologia for WooCommerce5775223k+Text Domain Mismatch
#3636WP Adsterra Dashboard572221400wp function not compatible with requires wp
#3637WP Table Builder – Drag & Drop Table Builder57633950k+Not Allowed
#3638WP Wrapper571329600Input is not validated
#3639Admin Page Notes581715700Text Domain Mismatch
#3640Customization for WP SEO5815102k+Unsafe printing function
#3641Gutenverse Form – Contact Form Builder, Block Form & Booking Form58174810k+Nonce verification recommended
#3642HAL5810624500Text Domain Mismatch
#3643Houzez WooCommerce Addon5822214k+Missing Translators Comment
#3644Menu Swapper5820143k+Output is not escaped
#3645Nginx Cache5812810k+Unsafe printing function
#3646Remove CPT base58151610k+Input is not sanitized
#3647REVIEWS.io for WooCommerce58711611k+Non-prefixed global variable
#3648Safety Exit5852261k+Text Domain Mismatch
#3649Simple Back To Top5815433k+Non-prefixed global variable
#3650Simple CSS for widgets5811151k+Missing nonce verification