WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3751Creative Clans Embed Script63109600Input is not sanitized
#3752Email Post Changes63438500Missing Arg Domain
#3753Happierleads – Identify your B2B website visitors even if they work remotely63327600wp function not compatible with requires wp
#3754Hide Admin Bar From Front End638171k+Input is not validated
#3755Image Sitemap631114400Output is not escaped
#3756IndexNow Plugin631491100k+error log error log
#3757Missed Scheduled Posts Publisher by WPBeginner63161730k+Text Domain Mismatch
#3758One Tap Google Sign in63630900Request data is not unslashed
#3759Simple Membership After Login Redirection6342410k+Missing nonce verification
#3760Slightly troublesome permalink6324101k+Non Singular String Literal Domain
#3761UniqueID for Contact Form 76421182k+Text Domain Mismatch
#3762CV Demo Importer642195400Non-prefixed global variable
#3763Download Theme6418204k+wp function not compatible with requires wp
#3764Estonian Shipping Methods for WooCommerce6497161k+Text Domain Mismatch
#3765Evermore648121k+Input is not validated
#3766Favicon XT-Manager649122k+Output is not escaped
#3767Nofollow for external link648510k+Output is not escaped
#3768Stancer for WooCommerce642108400Non-prefixed global variable
#3769WP REST Cache641111310k+Direct Query
#3770Contact Form 7 – Success Page Redirects6551510k+Input is not sanitized
#3771Custom Global Variables6514125k+Output is not escaped
#3772Dojo for WooCommerce657113800Text Domain Mismatch
#3773EDD Hide Download651313600Output is not escaped
#3774Email Tracker65254800SQL query is not prepared
#3775Live Chat with Messenger Customer Chat6510233k+Input is not sanitized
#3776Futy.io Leadbots657392k+wp function not compatible with requires wp
#3777HTACCESS IP Blocker655142k+Missing nonce verification
#3778Multi Image Metabox651786k+Output is not escaped
#3779Read More Excerpt Link651983k+Output is not escaped
#3780Redirect 404 to Home Page – Custom URL657114k+Output is not escaped
#3781Slider Revolution Search Replace65514900Input is not validated
#3782Web and WooCommerce Addons for WPBakery Builder654971231k+Text Domain Mismatch
#3783VK Link Target Controller65131030k+Output is not escaped
#3784ACF: Rus-To-Lat6615112k+Output is not escaped
#3785Bulk Term Generator – Import multiple tags, categories, and taxonomies easily668312k+Request data is not unslashed
#3786Calculated fields for ACF665181k+Non-prefixed global variable
#3787Social comments by WpDevArt669198k+Missing Version
#3788Cookie Warning661415700Non-prefixed function
#3789Custom Author Byline66118500Output is not escaped
#3790Debug Log Manager – Conveniently Monitor and Inspect Errors66334410k+Input is not validated
#3791Duplicate Menu66117100k+Unsafe printing function
#3792Elementic66229900Text Domain Mismatch
#3793FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration6626306k+Missing direct file access protection
#3794Goaffpro Affiliate Marketing666284k+Nonce verification recommended
#3795Hide Title6613630k+Output is not escaped
#3796HiFi (Head Injection, Foot Injection)6613112k+Output is not escaped
#3797IranDargah Payment Gateway for Woocommerce666626400Text Domain Mismatch
#3798Leadpages6666210k+Direct Query
#3799Page Meta662614700Missing Arg Domain
#3800Product Code for WooCommerce6613541k+Missing direct file access protection