WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3951WP Hide Dashboard756102k+trademarked term
#3952WP-HTML-Compression757221k+Input is not sanitized
#3953Aruba Fatturazione Elettronica7634700Missing nonce verification
#3954Cache External Scripts76214900Output is not escaped
#3955Input Masks for Contact Form 77614312800wp function not compatible with requires wp
#3956PDF Flipbook Heyzine763461k+Non-prefixed global variable
#3957Search Regex76625100k+Direct Query
#3958Smartideo76831k+Output is not escaped
#3959Telephone Input For Contact Form 7761810600Text Domain Mismatch
#3960WEN Featured Image761183k+Input is not validated
#3961ACF Galerie 47716232k+Text Domain Mismatch
#3962Always Edit In HTML77751k+Output is not escaped
#3963Backup/Restore Divi Theme Options7788700Input is not validated
#3964Canonical SEO Content Syndication WordPress Plugin7748400Missing nonce verification
#3965Color Your Bar77510400Input is not sanitized
#3966Custom HTML Block Extension778137k+Missing direct file access protection
#3967Disable WP Registration Page Spam775121k+Nonce verification recommended
#3968Dual Currency Display77124900Direct Query
#3969Ecomail777131k+Non-prefixed global variable
#3970Internet Archive Wayback Machine Link Fixer772221k+Database parameter is not escaped
#3971Shipping Zone Duplicator for WooCommerce771014800Nonce verification recommended
#3972Toggle wpautop774159k+trademarked term
#3973Username7758700Deprecated function: screen_icon
#3974Lorem Ipsum Generator7779500Missing direct file access protection
#3975WP Upload Size776142k+Non-prefixed function
#3976Booking System Trafft78319400Nonce verification recommended
#3977Forget About Shortcode Buttons78112520k+Missing direct file access protection
#3978Interact: Embed A Quiz On Your Site786133k+Request data is not unslashed
#3979Layouts for Elementor78271k+Non-prefixed global variable
#3980Layouts for WPBakery78283k+Non-prefixed global variable
#3981LH HSTS78312600Input is not sanitized
#3982Post Order By Category78112900Missing nonce verification
#3983Rename XMLRPC78731k+Output is not escaped
#3984RSS Includes Pages784810k+Output is not escaped
#3985Run SQL Query78138600Non-prefixed global variable
#3986Thumbnails and Featured Images7816141k+Short PHP open tag found
#3987Tock Widget7869400Missing direct file access protection
#3988WP Faster787121k+trademarked term
#3989Import / Export Customizer Settings7951350k+Input is not sanitized
#3990Contact Form 7 Get and Show Parameter from URL79310800Input is not sanitized
#3991Exclude Pages From Menu796118k+Non-prefixed function
#3992Manage Privacy Options Page793111k+Input is not validated
#3993Qi Addons For Elementor7933339200k+Non-prefixed global variable
#3994Remove Category URL – Remove 'category' base from category permalinks795850k+Missing direct file access protection
#3995WP Referral Code791819600Missing direct file access protection
#3996WPC Additional Variation Images for WooCommerce79426800Non-prefixed class
#3997Cost Calculator for Elementor8022317500wp function not compatible with requires wp
#3998Docxpresso809142k+Input is not sanitized
#3999Duo Universal806252k+Nonce verification recommended
#4000Fluent PDF Generator80102620k+Text Domain Mismatch