WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4001Plugin Toggle80212500Nonce verification recommended
#4002WP Video Popup – WordPress Video Lightbox for YouTube, Rumble & Vimeo805149k+wp function not compatible with requires wp
#4003Smart Passworded Pages801182k+wp function not compatible with requires wp
#4004Melapress File Monitor8016906k+Non-prefixed global variable
#4005Mini Cart Drawer For WooCommerce80425500Non-prefixed hook name
#4006Auto iFrame812113k+Input is not sanitized
#4007Block Visibility — Conditional Visibility Control for the Block Editor8171140k+Input is not sanitized
#4008Change Permalink Helper8155900Direct Query
#4009Nice Search8145900Input is not sanitized
#4010Order Approval for Woocommerce8132081k+Non-prefixed global variable
#4011Portfolio Block – The Ultimate Project & Portfolio Builder8165800Offloaded Content
#4012Post Type Archive Descriptions811141k+Missing direct file access protection
#4013Orphans8114350k+Dynamic hook name
#4014Telephone field for Gravity Forms811249400wp function not compatible with requires wp
#4015Appointment Bookings for Zoom GoogleMeet and more – Wappointment8122521k+Non-prefixed class
#4016Advance Canonical URL823101k+Input is not validated
#4017Catch Gallery8213510k+Non-prefixed hook name
#4018Gallery for Google Photos – Import and Showcase Photo Albums822161k+Input is not validated
#4019Hostinger Tools8213223m+wp function not compatible with requires wp
#4020Independent Analytics for MainWP82713700Nonce verification recommended
#4021Lazy Load for Videos826379k+Non-prefixed constant
#4022Multiple Form Instances Add-on for Gravity Forms8255800Missing direct file access protection
#4023Simple ads.txt82861k+Missing direct file access protection
#4024Tabs in Post Editor8247500Input is not validated
#4025Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products826102k+Missing nonce verification
#4026WP Fail2Ban Redux821107k+trademarked term
#4027WP Mail From II82375k+trademarked term
#4028Admin in English83471k+Input is not sanitized
#4029Browser Theme Color83422k+Output is not escaped
#4030Check Conflicts8336121k+Missing Arg Domain
#4031Max upload filesize83389k+Input is not validated
#4032Media Player Addons for Elementor – Audio and Video Widgets for Elementor83181k+Nonce verification recommended
#4033Relevanssi Light83323600Direct Query
#4034RumbleTalk Live Group Chat – HTML583913700Missing direct file access protection
#4035Swipe Slider – Make dynamic slider with solid, gradient, or image background832153k+Non-prefixed global variable
#4036Term Duplicator8356500Input is not sanitized
#4037SKU Label Changer For WooCommerce83811700Missing direct file access protection
#4038AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations8488203k+Text Domain Mismatch
#4039BinancePay Checkout for WooCommerce84514800Input is not validated
#4040Cache Buster8456400Input is not sanitized
#4041Change Admin Email844450k+Missing nonce verification
#4042Duplicate taxonomy terms and ACF fields8438500Input is not validated
#4043JWT Authentication for WP REST API84274160k+wp function not compatible with requires wp
#4044Safelayout Cute Preloader – CSS3 WordPress Preloader8431410k+Input is not validated
#4045Search by ID8435700Input is not sanitized
#4046WP Force Lowercase URLs84296k+trademarked term
#4047WP Link Preview8449500trademarked term
#4048Backlinks Saver85353k+Deprecated parameter value found
#4049Popups – Submission Messages For Contact Form 785273k+Input is not sanitized
#4050Easy UTM Tracking with Contact Form 7853102k+Input is not validated