WordPress.Security.ValidatedSanitizedInput.InputNotValidated

Input is not validated

Request data is used without checking that it is allowed for the operation.

critical weight

Why It Shows Up

The scan found input from a request superglobal being used without validation such as capability checks, allowlists, type checks, or range checks.

Why It Matters

Sanitization cleans a value, but validation proves the value is acceptable. Missing validation can allow unexpected actions, invalid states, or unsafe query choices.

How to Fix

  • Check that IDs are positive integers, enum-like values are in an allowlist, and URLs or file paths are constrained.
  • Pair state-changing requests with nonce and capability checks.
  • Reject or safely default values that do not pass validation.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4051HSTS Ready853113k+Input is not validated
#4052Jotform – AI Chatbot8585k+Input is not validated
#4053MD5 Media Renamer85819400Non-prefixed global variable
#4054PlayerJS – Free Custom HTML5 Video and Audio Player Builder851131k+Missing Version
#4055Remove Footer Credit8573170k+Non-prefixed global variable
#4056Social Share Button8517071k+Non-prefixed global variable
#4057Static 40485173k+Input is not sanitized
#4058StoreOne Extension85687400Text Domain Mismatch
#4059TinyMCE Color Picker85271k+Input is not sanitized
#4060Widget CSS Classes8547880k+Non Singular String Literal Domain
#4061Catch Breadcrumb861292k+Non-prefixed global variable
#4062Classic Editor +861440k+Input is not sanitized
#4063Easy Demo Import for Omega Themes8656400Text Domain Mismatch
#4064Greenshift Smart Code AI86991k+Request data is not unslashed
#4065Nice page transition864121k+Direct Query
#4066Catch Infinite Scroll872010k+Non-prefixed global variable
#4067Booking Engine by Lodgify87515700Non-prefixed global variable
#4068Manage/View Your Posts Only8753400Input is not sanitized
#4069Export Single Post Page87362k+Nonce verification recommended
#4070Redirect 404 to Homepage884470k+parse url parse url
#4071Add URL Slugs as Body Classes8843700Input is not sanitized
#4072Blogify-AI88612400Non-prefixed global variable
#4073Captcha by Yandex for Contact Form 7889123k+Text Domain Mismatch
#4074Catch IDs881620k+Non-prefixed global variable
#4075Disable Registration Page8846400Text Domain Mismatch
#4076Organic Profile Block88361k+Input is not validated
#4077ProScores – Live Scores88124800wp function not compatible with requires wp
#4078Regen. Thumbs8833400Input is not sanitized
#4079WPBakery Page Builder Simple All Responsive88461k+Missing direct file access protection
#4080A Random Number8935800Non-prefixed function
#4081Animate on Scroll89244k+Input is not validated
#4082Document Embedder Addons for Elementor – Embed Documents in Elementor Websites8946k+Input is not validated
#4083Location Pack for WooCommerce8914800Non-prefixed global variable
#4084WP Featherlight Disabled895112k+trademarked term
#4085Content Anchor Links90651k+Non-prefixed hook name
#4086Fusion Page Builder : Extension – Button9045400Input is not validated
#4087Reading Position Indicator90223800Dynamic hook name
#4088Viva.com | Smart Checkout for WooCommerce901306k+Direct Query
#4089WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce902020k+Non-prefixed function
#4090Ads.txt Manager9244100k+Missing direct file access protection
#4091Weaver Show Posts9325k+Input is not sanitized
#4092Organic Widget Area Block9454800Text Domain Mismatch
#4093YLabs Connector for WPWriter9458800Forbidden PHP function found
#4094Paydibs Gateway for WooCommerce95141k+Discouraged text-domain loading
#4095WPC Buy Now Button for WooCommerce951810k+Non-prefixed class
#4096Mobile Call Buttons9711500Input is not validated