WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4951 | Resume Builder | 74 | 20 | 59 | 1k+ | Non-prefixed global variable | ||
| #4952 | Show Pages IDs | 74 | 8 | 8 | 10k+ | Output is not escaped | ||
| #4953 | Widgets in Menu for WordPress | 74 | 16 | 12 | 8k+ | Text Domain Mismatch | ||
| #4954 | WP API SwaggerUI | 74 | 14 | 20 | 2k+ | Missing direct file access protection | ||
| #4955 | Force Login | 74 | 5 | 8 | 30k+ | Output is not escaped | ||
| #4956 | WP-Sweep | 74 | 1 | 201 | 100k+ | Direct Query | ||
| #4957 | WP Term Colors | 74 | 3 | 13 | 700 | Nonce verification recommended | ||
| #4958 | Acumbamail | 75 | 7 | 36 | 1k+ | Non-prefixed global variable | ||
| #4959 | Admin Locale | 75 | 12 | 10 | 6k+ | Missing Arg Domain | ||
| #4960 | Bulk Comments Management | 75 | 6 | 25 | 700 | Direct Query | ||
| #4961 | Custom field finder | 75 | 9 | 3 | 2k+ | Output is not escaped | ||
| #4962 | Custom Adobe Fonts (Typekit) | 75 | 11 | 33 | 60k+ | Non-prefixed global variable | ||
| #4963 | Delay Redirects | 75 | 5 | 8 | 900 | Request data is not unslashed | ||
| #4964 | En Spam | 75 | 21 | 6 | 500 | wp function not compatible with requires wp | ||
| #4965 | Force First and Last Name as Display Name | 75 | 5 | 12 | 2k+ | Missing nonce verification | ||
| #4966 | Hide Categories and Products for Woocommerce | 75 | 1 | 20 | 10k+ | Input is not sanitized | ||
| #4967 | Honeypot Anti Spam for Forminator Forms | 75 | 4 | 7 | 1k+ | Missing nonce verification | ||
| #4968 | Invoice Gateway for WooCommerce – Invoice Payment Gateway | 75 | 3 | 30 | 2k+ | Nonce verification recommended | ||
| #4969 | Media Search Enhanced | 75 | 4 | 23 | 4k+ | Non-prefixed hook name | ||
| #4970 | Open Graph Protocol Framework | 75 | 17 | 12 | 3k+ | Missing direct file access protection | ||
| #4971 | Order Delivery Date And Time | 75 | 26 | 28 | 1k+ | Text Domain Mismatch | ||
| #4972 | OXY Re-Login Window | 75 | 5 | 7 | 500 | Missing Version | ||
| #4973 | PopupAlly | 75 | 40 | 10 | 2k+ | Missing direct file access protection | ||
| #4974 | Post Type Switcher | 75 | 3 | 18 | 200k+ | Direct Query | ||
| #4975 | Rapyd Payment Extension for WooCommerce | 75 | 50 | 33 | 400 | Text Domain Mismatch | ||
| #4976 | reCAPTCHA for bbPress | 75 | 14 | 19 | 800 | Non-prefixed function | ||
| #4977 | Registration Form for WooCommerce | 75 | 5 | 42 | 900 | Non-prefixed global variable | ||
| #4978 | Checkout & Store Toolkit for WooCommerce | 75 | 21 | 900 | Nonce verification recommended | |||
| #4979 | Matterport Shortcode | 75 | 21 | 30 | 3k+ | Text Domain Mismatch | ||
| #4980 | Simple Taxonomy Ordering | 75 | 7 | 10 | 10k+ | Direct Query | ||
| #4981 | Styled Calendar – Customizable, Mobile Responsive Google Calendar Embeds | 75 | 8 | 8 | 1k+ | Exception output is not escaped | ||
| #4982 | Temporary Login | 75 | 3 | 25 | 40k+ | Nonce verification recommended | ||
| #4983 | Video Background Block – Use video as background in section. | 75 | 35 | 90 | 2k+ | Non-prefixed global variable | ||
| #4984 | Custom Product Tabs Lite for WooCommerce | 75 | 3 | 11 | 4k+ | Input is not validated | ||
| #4985 | Extra Product Sorting Options for WooCommerce | 75 | 10 | 16 | 10k+ | Text Domain Mismatch | ||
| #4986 | WP Hide Dashboard | 75 | 6 | 10 | 2k+ | trademarked term | ||
| #4987 | WP-HTML-Compression | 75 | 7 | 22 | 1k+ | Input is not sanitized | ||
| #4988 | WPC Variation Bulk Editor for WooCommerce | 75 | 7 | 22 | 1k+ | Output is not escaped | ||
| #4989 | YITH Slider for page builders | 75 | 13 | 22 | 1k+ | Nonce verification recommended | ||
| #4990 | Change Mail Sender | 76 | 97 | 19 | 20k+ | Text Domain Mismatch | ||
| #4991 | Leo Product Recommendations for WooCommerce | 76 | 3 | 79 | 400 | Short URL found | ||
| #4992 | Payment Gateway for Authorize.net for WooCommerce | 76 | 6 | 16 | 700 | Input is not sanitized | ||
| #4993 | Preload Images | 76 | 8 | 6 | 1k+ | Output is not escaped | ||
| #4994 | Rearrange Products for WooCommerce | 76 | 1 | 22 | 20k+ | Input is not sanitized | ||
| #4995 | Search Regex | 76 | 6 | 25 | 100k+ | Direct Query | ||
| #4996 | Smartideo | 76 | 8 | 3 | 1k+ | Output is not escaped | ||
| #4997 | Store file uploads for Contact Form 7 | 76 | 5 | 6 | 1k+ | Output is not escaped | ||
| #4998 | Category Order and Taxonomy Terms Order | 76 | 35 | 10 | 500k+ | wp function not compatible with requires wp | ||
| #4999 | The Future Is Now | 76 | 3 | 10 | 1k+ | Input is not sanitized | ||
| #5000 | WEN Featured Image | 76 | 1 | 18 | 3k+ | Input is not validated |