WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5001The Future Is Now763101k+Input is not sanitized
#5002WEN Featured Image761183k+Input is not validated
#5003Pelecard Gateway7629554400Text Domain Mismatch
#5004Hide Dashboard Notifications76101020k+Output is not escaped
#5005WP AdCenter – Ad Manager & Adsense Ads765711k+Direct Query
#5006ACF Galerie 47716232k+Text Domain Mismatch
#5007Always Edit In HTML77751k+Output is not escaped
#5008Backup/Restore Divi Theme Options7788700Input is not validated
#5009Before After Image Comparison – Visual Comparison for Two Images7718163k+Text Domain Mismatch
#5010Custom Profile Menu for BuddyPress7784400Output is not escaped
#5011Canonical SEO Content Syndication WordPress Plugin7748400Missing nonce verification
#5012Honeypot Plus for Contact Form 777317700Missing nonce verification
#5013Color Your Bar77510400Input is not sanitized
#5014CodeKit – Custom Codes Editor7711295k+Non-prefixed global variable
#5015Custom Fonts – Host Your Fonts Locally771420400k+Request data is not unslashed
#5016Custom HTML Block Extension778137k+Missing direct file access protection
#5017Disable WP Registration Page Spam775121k+Nonce verification recommended
#5018easypay Gateway Checkout for WooCommerce77642600Nonce verification recommended
#5019Ecomail777131k+Non-prefixed global variable
#5020eSewa – Nepal First Payment Gateway77489600Text Domain Mismatch
#5021WP-FormAssembly774152k+Nonce verification recommended
#5022Embed Files from Google Drive774355k+Nonce verification recommended
#5023Ilmenite Cookie Consent776112k+Setting is missing a sanitization callback
#5024Internet Archive Wayback Machine Link Fixer772221k+Database parameter is not escaped
#5025Photo & Video Gallery – Image, Video & Portfolio774101k+Missing Version
#5026Simple Floating Menu7713310k+Missing direct file access protection
#5027Table Of Contents Block7715810k+wp function not compatible with requires wp
#5028Template Kit – Import774160400k+Non-prefixed global variable
#5029Toggle wpautop774159k+trademarked term
#5030Unattach77411900Nonce verification recommended
#5031UsageDD77831k+Output is not escaped
#5032Username7758700Deprecated function: screen_icon
#5033Widget Classes77571k+Missing nonce verification
#5034Album Photostream Flickr Gallery7730311k+Text Domain Mismatch
#5035Lorem Ipsum Generator7779500Missing direct file access protection
#5036WP Night Mode77811700Non-prefixed function
#5037WP Upload Size776142k+Non-prefixed function
#5038Pay with PAYUNi77913500Input is not sanitized
#5039Instant AI Image Generator – Create & Import Images78231k+Non-prefixed constant
#5040Animated Text Block – Add Typing and Looping Text Effects785254k+Non-prefixed class
#5041Bookvault781310700Nonce verification recommended
#5042Date Picker For Contact Form 778384k+Missing nonce verification
#5043Forget About Shortcode Buttons78112520k+Missing direct file access protection
#5044Interact: Embed A Quiz On Your Site786133k+Request data is not unslashed
#5045Layouts for Elementor78271k+Non-prefixed global variable
#5046Layouts for WPBakery78283k+Non-prefixed global variable
#5047LH HSTS78312600Input is not sanitized
#5048Login Widget for Ultimate Member781010600Input is not sanitized
#5049Maintenance Notice782671800Non-prefixed global variable
#5050More Mails for CF778136500Text Domain Mismatch