WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5001 | The Future Is Now | 76 | 3 | 10 | 1k+ | Input is not sanitized | ||
| #5002 | WEN Featured Image | 76 | 1 | 18 | 3k+ | Input is not validated | ||
| #5003 | Pelecard Gateway | 76 | 295 | 54 | 400 | Text Domain Mismatch | ||
| #5004 | Hide Dashboard Notifications | 76 | 10 | 10 | 20k+ | Output is not escaped | ||
| #5005 | WP AdCenter – Ad Manager & Adsense Ads | 76 | 5 | 71 | 1k+ | Direct Query | ||
| #5006 | ACF Galerie 4 | 77 | 16 | 23 | 2k+ | Text Domain Mismatch | ||
| #5007 | Always Edit In HTML | 77 | 7 | 5 | 1k+ | Output is not escaped | ||
| #5008 | Backup/Restore Divi Theme Options | 77 | 8 | 8 | 700 | Input is not validated | ||
| #5009 | Before After Image Comparison – Visual Comparison for Two Images | 77 | 18 | 16 | 3k+ | Text Domain Mismatch | ||
| #5010 | Custom Profile Menu for BuddyPress | 77 | 8 | 4 | 400 | Output is not escaped | ||
| #5011 | Canonical SEO Content Syndication WordPress Plugin | 77 | 4 | 8 | 400 | Missing nonce verification | ||
| #5012 | Honeypot Plus for Contact Form 7 | 77 | 3 | 17 | 700 | Missing nonce verification | ||
| #5013 | Color Your Bar | 77 | 5 | 10 | 400 | Input is not sanitized | ||
| #5014 | CodeKit – Custom Codes Editor | 77 | 11 | 29 | 5k+ | Non-prefixed global variable | ||
| #5015 | Custom Fonts – Host Your Fonts Locally | 77 | 14 | 20 | 400k+ | Request data is not unslashed | ||
| #5016 | Custom HTML Block Extension | 77 | 8 | 13 | 7k+ | Missing direct file access protection | ||
| #5017 | Disable WP Registration Page Spam | 77 | 5 | 12 | 1k+ | Nonce verification recommended | ||
| #5018 | easypay Gateway Checkout for WooCommerce | 77 | 6 | 42 | 600 | Nonce verification recommended | ||
| #5019 | Ecomail | 77 | 7 | 13 | 1k+ | Non-prefixed global variable | ||
| #5020 | eSewa – Nepal First Payment Gateway | 77 | 48 | 9 | 600 | Text Domain Mismatch | ||
| #5021 | WP-FormAssembly | 77 | 4 | 15 | 2k+ | Nonce verification recommended | ||
| #5022 | Embed Files from Google Drive | 77 | 4 | 35 | 5k+ | Nonce verification recommended | ||
| #5023 | Ilmenite Cookie Consent | 77 | 6 | 11 | 2k+ | Setting is missing a sanitization callback | ||
| #5024 | Internet Archive Wayback Machine Link Fixer | 77 | 2 | 22 | 1k+ | Database parameter is not escaped | ||
| #5025 | Photo & Video Gallery – Image, Video & Portfolio | 77 | 4 | 10 | 1k+ | Missing Version | ||
| #5026 | Simple Floating Menu | 77 | 13 | 3 | 10k+ | Missing direct file access protection | ||
| #5027 | Table Of Contents Block | 77 | 15 | 8 | 10k+ | wp function not compatible with requires wp | ||
| #5028 | Template Kit – Import | 77 | 41 | 60 | 400k+ | Non-prefixed global variable | ||
| #5029 | Toggle wpautop | 77 | 4 | 15 | 9k+ | trademarked term | ||
| #5030 | Unattach | 77 | 4 | 11 | 900 | Nonce verification recommended | ||
| #5031 | UsageDD | 77 | 8 | 3 | 1k+ | Output is not escaped | ||
| #5032 | Username | 77 | 5 | 8 | 700 | Deprecated function: screen_icon | ||
| #5033 | Widget Classes | 77 | 5 | 7 | 1k+ | Missing nonce verification | ||
| #5034 | Album Photostream Flickr Gallery | 77 | 30 | 31 | 1k+ | Text Domain Mismatch | ||
| #5035 | Lorem Ipsum Generator | 77 | 7 | 9 | 500 | Missing direct file access protection | ||
| #5036 | WP Night Mode | 77 | 8 | 11 | 700 | Non-prefixed function | ||
| #5037 | WP Upload Size | 77 | 6 | 14 | 2k+ | Non-prefixed function | ||
| #5038 | Pay with PAYUNi | 77 | 9 | 13 | 500 | Input is not sanitized | ||
| #5039 | Instant AI Image Generator – Create & Import Images | 78 | 23 | 1k+ | Non-prefixed constant | |||
| #5040 | Animated Text Block – Add Typing and Looping Text Effects | 78 | 5 | 25 | 4k+ | Non-prefixed class | ||
| #5041 | Bookvault | 78 | 13 | 10 | 700 | Nonce verification recommended | ||
| #5042 | Date Picker For Contact Form 7 | 78 | 3 | 8 | 4k+ | Missing nonce verification | ||
| #5043 | Forget About Shortcode Buttons | 78 | 11 | 25 | 20k+ | Missing direct file access protection | ||
| #5044 | Interact: Embed A Quiz On Your Site | 78 | 6 | 13 | 3k+ | Request data is not unslashed | ||
| #5045 | Layouts for Elementor | 78 | 27 | 1k+ | Non-prefixed global variable | |||
| #5046 | Layouts for WPBakery | 78 | 28 | 3k+ | Non-prefixed global variable | |||
| #5047 | LH HSTS | 78 | 3 | 12 | 600 | Input is not sanitized | ||
| #5048 | Login Widget for Ultimate Member | 78 | 10 | 10 | 600 | Input is not sanitized | ||
| #5049 | Maintenance Notice | 78 | 26 | 71 | 800 | Non-prefixed global variable | ||
| #5050 | More Mails for CF7 | 78 | 13 | 6 | 500 | Text Domain Mismatch |