WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5101Flipbox8014172k+wp function not compatible with requires wp
#5102Fluent PDF Generator80102620k+Text Domain Mismatch
#5103Hizzle CAPTCHA – Protect your forms from spam80427500Non-prefixed global variable
#5104Image Captcha For Gravity Forms802010400Text Domain Mismatch
#5105Leadinfo801187k+Missing direct file access protection
#5106Plugin Toggle80212500Nonce verification recommended
#5107Pro Mime Types – Manage file media types8055982k+Non-prefixed global variable
#5108Quick Edit Yoast SEO80512900Request data is not unslashed
#5109RealHomes Currency Switcher8071421k+Non Singular String Literal Domain
#5110WP Video Popup – WordPress Video Lightbox for YouTube, Rumble & Vimeo805149k+wp function not compatible with requires wp
#5111Smart Passworded Pages801182k+wp function not compatible with requires wp
#5112Melapress File Monitor8016906k+Non-prefixed global variable
#5113Mini Cart Drawer For WooCommerce80425400Non-prefixed hook name
#5114GoCardless for WooCommerce80601k+Non-prefixed class
#5115WP Delete User Accounts80107800Missing direct file access protection
#5116atec Cache APCu8141213k+wp function not compatible with requires wp
#5117Authorsy – Author Box, Multiple Authors, Guest Authors & Post Rating811201k+Request data is not unslashed
#5118Auto iFrame812113k+Input is not sanitized
#5119Auto Post Expiration81124800Text Domain Mismatch
#5120Block Visibility — Conditional Visibility Control for the Block Editor8171140k+Input is not sanitized
#5121Change Permalink Helper8155900Direct Query
#5122Countdown Block8114104k+wp function not compatible with requires wp
#5123Joinchat – Enhanced "click to chat"811732700k+wp function not compatible with requires wp
#5124Disable Gutenberg Blocks – Block Manager816104k+trademarked term
#5125ERE Recently Viewed – Essential Real Estate Add-On81631k+Output is not escaped
#5126FAQ Schema For Pages And Posts815657k+Text Domain Mismatch
#5127MM Title Manager — Hide Page and Post Title81449k+Unsafe printing function
#5128Info Cards – Add Text and Media in Card Layouts817252k+Non-prefixed namespace
#5129Nice Search8145900Input is not sanitized
#5130Open in New Window Plugin81682k+Offloaded Content
#5131Physical Custom Upload Folder for Real Media Library8149900Nonce verification recommended
#5132Portfolio Block – The Ultimate Project & Portfolio Builder8165800Offloaded Content
#5133Post Type Archive Descriptions811141k+Missing direct file access protection
#5134Price Table Block811516900file system operations mkdir
#5135Progress Bars811514500file system operations mkdir
#5136Orphans8114350k+Dynamic hook name
#5137Simple Page Redirect813710k+Request data is not unslashed
#5138Stream8158080k+Direct Query
#5139Team Member Block8115141k+file system operations mkdir
#5140Toggle Content811612700file system operations mkdir
#5141Typing Text811516600file system operations mkdir
#5142Appointment Bookings for Zoom GoogleMeet and more – Wappointment8122521k+Non-prefixed class
#5143Free Shipping Bar for WooCommerce815212k+Non-prefixed global variable
#5144ShipStation for WooCommerce813440k+Non-prefixed class
#5145WP Subtitle8173310k+Non-prefixed hook name
#5146Admin Collapse Subpages824124k+Nonce verification recommended
#5147Advance Canonical URL823101k+Input is not validated
#5148Intranet & Private Site – All-In-One Intranet821114k+Input is not sanitized
#5149Bulk Menu Edit8249700Direct Query
#5150Catch Gallery8213510k+Non-prefixed hook name