WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5101 | Flipbox | 80 | 14 | 17 | 2k+ | wp function not compatible with requires wp | ||
| #5102 | Fluent PDF Generator | 80 | 102 | 6 | 20k+ | Text Domain Mismatch | ||
| #5103 | Hizzle CAPTCHA – Protect your forms from spam | 80 | 4 | 27 | 500 | Non-prefixed global variable | ||
| #5104 | Image Captcha For Gravity Forms | 80 | 20 | 10 | 400 | Text Domain Mismatch | ||
| #5105 | Leadinfo | 80 | 11 | 8 | 7k+ | Missing direct file access protection | ||
| #5106 | Plugin Toggle | 80 | 2 | 12 | 500 | Nonce verification recommended | ||
| #5107 | Pro Mime Types – Manage file media types | 80 | 55 | 98 | 2k+ | Non-prefixed global variable | ||
| #5108 | Quick Edit Yoast SEO | 80 | 5 | 12 | 900 | Request data is not unslashed | ||
| #5109 | RealHomes Currency Switcher | 80 | 71 | 42 | 1k+ | Non Singular String Literal Domain | ||
| #5110 | WP Video Popup – WordPress Video Lightbox for YouTube, Rumble & Vimeo | 80 | 5 | 14 | 9k+ | wp function not compatible with requires wp | ||
| #5111 | Smart Passworded Pages | 80 | 11 | 8 | 2k+ | wp function not compatible with requires wp | ||
| #5112 | Melapress File Monitor | 80 | 16 | 90 | 6k+ | Non-prefixed global variable | ||
| #5113 | Mini Cart Drawer For WooCommerce | 80 | 4 | 25 | 400 | Non-prefixed hook name | ||
| #5114 | GoCardless for WooCommerce | 80 | 60 | 1k+ | Non-prefixed class | |||
| #5115 | WP Delete User Accounts | 80 | 10 | 7 | 800 | Missing direct file access protection | ||
| #5116 | atec Cache APCu | 81 | 41 | 21 | 3k+ | wp function not compatible with requires wp | ||
| #5117 | Authorsy – Author Box, Multiple Authors, Guest Authors & Post Rating | 81 | 1 | 20 | 1k+ | Request data is not unslashed | ||
| #5118 | Auto iFrame | 81 | 2 | 11 | 3k+ | Input is not sanitized | ||
| #5119 | Auto Post Expiration | 81 | 12 | 4 | 800 | Text Domain Mismatch | ||
| #5120 | Block Visibility — Conditional Visibility Control for the Block Editor | 81 | 7 | 11 | 40k+ | Input is not sanitized | ||
| #5121 | Change Permalink Helper | 81 | 5 | 5 | 900 | Direct Query | ||
| #5122 | Countdown Block | 81 | 14 | 10 | 4k+ | wp function not compatible with requires wp | ||
| #5123 | Joinchat – Enhanced "click to chat" | 81 | 17 | 32 | 700k+ | wp function not compatible with requires wp | ||
| #5124 | Disable Gutenberg Blocks – Block Manager | 81 | 6 | 10 | 4k+ | trademarked term | ||
| #5125 | ERE Recently Viewed – Essential Real Estate Add-On | 81 | 6 | 3 | 1k+ | Output is not escaped | ||
| #5126 | FAQ Schema For Pages And Posts | 81 | 56 | 5 | 7k+ | Text Domain Mismatch | ||
| #5127 | MM Title Manager — Hide Page and Post Title | 81 | 4 | 4 | 9k+ | Unsafe printing function | ||
| #5128 | Info Cards – Add Text and Media in Card Layouts | 81 | 7 | 25 | 2k+ | Non-prefixed namespace | ||
| #5129 | Nice Search | 81 | 4 | 5 | 900 | Input is not sanitized | ||
| #5130 | Open in New Window Plugin | 81 | 6 | 8 | 2k+ | Offloaded Content | ||
| #5131 | Physical Custom Upload Folder for Real Media Library | 81 | 4 | 9 | 900 | Nonce verification recommended | ||
| #5132 | Portfolio Block – The Ultimate Project & Portfolio Builder | 81 | 6 | 5 | 800 | Offloaded Content | ||
| #5133 | Post Type Archive Descriptions | 81 | 11 | 4 | 1k+ | Missing direct file access protection | ||
| #5134 | Price Table Block | 81 | 15 | 16 | 900 | file system operations mkdir | ||
| #5135 | Progress Bars | 81 | 15 | 14 | 500 | file system operations mkdir | ||
| #5136 | Orphans | 81 | 1 | 43 | 50k+ | Dynamic hook name | ||
| #5137 | Simple Page Redirect | 81 | 3 | 7 | 10k+ | Request data is not unslashed | ||
| #5138 | Stream | 81 | 5 | 80 | 80k+ | Direct Query | ||
| #5139 | Team Member Block | 81 | 15 | 14 | 1k+ | file system operations mkdir | ||
| #5140 | Toggle Content | 81 | 16 | 12 | 700 | file system operations mkdir | ||
| #5141 | Typing Text | 81 | 15 | 16 | 600 | file system operations mkdir | ||
| #5142 | Appointment Bookings for Zoom GoogleMeet and more – Wappointment | 81 | 22 | 52 | 1k+ | Non-prefixed class | ||
| #5143 | Free Shipping Bar for WooCommerce | 81 | 5 | 21 | 2k+ | Non-prefixed global variable | ||
| #5144 | ShipStation for WooCommerce | 81 | 34 | 40k+ | Non-prefixed class | |||
| #5145 | WP Subtitle | 81 | 7 | 33 | 10k+ | Non-prefixed hook name | ||
| #5146 | Admin Collapse Subpages | 82 | 4 | 12 | 4k+ | Nonce verification recommended | ||
| #5147 | Advance Canonical URL | 82 | 3 | 10 | 1k+ | Input is not validated | ||
| #5148 | Intranet & Private Site – All-In-One Intranet | 82 | 1 | 11 | 4k+ | Input is not sanitized | ||
| #5149 | Bulk Menu Edit | 82 | 4 | 9 | 700 | Direct Query | ||
| #5150 | Catch Gallery | 82 | 1 | 35 | 10k+ | Non-prefixed hook name |