WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5151 | Head & Footer Code | 82 | 1 | 15 | 100k+ | Non-prefixed constant | ||
| #5152 | Hostinger Tools | 82 | 13 | 22 | 3m+ | wp function not compatible with requires wp | ||
| #5153 | Image Gallery Block | 82 | 13 | 10 | 3k+ | wp function not compatible with requires wp | ||
| #5154 | Infobox | 82 | 15 | 12 | 1k+ | file system operations mkdir | ||
| #5155 | Lazy Load for Videos | 82 | 6 | 37 | 9k+ | Non-prefixed constant | ||
| #5156 | Meks Easy Maps | 82 | 13 | 13 | 900 | Input is not sanitized | ||
| #5157 | Multiple Form Instances Add-on for Gravity Forms | 82 | 5 | 5 | 800 | Missing direct file access protection | ||
| #5158 | mypace Custom Meta Robots | 82 | 4 | 6 | 2k+ | Input is not sanitized | ||
| #5159 | Parallax Slider Block | 82 | 15 | 12 | 1k+ | file system operations mkdir | ||
| #5160 | Preferred Languages | 82 | 3 | 6 | 2k+ | Input is not sanitized | ||
| #5161 | Regenerate Thumbnails | 82 | 10 | 9 | 1m+ | Direct Query | ||
| #5162 | Simple Page Ordering | 82 | 11 | 9 | 100k+ | Missing Arg Domain | ||
| #5163 | Image Slider Block | 82 | 13 | 14 | 3k+ | wp function not compatible with requires wp | ||
| #5164 | Sticky Content – Make Any Section Sticky on Scroll | 82 | 24 | 9 | 400 | Text Domain Mismatch | ||
| #5165 | Sucuri Security – Auditing, Malware Scanner and Security Hardening | 82 | 51 | 11 | 600k+ | Missing direct file access protection | ||
| #5166 | Tabs in Post Editor | 82 | 4 | 7 | 500 | Input is not validated | ||
| #5167 | Testimonial Block | 82 | 13 | 12 | 500 | wp function not compatible with requires wp | ||
| #5168 | Unyson WooComerce Shortcodes | 82 | 117 | 11 | 1k+ | Text Domain Mismatch | ||
| #5169 | Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products | 82 | 6 | 10 | 2k+ | Missing nonce verification | ||
| #5170 | WP Fail2Ban Redux | 82 | 1 | 10 | 7k+ | trademarked term | ||
| #5171 | WP Mail From II | 82 | 3 | 7 | 5k+ | trademarked term | ||
| #5172 | Xpro Theme Builder For Elementor – FREE | 82 | 14 | 28 | 10k+ | Missing direct file access protection | ||
| #5173 | Admin in English | 83 | 4 | 7 | 1k+ | Input is not sanitized | ||
| #5174 | Check Conflicts | 83 | 36 | 12 | 1k+ | Missing Arg Domain | ||
| #5175 | Event Organiser Posterboard | 83 | 3 | 11 | 1k+ | Nonce verification recommended | ||
| #5176 | AI Builder | 83 | 3 | 5 | 400 | Output is not escaped | ||
| #5177 | GET Params | 83 | 3 | 8 | 1k+ | Nonce verification recommended | ||
| #5178 | HREFLANG Tags Management By Webnow | 83 | 2 | 34 | 600 | Non-prefixed global variable | ||
| #5179 | JSM Force HTTP to HTTPS / SSL – No Setup, Fast and Reliable | 83 | 11 | 7k+ | Request data is not unslashed | |||
| #5180 | All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login | 83 | 182 | 22 | 600 | wp function not compatible with requires wp | ||
| #5181 | Media Player Addons for Elementor – Audio and Video Widgets for Elementor | 83 | 1 | 8 | 1k+ | Nonce verification recommended | ||
| #5182 | Menu Duplicator | 83 | 2 | 9 | 10k+ | Non-prefixed constant | ||
| #5183 | Photo Sphere Viewer – 360° Panorama, Virtual Tour, 360 Video & AR 3D Model Viewer | 83 | 13 | 10 | 500 | wp function not compatible with requires wp | ||
| #5184 | Preserve Editor Scroll Position | 83 | 2 | 6 | 4k+ | Missing nonce verification | ||
| #5185 | Relevanssi Light | 83 | 3 | 23 | 600 | Direct Query | ||
| #5186 | RumbleTalk Live Group Chat – HTML5 | 83 | 9 | 13 | 700 | Missing direct file access protection | ||
| #5187 | Lightweight Sidebar Manager | 83 | 13 | 36 | 80k+ | Non-prefixed class | ||
| #5188 | Soro – SEO Autopilot & AI Content Writer | 83 | 4 | 10 | 10k+ | Input is not sanitized | ||
| #5189 | Swipe Slider – Make dynamic slider with solid, gradient, or image background | 83 | 2 | 15 | 3k+ | Non-prefixed global variable | ||
| #5190 | TCD Classic Editor | 83 | 1 | 11 | 5k+ | Nonce verification recommended | ||
| #5191 | Team Section Block – Showcase Team Members with Layout Options | 83 | 1 | 21 | 1k+ | Non-prefixed namespace | ||
| #5192 | Template Kit – Export | 83 | 7 | 90 | 8k+ | Non-prefixed global variable | ||
| #5193 | Term Duplicator | 83 | 5 | 6 | 500 | Input is not sanitized | ||
| #5194 | Unlist Posts & Pages | 83 | 5 | 9 | 10k+ | Nonce verification recommended | ||
| #5195 | SKU Label Changer For WooCommerce | 83 | 8 | 11 | 700 | Missing direct file access protection | ||
| #5196 | WP BASIC Auth | 83 | 4 | 13 | 4k+ | Input is not sanitized | ||
| #5197 | Campo RUT para CF7 | 84 | 6 | 7 | 600 | Missing nonce verification | ||
| #5198 | Add Descendants As Submenu Items | 84 | 3 | 8 | 2k+ | Missing nonce verification | ||
| #5199 | AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations | 84 | 88 | 20 | 3k+ | Text Domain Mismatch | ||
| #5200 | Cache Buster | 84 | 5 | 6 | 400 | Input is not sanitized |