WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5301 | Cloudflare SSL by Weslink | 90 | 3 | 7 | 2k+ | trademarked term | ||
| #5302 | Flipdish Ordering System | 90 | 5 | 11 | 400 | Non-prefixed function | ||
| #5303 | Nav Menu Item Duplicator | 90 | 16 | 4 | 500 | wp function not compatible with requires wp | ||
| #5304 | Page and Post Restriction | 90 | 14 | 3 | 2k+ | wp function not compatible with requires wp | ||
| #5305 | Pantheon HUD | 90 | 4 | 6 | 900 | Input is not sanitized | ||
| #5306 | PromPress | 90 | 8 | 4 | 700 | Missing direct file access protection | ||
| #5307 | Relevanssi Live Ajax Search | 90 | 4 | 22 | 6k+ | Non-prefixed global variable | ||
| #5308 | UltraAddons for Elementor | 90 | 65 | 2 | 600 | wp function not compatible with requires wp | ||
| #5309 | Viva.com | Smart Checkout for WooCommerce | 90 | 1 | 30 | 6k+ | Direct Query | ||
| #5310 | WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce | 90 | 20 | 20k+ | Non-prefixed function | |||
| #5311 | Zen Addons for SiteOrigin Page Builder | 90 | 1,369 | 127 | 1k+ | Text Domain Mismatch | ||
| #5312 | Astra Bulk Edit | 91 | 4 | 3 | 30k+ | Missing direct file access protection | ||
| #5313 | Blockenberg — 600+ Advanced Gutenberg Blocks for WordPress Block Editor | 91 | 4 | 6 | 600 | block api version too low | ||
| #5314 | Bold Page Builder | 91 | 12 | 38 | 40k+ | Not In Footer | ||
| #5315 | Cliengo – Chatbot | 91 | 4 | 7 | 2k+ | Input is not sanitized | ||
| #5316 | CryptoCloud – Crypto Payment Gateway | 91 | 13 | 6 | 400 | Text Domain Mismatch | ||
| #5317 | Icegram Engage – Popups, Optins, CTAs & Lead Generation | 91 | 14 | 10 | 10k+ | wp function not compatible with requires wp | ||
| #5318 | Icon List Block – Add Icon-Based Lists with Custom Styles | 91 | 3 | 7 | 4k+ | Not In Footer | ||
| #5319 | If Modified Since | 91 | 2 | 4 | 1k+ | Request data is not unslashed | ||
| #5320 | Ollie Menu Designer | 91 | 45 | 4k+ | Non-prefixed global variable | |||
| #5321 | PDF Embedder | 91 | 1 | 7 | 300k+ | Non-prefixed class | ||
| #5322 | Prevent Browser Caching | 91 | 9 | 10k+ | Input is not sanitized | |||
| #5323 | Query Loop Load More | 91 | 2 | 6 | 600 | Post Not In exclude | ||
| #5324 | Repeater Fields for Elementor Forms | 91 | 115 | 8 | 700 | wp function not compatible with requires wp | ||
| #5325 | Unveil Lazy Load | 91 | 2 | 6 | 2k+ | error log error log | ||
| #5326 | DearFlip – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer | 92 | 10 | 11 | 200k+ | Missing direct file access protection | ||
| #5327 | Coming Soon Maintenance Mode | 92 | 65 | 6k+ | Non-prefixed global variable | |||
| #5328 | Daisy Titles — Style & Hide Page and Post Titles | 92 | 1 | 5 | 3k+ | Discouraged text-domain loading | ||
| #5329 | GM Block Bots | 92 | 1 | 3 | 900 | Input is not sanitized | ||
| #5330 | Google Photos embed | 92 | 2 | 5 | 700 | trademarked term | ||
| #5331 | Import Export Menu | 92 | 7 | 2k+ | Input is not sanitized | |||
| #5332 | Phone Validator with Flags for WooCommerce | 92 | 3 | 2 | 800 | badly named files | ||
| #5333 | Verify domain for Apple Pay with Stripe | 92 | 3 | 2 | 600 | Input is not sanitized | ||
| #5334 | Address Book for WooCommerce | 92 | 12 | 6 | 4k+ | Text Domain Mismatch | ||
| #5335 | WooCommerce Accommodation Bookings | 92 | 1 | 91 | 1k+ | Non-prefixed global variable | ||
| #5336 | CF7 Mate – AI Form Builder, Styler & Multi-Step Forms for Contact Form 7 | 93 | 3 | 9 | 20k+ | Non-prefixed class | ||
| #5337 | Generate PDF using Contact Form 7 | 93 | 3 | 4k+ | Input is not sanitized | |||
| #5338 | Local Google Fonts | 93 | 3 | 15 | 100k+ | Non-prefixed global variable | ||
| #5339 | Modal Popup Box — Popup Maker & Popup Builder | 93 | 1 | 4 | 2k+ | Input is not sanitized | ||
| #5340 | ACF Photo Gallery Field | 93 | 2 | 3 | 60k+ | Input is not sanitized | ||
| #5341 | Weaver Show Posts | 93 | 2 | 5k+ | Input is not sanitized | |||
| #5342 | WPCopyRights网站防复制插件 | 93 | 1 | 33 | 500 | Non-prefixed global variable | ||
| #5343 | Easy Post Submission – Frontend Posting, Guest Publishing & Submit Content for WordPress | 94 | 1 | 18 | 3k+ | Non-prefixed hook name | ||
| #5344 | LovedByAI – Generative Engine Optimization, AI Search, GEO, AEO | 94 | 16 | 600 | Direct Query | |||
| #5345 | Media from ZIP | 94 | 5 | 16 | 600 | Non-prefixed global variable | ||
| #5346 | Moving Media Library | 94 | 3 | 27 | 2k+ | Direct Query | ||
| #5347 | WPBean Form Popup for WPForms and Contact Form 7 – Create Popup Forms Easily | 94 | 22 | 600 | Direct Query | |||
| #5348 | Bulk remove posts from category | 95 | 2 | 5 | 10k+ | date date | ||
| #5349 | PayHere Payment Gateway | 95 | 6 | 8 | 2k+ | Non-prefixed class | ||
| #5350 | Term Taxonomy Converter | 95 | 57 | 3 | 500 | Text Domain Mismatch |