WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

Weight: critical

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.
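The three steps above, applied to a settings handler. This is an added example, not code from the page or from any of the plugins listed below; it assumes a WordPress runtime, and the option names, field names, hook name and nonce action are invented for illustration. The first function is the shape the sniff flags; the second unslashes, sanitizes each value for the type it should hold, and allowlists the constrained one.

```php
<?php
/**
 * Added example (not from the page or any listed plugin).
 * Option names, field names, the admin_post hook suffix and the nonce
 * action below are assumptions chosen for illustration.
 */

// FLAGGED: superglobal values stored as-is. No wp_unslash(), no sanitizer,
// and the sort field is whatever the client chose to send.
function myplugin_save_settings_unsafe() {
    update_option( 'myplugin_page_id', $_POST['page_id'] );
    update_option( 'myplugin_sort_by', $_POST['sort_by'] );
    update_option( 'myplugin_redirect', $_POST['redirect'] );
}

// FIXED: capability and nonce check, then each value is unslashed and
// cleaned with the sanitizer that matches what the setting must hold.
function myplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'myplugin_save_settings' );

    // Integer ID: absint() yields a non-negative integer; 0 means "unset".
    $page_id = isset( $_POST['page_id'] )
        ? absint( wp_unslash( $_POST['page_id'] ) )
        : 0;

    // Constrained value: normalise with sanitize_key(), then compare against
    // a fixed allowlist with strict types. Fall back to a safe default
    // instead of storing the raw value.
    $allowed_sort = array( 'date', 'title', 'menu_order' );
    $sort_by      = isset( $_POST['sort_by'] )
        ? sanitize_key( wp_unslash( $_POST['sort_by'] ) )
        : 'date';
    if ( ! in_array( $sort_by, $allowed_sort, true ) ) {
        $sort_by = 'date';
    }

    // URL destined for storage: esc_url_raw() (escaping for output is a
    // separate step done with esc_url() at render time).
    $redirect = isset( $_POST['redirect'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect'] ) )
        : '';

    // Free-text label: strips tags, invalid UTF-8 and stray whitespace.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';

    update_option( 'myplugin_page_id', $page_id );
    update_option( 'myplugin_sort_by', $sort_by );
    update_option( 'myplugin_redirect', $redirect );
    update_option( 'myplugin_label', $label );
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```

Calling `wp_unslash()` before the sanitizer matters because WordPress adds slashes to superglobals; sanitizing first would leave the slashes in the stored value. The allowlist check is the only reliable fix for values that select behaviour (sort fields, actions, option names), since no string sanitizer can know which values are legitimate.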

Affected Plugins

Rank | Plugin | Score/Errors/Warnings/Installs/Added/Updated | Top Issue
#5351 | Media from ZIP | 94516600 | Non-prefixed global variable
#5352 | Moving Media Library | 943272k+ | Direct Query
#5353 | WPBean Form Popup for WPForms and Contact Form 7 – Create Popup Forms Easily | 9422600 | Direct Query
#5354 | Pricing Table – Block – Show Product or Service Pricing in Table Format | 9572k+ | Non-prefixed global variable
#5355 | Bulk remove posts from category | 952510k+ | date date
#5356 | PayHere Payment Gateway | 95682k+ | Non-prefixed class
#5357 | Term Taxonomy Converter | 95573500 | Text Domain Mismatch
#5358 | Upload Converter for WebP | 9513400 | Input is not sanitized
#5359 | WPVulnerability | 96410k+ | trademarked term
#5360 | All-in-One Sticky Anything – Click to Call, Fixed Widget, Sticky Header, Menu & Sidebar | 9731k+ | Discouraged text-domain loading
#5361 | Spectre Icons | 971400 | Input is not sanitized
#5362 | Warder Cookie Consent | 9720 | Input is not sanitized

(The numeric columns Score, Errors, Warnings, Installs, Added and Updated are run together in the extracted listing and cannot be separated reliably; they are kept as extracted.)