WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
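The three steps applied to a settings handler, shown as an added example rather than code from the original page; the function, option and request field names (`myplugin_*`, `title`, `post_id`, `orderby`, `redirect`) and the allowlist values are constructed for illustration:

```php
<?php
// Constructed example: the pattern this sniff flags, and its fixed counterpart.
// Option names, request fields and allowlist values are illustrative only.

// Flagged pattern: raw superglobals flow straight into options and logic.
function myplugin_save_settings_unsanitized() {
    update_option( 'myplugin_title', $_POST['title'] ); // no unslash, no sanitizer
    $post_id = $_GET['post_id'];                          // type never enforced
    $orderby = $_GET['orderby'];                          // any column name accepted
    return array( 'post_id' => $post_id, 'orderby' => $orderby );
}

// Fixed: unslash first, pick the sanitizer for the expected type, and decide
// constrained values with an allowlist instead of a sanitizer alone.
function myplugin_save_settings() {
    // Free text: strip the slashes WordPress adds, then sanitize as a text field.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';

    // Numeric ID: absint() yields a non-negative integer, whatever was sent.
    $post_id = isset( $_GET['post_id'] )
        ? absint( wp_unslash( $_GET['post_id'] ) )
        : 0;

    // Constrained value: sanitize_key() normalises, the allowlist decides.
    $allowed_orderby = array( 'date', 'title', 'id' );
    $orderby = isset( $_GET['orderby'] )
        ? sanitize_key( wp_unslash( $_GET['orderby'] ) )
        : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date'; // unknown sort field falls back to the default
    }

    // URL kept in storage: esc_url_raw() is the storage variant (esc_url() is for output).
    $redirect = isset( $_POST['redirect'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect'] ) )
        : '';

    update_option( 'myplugin_title', $title );
    update_option( 'myplugin_redirect', $redirect );

    return array( 'post_id' => $post_id, 'orderby' => $orderby );
}
```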
Affected Plugins
| Rank | Plugin | Score | Errors / Warnings | Installs | Top Issue |
|---|---|---|---|---|---|
| #5351 | Media from ZIP | 94 | 5 / 16 | 600 | Non-prefixed global variable |
| #5352 | Moving Media Library | 94 | 3 / 27 | 2k+ | Direct Query |
| #5353 | WPBean Form Popup for WPForms and Contact Form 7 – Create Popup Forms Easily | 94 | 22 | 600 | Direct Query |
| #5354 | Pricing Table – Block – Show Product or Service Pricing in Table Format | 95 | 7 | 2k+ | Non-prefixed global variable |
| #5355 | Bulk remove posts from category | 95 | 2 / 5 | 10k+ | date date |
| #5356 | PayHere Payment Gateway | 95 | 6 / 8 | 2k+ | Non-prefixed class |
| #5357 | Term Taxonomy Converter | 95 | 57 / 3 | 500 | Text Domain Mismatch |
| #5358 | Upload Converter for WebP | 95 | 1 / 3 | 400 | Input is not sanitized |
| #5359 | WPVulnerability | 96 | 4 | 10k+ | trademarked term |
| #5360 | All-in-One Sticky Anything – Click to Call, Fixed Widget, Sticky Header, Menu & Sidebar | 97 | 3 | 1k+ | Discouraged text-domain loading |
| #5361 | Spectre Icons | 97 | 1 | 400 | Input is not sanitized |
| #5362 | Warder Cookie Consent | 97 | 2 | 0 | Input is not sanitized |