WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #51 | Filter Everything — WordPress & WooCommerce Filters | 20 | 568 | 730 | 50k+ | Output is not escaped | ||
| #52 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,428 | 3,559 | 100k+ | Output is not escaped | ||
| #53 | GoUrl Bitcoin Payment Gateway & Paid Downloads & Membership | 20 | 1,832 | 720 | 800 | Non Singular String Literal Domain | ||
| #54 | Leaky Paywall | 20 | 320 | 782 | 700 | Nonce verification recommended | ||
| #55 | Link Library | 20 | 1,941 | 1,397 | 10k+ | Unsafe printing function | ||
| #56 | MBE eShip | 20 | 527 | 740 | 1k+ | Non-prefixed global variable | ||
| #57 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | Request data is not unslashed | ||
| #58 | MAS Videos | 20 | 519 | 1,693 | 1k+ | Non-prefixed global variable | ||
| #59 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 20 | 1,297 | 2,680 | 9k+ | Output is not escaped | ||
| #60 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | Non-prefixed global variable | ||
| #61 | Nimble Page Builder | 20 | 1,591 | 1,684 | 30k+ | Missing Arg Domain | ||
| #62 | Shipping for Nova Poshta | 20 | 598 | 923 | 500 | Output is not escaped | ||
| #63 | پلاگین پرداخت دلخواه | 20 | 584 | 446 | 900 | Text Domain Mismatch | ||
| #64 | PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) | 20 | 440 | 750 | 400 | Missing direct file access protection | ||
| #65 | Pix por Piggly (para Woocommerce) | 20 | 547 | 195 | 4k+ | Exception output is not escaped | ||
| #66 | Powered Cache – Caching and Optimization for WordPress – Easily Improve PageSpeed & Web Vitals Score | 20 | 147 | 231 | 3k+ | Exception output is not escaped | ||
| #67 | Quill Forms | Conversational Multi Step Forms, Surveys & quizzes | 20 | 401 | 368 | 3k+ | Text Domain Mismatch | ||
| #68 | Razorpay Payment Button Elementor Plugin | 20 | 479 | 62 | 1k+ | Exception output is not escaped | ||
| #69 | Remove Add to Cart WooCommerce | 20 | 616 | 1,378 | 4k+ | Non-prefixed global variable | ||
| #70 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | Output is not escaped | ||
| #71 | SpeakOut! Email Petitions | 20 | 850 | 994 | 3k+ | Missing nonce verification | ||
| #72 | Events Manager – OpenStreetMaps | 20 | 559 | 444 | 700 | Output is not escaped | ||
| #73 | Trace My IP – Visitor IP Tracker, Stats Analytics & Page Views Counter with Email Alerts | 20 | 866 | 338 | 1k+ | wp function not compatible with requires wp | ||
| #74 | Web Directory Free | 20 | 808 | 174 | 400 | Missing direct file access protection | ||
| #75 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | Non-prefixed function | ||
| #76 | WP Minify Fix | 20 | 306 | 380 | 800 | Output is not escaped | ||
| #77 | Premium Packages – Sell Digital Products Securely | 20 | 2,027 | 2,234 | 3k+ | Non-prefixed global variable | ||
| #78 | WPJAM Basic | 20 | 328 | 356 | 4k+ | Output is not escaped | ||
| #79 | School Management System – WPSchoolPress | 20 | 353 | 5,275 | 1k+ | Non-prefixed global variable | ||
| #80 | Store Locator WordPress | 21 | 2,372 | 1,572 | 10k+ | Text Domain Mismatch | ||
| #81 | Backup Migration | 21 | 981 | 1,093 | 80k+ | Non-prefixed global variable | ||
| #82 | Forumax – AI Powered Advanced Community Forum Plugin | 21 | 4,936 | 4,357 | 600 | Text Domain Mismatch | ||
| #83 | bbPress | 21 | 929 | 3,672 | 100k+ | Non-prefixed function | ||
| #84 | Pinpoint Booking System – Version 2 | 21 | 634 | 328 | 3k+ | Missing direct file access protection | ||
| #85 | Booking Ultra Pro Appointments Booking Calendar Plugin | 21 | 761 | 2,083 | 400 | Request data is not unslashed | ||
| #86 | rtMedia for WordPress, BuddyPress and bbPress | 21 | 363 | 633 | 8k+ | Non-prefixed constant | ||
| #87 | BWD Elementor Addons | 21 | 670 | 1,168 | 400 | Non-prefixed global variable | ||
| #88 | CallTrackingMetrics | 21 | 923 | 286 | 3k+ | Unsafe printing function | ||
| #89 | Captcha Them All | 21 | 300 | 323 | 6k+ | Output is not escaped | ||
| #90 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 462 | 654 | 200k+ | Text Domain Mismatch | ||
| #91 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | Output is not escaped | ||
| #92 | SMS Extension for Contact Form 7 | 21 | 720 | 1,387 | 400 | Non-prefixed global variable | ||
| #93 | Comet Cache | 21 | 857 | 245 | 20k+ | Output is not escaped | ||
| #94 | Cost Calculator Builder | 21 | 322 | 766 | 30k+ | Non-prefixed global variable | ||
| #95 | Daily Prayer Time | 21 | 947 | 1,780 | 1k+ | Non-prefixed global variable | ||
| #96 | DELUCKS SEO | 21 | 362 | 1,171 | 400 | Missing nonce verification | ||
| #97 | Free Downloads WooCommerce | 21 | 430 | 359 | 4k+ | Output is not escaped | ||
| #98 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | Output is not escaped | ||
| #99 | Ebook Store | 21 | 666 | 1,087 | 700 | Non-prefixed global variable | ||
| #100 | Envo Extra | 21 | 878 | 600 | 20k+ | Text Domain Mismatch |