WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1001Timeline Express255311479k+Text Domain Mismatch
#1002Toocheke Companion254291,2271k+Non-prefixed global variable
#1003Travelly – Tour & Travel Booking Manager for WooCommerce | Tour & Hotel Booking Plugin251737261k+Non-prefixed global variable
#1004Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin251192,7042k+Non-prefixed global variable
#1005TrackShip for WooCommerce254059546k+Non-prefixed global variable
#1006TrueBooker – Appointment Booking and Scheduler System255292,748600Non-prefixed global variable
#1007Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor256911,58150k+Non-prefixed global variable
#1008Ultimate Bootstrap Elements for Elementor256,3261226k+Text Domain Mismatch
#1009Social Media Share Buttons & Social Sharing Icons252,4331,383100k+Unsafe printing function
#1010Social Share Icons & Social Share Buttons252,3651,35710k+Output is not escaped
#1011Vayu Blocks – Website Builder for the Gutenberg Block Editor251742331k+Text Domain Mismatch
#1012VikAppointments Services Booking Calendar259,7535,207500Output is not escaped
#1013VikBooking Hotel Booking Engine & PMS2513,2518,3168k+Output is not escaped
#1014VikRentCar Car Rental Management System255,5375,0484k+Non-prefixed global variable
#1015VikRestaurants Table Reservations and Take-Away2511,6444,932600Output is not escaped
#10163D viewer by Visody258321,3221k+Non-prefixed global variable
#1017Product Customer List for WooCommerce256101,3349k+Non-prefixed global variable
#1018weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot252795184k+Non-prefixed global variable
#1019weForms – Easy Drag & Drop Contact Form Builder For WordPress2591645010k+Output is not escaped
#1020Advanced Shipment Tracking for WooCommerce2549970460k+Non-prefixed global variable
#1021Secure Gateway for Authorize.net and WooCommerce by Pledged Plugins259071,41810k+Non-prefixed global variable
#1022Bulk Edit Products for WooCommerce – WP Sheet Editor2595796810k+Text Domain Mismatch
#1023Digital Goods (Checkout Field Editor) for WooCommerce Checkout255391,4793k+Non-prefixed global variable
#1024Bulk Edit Coupons for WooCommerce – WP Sheet Editor251,022982500Text Domain Mismatch
#1025WFatture for WooCommerce Fattureincloud25229774800Non-prefixed global variable
#1026XT Floating Cart for WooCommerce251,2321,9854k+Non-prefixed global variable
#1027PDF Builder for WooCommerce. Create invoices,packing slips and more253725032k+Non-prefixed global variable
#1028Payment Plugins for Stripe WooCommerce25349779100k+Non-prefixed global variable
#1029Pay with Vipps and MobilePay for WooCommerce258465145k+Output is not escaped
#1030Wordfence Login Security2524841860k+Output is not escaped
#1031WordPress Importer252381102m+Output is not escaped
#1032WP 2FA – Two-factor authentication for WordPress25283716100k+Non-prefixed global variable
#1033WP Airbnb Review Slider253256461k+Non-prefixed global variable
#1034Super Page Cache – Cloudflare Cache, Page Speed & Core Web Vitals2514335760k+Input is not sanitized
#1035Comments Extra Fields For Post,Pages and CPT25577418500Text Domain Mismatch
#1036WP Coupons and Deals – WordPress Coupon Plugin259141,4601k+Non-prefixed global variable
#1037WP-DownloadManager256075083k+Unsafe printing function
#1038WP Review Slider251,1862,2796k+Non-prefixed global variable
#1039WP Go Maps – Google Map, OpenStreetMap, Leaflet Map254,9961,008300k+Unsafe printing function
#1040WP Google Review Slider251,3662,58430k+Non-prefixed global variable
#1041WP Encryption – No.1 HTTPS plugin & One Click Free SSL Cert, HTTPS Redirect, SSL Security258751,76450k+Non-prefixed global variable
#1042Nested Pages2567456090k+Non-prefixed global variable
#1043WP Photo Album Plus2541,80910k+Direct Query
#1044WP-Polls2561863940k+Unsafe printing function
#1045WP Popups – WordPress Popup builder2544034230k+Output is not escaped
#1046Perfect Images: Regenerate Thumbnails, Image Sizes, WebP & AVIF2515811860k+Non-prefixed global variable
#1047Bulk Edit Posts and Products in Spreadsheet259349448k+Text Domain Mismatch
#1048SlimStat Analytics251,17787070k+Exception output is not escaped
#1049Smush – Image Optimization, Compression, Lazy Load, WebP & CDN252445681m+Non-prefixed hook name
#1050Wp Social Login and Register Social Counter258073890k+Non-prefixed global variable