WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1101 | Media File Renamer: Rename for better SEO (AI-Powered) | 26 | 154 | 170 | 40k+ | Direct Query | ||
| #1102 | Hotel Booking | 26 | 690 | 940 | 4k+ | Unsafe printing function | ||
| #1103 | Omise Payments | 26 | 358 | 256 | 2k+ | Output is not escaped | ||
| #1104 | Online Contact Widget-多合一在线客服插件 | 26 | 708 | 80 | 800 | Non Singular String Literal Domain | ||
| #1105 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 26 | 272 | 599 | 6k+ | Request data is not unslashed | ||
| #1106 | Open User Map – Interactive Leaflet Maps | 26 | 895 | 988 | 10k+ | Non-prefixed global variable | ||
| #1107 | Organic Builder Widgets – Simple WordPress Page Builder | 26 | 1,034 | 125 | 3k+ | Output is not escaped | ||
| #1108 | Paytium: Mollie payment forms & donations | 26 | 506 | 551 | 3k+ | Unsafe printing function | ||
| #1109 | PDF for WPForms + Drag and Drop Template Builder | 26 | 674 | 113 | 1k+ | wp function not compatible with requires wp | ||
| #1110 | LoginWP (Formerly Peter's Login Redirect) | 26 | 401 | 278 | 90k+ | Output is not escaped | ||
| #1111 | Crowdsignal Dashboard – Polls, Surveys & more | 26 | 481 | 491 | 200k+ | Unsafe printing function | ||
| #1112 | Polylang | 26 | 36 | 564 | 800k+ | Non-prefixed hook name | ||
| #1113 | Portfolio by BestWebSoft – Work and Projects Presentation Plugin for WordPress | 26 | 525 | 240 | 600 | Text Domain Mismatch | ||
| #1114 | Premmerce User Roles | 26 | 597 | 1,357 | 600 | Non-prefixed global variable | ||
| #1115 | Pressidium Cookie Consent | 26 | 203 | 95 | 10k+ | Exception output is not escaped | ||
| #1116 | Profile Extra Fields by BestWebSoft | 26 | 514 | 532 | 2k+ | Text Domain Mismatch | ||
| #1117 | RestaurantPress | 26 | 265 | 518 | 600 | Output is not escaped | ||
| #1118 | Send Users Email – Email Subscribers, Email Marketing Newsletter | 26 | 188 | 415 | 5k+ | Non-prefixed global variable | ||
| #1119 | SEO Booster | 26 | 403 | 1,331 | 1k+ | Non-prefixed global variable | ||
| #1120 | SP Move Login | 26 | 881 | 215 | 6k+ | Text Domain Mismatch | ||
| #1121 | Sliced Invoices – WordPress Invoice Plugin | 26 | 684 | 455 | 5k+ | Output is not escaped | ||
| #1122 | Video Gallery – Vimeo and YouTube Gallery | 26 | 561 | 794 | 6k+ | Non-prefixed global variable | ||
| #1123 | StoreGrowth: Smart Sales Booster for WooCommerce | BOGO, Upsells, Direct Checkout, Quick View, Side Cart | 26 | 125 | 420 | 2k+ | Non-prefixed global variable | ||
| #1124 | Subscriber by BestWebSoft | 26 | 550 | 376 | 900 | Text Domain Mismatch | ||
| #1125 | SV Proven Expert | 26 | 747 | 380 | 900 | Output is not escaped | ||
| #1126 | Theater for WordPress | 26 | 348 | 344 | 600 | Output is not escaped | ||
| #1127 | Ultimate Reviews | 26 | 515 | 345 | 500 | Output is not escaped | ||
| #1128 | UpdraftCentral Dashboard | 26 | 267 | 180 | 5k+ | Missing Translators Comment | ||
| #1129 | URL Image Importer – Import External Images to the Media Library from URL, CSV & XML | 26 | 143 | 239 | 700 | Missing nonce verification | ||
| #1130 | User Avatar | 26 | 104 | 173 | 4k+ | Non-prefixed constant | ||
| #1131 | User Submitted Posts – Enable Users to Submit Posts from the Front End | 26 | 699 | 396 | 10k+ | Text Domain Mismatch | ||
| #1132 | VikWidgetsLoader – Collection of Widgets | 26 | 1,182 | 538 | 1k+ | Output is not escaped | ||
| #1133 | Virtue/Ascend/Pinnacle Toolkit | 26 | 605 | 300 | 30k+ | Output is not escaped | ||
| #1134 | Visitors Online by BestWebSoft | 26 | 512 | 269 | 1k+ | Text Domain Mismatch | ||
| #1135 | Parcel Pro | 26 | 171 | 220 | 600 | Output is not escaped | ||
| #1136 | Premmerce SEO for WooCommerce | 26 | 550 | 1,285 | 1k+ | Non-prefixed global variable | ||
| #1137 | Set Price Note (Units, Offers, Editions) for WooCommerce | 26 | 596 | 1,307 | 800 | Non-prefixed global variable | ||
| #1138 | XL NMI Gateway for WooCommerce | 26 | 695 | 436 | 1k+ | Text Domain Mismatch | ||
| #1139 | Faktur Pro for WooCommerce | 26 | 416 | 218 | 1k+ | Text Domain Mismatch | ||
| #1140 | WP Flashy Marketing Automation | 26 | 432 | 186 | 2k+ | Text Domain Mismatch | ||
| #1141 | HireZoot – Job Listings, Career Page & Recruitment Tool | 26 | 80 | 620 | 30k+ | Non-prefixed global variable | ||
| #1142 | WPCOM Member | 26 | 432 | 638 | 1k+ | Non Singular String Literal Domain | ||
| #1143 | Accordions – Responsive Accordion & FAQ Plugin for WordPress | 27 | 554 | 158 | 1k+ | Text Domain Mismatch | ||
| #1144 | Addon Elements for Elementor (formerly Elementor Addon Elements) | 27 | 4,065 | 103 | 90k+ | Text Domain Mismatch | ||
| #1145 | Divi Torque Lite – Divi Modules for the Divi Builder & Theme | 27 | 146 | 274 | 50k+ | Non-prefixed global variable | ||
| #1146 | Amazon Product in a Post Plugin | 27 | 362 | 416 | 800 | Output is not escaped | ||
| #1147 | Apollo13 Framework Extensions | 27 | 171 | 273 | 20k+ | Non-prefixed global variable | ||
| #1148 | Arconix FAQ | 27 | 552 | 201 | 6k+ | Text Domain Mismatch | ||
| #1149 | Lean Player – Video and Audio Player with Playlist for WordPress, Elementor and Gutenberg | 27 | 1,615 | 466 | 2k+ | Text Domain Mismatch | ||
| #1150 | BackUpWordPress | 27 | 245 | 271 | 90k+ | Non-prefixed global variable |