WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2151 | Conditional Widgets | 35 | 67 | 33 | 7k+ | Output is not escaped | ||
| #2152 | Constant Contact Forms | 35 | 41 | 89 | 20k+ | Missing nonce verification | ||
| #2153 | EasyTest – Simplify A/B Testing | 35 | 9 | 76 | 10k+ | Non-prefixed global variable | ||
| #2154 | Cookie Information – Cookie Banner with Consent Mode v2 | 35 | 185 | 28 | 2k+ | Output is not escaped | ||
| #2155 | Cookies and Content Security Policy | 35 | 261 | 412 | 10k+ | Output is not escaped | ||
| #2156 | Core Framework | 35 | 70 | 62 | 10k+ | Text Domain Mismatch | ||
| #2157 | Cost of Goods: Product Cost & Profit Calculator for WooCommerce | 35 | 21 | 29 | 9k+ | Missing Translators Comment | ||
| #2158 | Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups | 35 | 30 | 168 | 1k+ | Non-prefixed global variable | ||
| #2159 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped | ||
| #2160 | CubeWP Framework | 35 | 114 | 71 | 4k+ | wp function not compatible with requires wp | ||
| #2161 | Cue by AudioTheme.com | 35 | 28 | 150 | 6k+ | Non-prefixed hook name | ||
| #2162 | Currency Switcher for WooCommerce | 35 | 166 | 61 | 800 | Text Domain Mismatch | ||
| #2163 | Custom CSS and JavaScript | 35 | 38 | 91 | 10k+ | Input is not sanitized | ||
| #2164 | Custom JavaScript Editor | 35 | 8 | 23 | 400 | Missing Version | ||
| #2165 | Custom Post Type Maker | 35 | 240 | 86 | 6k+ | Unsafe printing function | ||
| #2166 | Customizer Backup & Reset | 35 | 8 | 10 | 7k+ | Output is not escaped | ||
| #2167 | Dadevarzan WordPress Common | 35 | 56 | 71 | 700 | Text Domain Mismatch | ||
| #2168 | Datafeedr Product Sets | 35 | 602 | 206 | 5k+ | Output is not escaped | ||
| #2169 | Deposits & Partial Payments for WooCommerce | 35 | 174 | 144 | 5k+ | Text Domain Mismatch | ||
| #2170 | Desktop Mode | 35 | 18 | 596 | 2k+ | Direct Query | ||
| #2171 | PiWeb Disable payment method / Partial payment for WooCommerce | 35 | 55 | 221 | 4k+ | Non-prefixed class | ||
| #2172 | Disable and Remove Google Fonts | GDPR & DSGVO friendly | 35 | 21 | 11 | 100k+ | Missing Translators Comment | ||
| #2173 | Disable XML-RPC-API | 35 | 444 | 52 | 100k+ | Text Domain Mismatch | ||
| #2174 | Disk Usage Sunburst | 35 | 30 | 34 | 9k+ | Output is not escaped | ||
| #2175 | Potent Donations for WooCommerce | 35 | 14 | 25 | 2k+ | Missing nonce verification | ||
| #2176 | DOOFINDER Search and Discovery for WP & WooCommerce | 35 | 151 | 120 | 2k+ | Text Domain Mismatch | ||
| #2177 | Duplica – Duplicate Posts, Pages, Custom Posts or Users | 35 | 14 | 31 | 2k+ | Non-prefixed global variable | ||
| #2178 | DynamicTags | 35 | 116 | 16 | 2k+ | Text Domain Mismatch | ||
| #2179 | Easy Dash for LearnDash | 35 | 623 | 88 | 700 | Text Domain Mismatch | ||
| #2180 | Easy Noindex And Nofollow | 35 | 55 | 18 | 400 | Output is not escaped | ||
| #2181 | Easy Panorama | 35 | 120 | 10 | 500 | Non Singular String Literal Domain | ||
| #2182 | Easy Post Types and Fields | 35 | 138 | 135 | 1k+ | Text Domain Mismatch | ||
| #2183 | Product Bundle Builder for WooCommerce | 35 | 152 | 138 | 6k+ | Text Domain Mismatch | ||
| #2184 | Easy Social Icons | 35 | 182 | 158 | 20k+ | Output is not escaped | ||
| #2185 | Easy SwipeBox | 35 | 157 | 10 | 2k+ | Non Singular String Literal Domain | ||
| #2186 | Editorial Calendar | 35 | 127 | 160 | 20k+ | Output is not escaped | ||
| #2187 | Email Subscription Popup — Newsletter & GDPR Consent | 35 | 683 | 193 | 1k+ | Output is not escaped | ||
| #2188 | Email Validator for Contact Form 7 | 35 | 111 | 74 | 500 | SQL query is not prepared | ||
| #2189 | Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more | 35 | 102 | 92 | 400 | Non-prefixed global variable | ||
| #2190 | WP Rocket | Simple LoadCSS Preloader | 35 | 7 | 16 | 4k+ | Non-prefixed global variable | ||
| #2191 | Enhanced Recent Posts | 35 | 78 | 24 | 400 | Output is not escaped | ||
| #2192 | EnvíaloSimple: Email Marketing y Newsletters | 35 | 147 | 250 | 2k+ | Nonce verification recommended | ||
| #2193 | Equivalent Mobile Redirect | 35 | 29 | 17 | 2k+ | Text Domain Mismatch | ||
| #2194 | Connect WooCommerce to ActiveCampaign by EqualServing | 35 | 135 | 89 | 1k+ | Text Domain Mismatch | ||
| #2195 | EWWW Image Optimizer | 35 | 225 | 731 | 1m+ | Direct Query | ||
| #2196 | AI Popup Builder & Popup Maker by OptiMonk | 35 | 81 | 65 | 4k+ | Text Domain Mismatch | ||
| #2197 | Export Featured Images | 35 | 176 | 67 | 1k+ | Output is not escaped | ||
| #2198 | External Links Overview | 35 | 57 | 200 | 800 | Non-prefixed global variable | ||
| #2199 | WP2Social Auto Publish | 35 | 643 | 215 | 9k+ | Unsafe printing function | ||
| #2200 | Pixel Cat – Conversion Pixel Manager | 35 | 253 | 215 | 40k+ | Output is not escaped |