WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2151Conditional Widgets3567337k+Output is not escaped
#2152Constant Contact Forms35418920k+Missing nonce verification
#2153EasyTest – Simplify A/B Testing3597610k+Non-prefixed global variable
#2154Cookie Information – Cookie Banner with Consent Mode v235185282k+Output is not escaped
#2155Cookies and Content Security Policy3526141210k+Output is not escaped
#2156Core Framework35706210k+Text Domain Mismatch
#2157Cost of Goods: Product Cost & Profit Calculator for WooCommerce3521299k+Missing Translators Comment
#2158Coupon X – Discount Popups, Promo Codes Pop Ups for WooCommerce & Announcement Popups35301681k+Non-prefixed global variable
#2159CrowdSec351301192k+Output is not escaped
#2160CubeWP Framework35114714k+wp function not compatible with requires wp
#2161Cue by AudioTheme.com35281506k+Non-prefixed hook name
#2162Currency Switcher for WooCommerce3516661800Text Domain Mismatch
#2163Custom CSS and JavaScript35389110k+Input is not sanitized
#2164Custom JavaScript Editor35823400Missing Version
#2165Custom Post Type Maker35240866k+Unsafe printing function
#2166Customizer Backup & Reset358107k+Output is not escaped
#2167Dadevarzan WordPress Common355671700Text Domain Mismatch
#2168Datafeedr Product Sets356022065k+Output is not escaped
#2169Deposits & Partial Payments for WooCommerce351741445k+Text Domain Mismatch
#2170Desktop Mode35185962k+Direct Query
#2171PiWeb Disable payment method / Partial payment for WooCommerce35552214k+Non-prefixed class
#2172Disable and Remove Google Fonts | GDPR & DSGVO friendly352111100k+Missing Translators Comment
#2173Disable XML-RPC-API3544452100k+Text Domain Mismatch
#2174Disk Usage Sunburst3530349k+Output is not escaped
#2175Potent Donations for WooCommerce3514252k+Missing nonce verification
#2176DOOFINDER Search and Discovery for WP & WooCommerce351511202k+Text Domain Mismatch
#2177Duplica – Duplicate Posts, Pages, Custom Posts or Users3514312k+Non-prefixed global variable
#2178DynamicTags35116162k+Text Domain Mismatch
#2179Easy Dash for LearnDash3562388700Text Domain Mismatch
#2180Easy Noindex And Nofollow355518400Output is not escaped
#2181Easy Panorama3512010500Non Singular String Literal Domain
#2182Easy Post Types and Fields351381351k+Text Domain Mismatch
#2183Product Bundle Builder for WooCommerce351521386k+Text Domain Mismatch
#2184Easy Social Icons3518215820k+Output is not escaped
#2185Easy SwipeBox35157102k+Non Singular String Literal Domain
#2186Editorial Calendar3512716020k+Output is not escaped
#2187Email Subscription Popup — Newsletter & GDPR Consent356831931k+Output is not escaped
#2188Email Validator for Contact Form 73511174500SQL query is not prepared
#2189Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more3510292400Non-prefixed global variable
#2190WP Rocket | Simple LoadCSS Preloader357164k+Non-prefixed global variable
#2191Enhanced Recent Posts357824400Output is not escaped
#2192EnvíaloSimple: Email Marketing y Newsletters351472502k+Nonce verification recommended
#2193Equivalent Mobile Redirect3529172k+Text Domain Mismatch
#2194Connect WooCommerce to ActiveCampaign by EqualServing35135891k+Text Domain Mismatch
#2195EWWW Image Optimizer352257311m+Direct Query
#2196AI Popup Builder & Popup Maker by OptiMonk3581654k+Text Domain Mismatch
#2197Export Featured Images35176671k+Output is not escaped
#2198External Links Overview3557200800Non-prefixed global variable
#2199WP2Social Auto Publish356432159k+Unsafe printing function
#2200Pixel Cat – Conversion Pixel Manager3525321540k+Output is not escaped