WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2201 | Reviews Widgets for Google, TripAdvisor, Yelp & Recommendations | 35 | 255 | 225 | 10k+ | Output is not escaped | ||
| #2202 | Flat Preloader | 35 | 40 | 15 | 3k+ | Output is not escaped | ||
| #2203 | Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager | 35 | 64 | 64 | 80k+ | Non-prefixed global variable | ||
| #2204 | Flexible Subscriptions | 35 | 46 | 249 | 1k+ | Non-prefixed global variable | ||
| #2205 | Flying Analytics: Self-Host Google Analytics v4 with Speed Optimization | 35 | 17 | 13 | 4k+ | Missing direct file access protection | ||
| #2206 | Events Calendar by FooEvents | 35 | 57 | 59 | 4k+ | Non-prefixed global variable | ||
| #2207 | FooGallery Migrate | 35 | 41 | 232 | 1k+ | Non-prefixed global variable | ||
| #2208 | Force Reinstall | 35 | 118 | 34 | 2k+ | Output is not escaped | ||
| #2209 | Friendly Captcha for WordPress | 35 | 192 | 62 | 9k+ | Output is not escaped | ||
| #2210 | Frontend Reset Password | 35 | 83 | 128 | 10k+ | Text Domain Mismatch | ||
| #2211 | Full Width Banner Slider Wp | 35 | 239 | 140 | 2k+ | Output is not escaped | ||
| #2212 | g-FFL Cockpit | 35 | 18 | 224 | 500 | Direct Query | ||
| #2213 | GA4WP – Analytics Dashboard for the Website | 35 | 434 | 157 | 2k+ | Text Domain Mismatch | ||
| #2214 | GeoTargeting Lite – WordPress Geolocation | 35 | 66 | 79 | 1k+ | Output is not escaped | ||
| #2215 | Get a Newsletter | 35 | 138 | 144 | 400 | Output is not escaped | ||
| #2216 | Glossary | 35 | 169 | 93 | 2k+ | Non Singular String Literal Domain | ||
| #2217 | Reviews Block for Google | 35 | 244 | 35 | 1k+ | Missing Arg Domain | ||
| #2218 | Gravitec.net – Web Push Notifications | 35 | 47 | 52 | 1k+ | wp function not compatible with requires wp | ||
| #2219 | Gumlet – Image optimization with Resize, Compression, Lazy load, Caching & CDN delivery | 35 | 53 | 45 | 500 | parse url parse url | ||
| #2220 | Health Check & Troubleshooting | 35 | 264 | 238 | 300k+ | Missing Arg Domain | ||
| #2221 | Heartbeat Control | 35 | 27 | 18 | 80k+ | Missing Arg Domain | ||
| #2222 | Social Comments by Heateor | 35 | 285 | 35 | 700 | Unsafe printing function | ||
| #2223 | Hippoo Mobile App for WooCommerce | 35 | 5 | 92 | 1k+ | Direct Query | ||
| #2224 | HivePress – Business Directory, Listings & Classified Ads Plugin | 35 | 38 | 180 | 10k+ | Direct Query | ||
| #2225 | HTTP Authentication | 35 | 23 | 6 | 600 | Output is not escaped | ||
| #2226 | Iframely – WP media embeds, cards and blocks | 35 | 136 | 43 | 2k+ | Unsafe printing function | ||
| #2227 | Image Slider | 35 | 192 | 95 | 4k+ | Output is not escaped | ||
| #2228 | Image Watermark | 35 | 85 | 181 | 40k+ | Missing nonce verification | ||
| #2229 | Image Widget | 35 | 165 | 31 | 100k+ | Output is not escaped | ||
| #2230 | ImageMagick Engine | 35 | 63 | 29 | 60k+ | Unsafe printing function | ||
| #2231 | InPost PL | 35 | 2 | 938 | 10k+ | Non-prefixed global variable | ||
| #2232 | Woody Code Snippets – Insert PHP, CSS, JS, and Header/Footer Scripts | 35 | 64 | 91 | 60k+ | Output is not escaped | ||
| #2233 | Inspiro Starter Sites – 20+ Free Demo Templates for Gutenberg & Elementor | 35 | 6 | 200 | 10k+ | Non-prefixed global variable | ||
| #2234 | Social Feed Gallery | 35 | 104 | 52 | 80k+ | Text Domain Mismatch | ||
| #2235 | Instant CSS | 35 | 25 | 25 | 3k+ | Output is not escaped | ||
| #2236 | Instapage Plugin | 35 | 220 | 45 | 4k+ | Output is not escaped | ||
| #2237 | IntenseDebate Comments | 35 | 203 | 114 | 500 | Output is not escaped | ||
| #2238 | IP Based Login | 35 | 179 | 146 | 600 | Output is not escaped | ||
| #2239 | iPages – FlipBook Image & PDF Viewer | 35 | 467 | 177 | 2k+ | Text Domain Mismatch | ||
| #2240 | Issuu PDF Sync | 35 | 159 | 28 | 900 | Text Domain Mismatch | ||
| #2241 | Japanese font for WordPress(Previously: Japanese Font for TinyMCE) | 35 | 11 | 37 | 10k+ | Non-prefixed global variable | ||
| #2242 | JetStyleManager for Gutenberg | 35 | 20 | 64 | 20k+ | Nonce verification recommended | ||
| #2243 | JSON Feed (jsonfeed.org) | 35 | 9 | 29 | 1k+ | Non-prefixed global variable | ||
| #2244 | Nobs • Share Buttons | 35 | 314 | 85 | 3k+ | Output is not escaped | ||
| #2245 | JWT Auth – WordPress JSON Web Token Authentication | 35 | 14 | 18 | 6k+ | Output is not escaped | ||
| #2246 | Kadence for WooCommerce and Elementor | 35 | 39 | 21 | 3k+ | Output is not escaped | ||
| #2247 | Kargo Takip | 35 | 84 | 142 | 3k+ | Missing nonce verification | ||
| #2248 | Kaya QR Code Generator | 35 | 193 | 40 | 20k+ | Non Singular String Literal Domain | ||
| #2249 | KBoard 위젯 – 워드프레스 게시판 | 35 | 53 | 32 | 3k+ | Output is not escaped | ||
| #2250 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped |