WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2251 | Kiyoh customer review | 35 | 173 | 68 | 500 | Output is not escaped | ||
| #2252 | Lead Call Buttons | 35 | 113 | 81 | 5k+ | Output is not escaped | ||
| #2253 | Lead Form Builder & Contact Form | 35 | 400 | 345 | 9k+ | Output is not escaped | ||
| #2254 | Lead Generation Form | 35 | 21 | 63 | 600 | Non-prefixed global variable | ||
| #2255 | Less PHP Compiler | 35 | 163 | 47 | 3k+ | Exception output is not escaped | ||
| #2256 | Listamester | 35 | 17 | 16 | 600 | Output is not escaped | ||
| #2257 | Log HTTP Requests | 35 | 7 | 18 | 2k+ | Interpolated SQL is not prepared | ||
| #2258 | Login-Logout | 35 | 104 | 8 | 3k+ | Output is not escaped | ||
| #2259 | Login Page Styler – Custom WordPress Login Page Customizer & Security | 35 | 125 | 168 | 2k+ | Missing Arg Domain | ||
| #2260 | Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | 35 | 266 | 127 | 5k+ | Output is not escaped | ||
| #2261 | MainWP Child Reports | 35 | 49 | 116 | 100k+ | Non-prefixed hook name | ||
| #2262 | Map Block for Google Maps | 35 | 6 | 5 | 20k+ | Hidden files included | ||
| #2263 | Mark Posts | 35 | 30 | 34 | 1k+ | Output is not escaped | ||
| #2264 | Marquee image crawler | 35 | 168 | 136 | 700 | Non-prefixed global variable | ||
| #2265 | Mechanic Visitor Counter | 35 | 240 | 66 | 7k+ | Output is not escaped | ||
| #2266 | Media Library Downloader | 35 | 21 | 16 | 4k+ | Output is not escaped | ||
| #2267 | MeetingHub – Webinar & Meeting Plugin for Zoom, Google Meet, Webex, Microsoft Teams, & Jitsi Meet | 35 | 37 | 313 | 400 | Non-prefixed global variable | ||
| #2268 | Restaurant Menu – Food Ordering System – Table Reservation | 35 | 317 | 186 | 8k+ | Unsafe printing function | ||
| #2269 | Mini Ajax Cart for WooCommerce | 35 | 297 | 240 | 900 | Text Domain Mismatch | ||
| #2270 | mosparo Integration | 35 | 114 | 301 | 900 | Missing nonce verification | ||
| #2271 | AI Product Search for WooCommerce – Motive Commerce Search | 35 | 70 | 82 | 400 | Missing direct file access protection | ||
| #2272 | Movylo Marketing Automation | 35 | 38 | 88 | 700 | error log print r | ||
| #2273 | Hide from Search | 35 | 5 | 8 | 3k+ | Missing direct file access protection | ||
| #2274 | My Eyes Are Up Here | 35 | 7 | 12 | 2k+ | Missing nonce verification | ||
| #2275 | Never Let Me Go | 35 | 34 | 47 | 400 | Non-prefixed global variable | ||
| #2276 | NGG Smart Image Search | 35 | 298 | 155 | 400 | Output is not escaped | ||
| #2277 | Nginx Cache Controller | 35 | 79 | 96 | 1k+ | Text Domain Mismatch | ||
| #2278 | Ni WooCommerce Sales Report | 35 | 236 | 256 | 500 | Text Domain Mismatch | ||
| #2279 | Nooz | 35 | 287 | 108 | 500 | Text Domain Mismatch | ||
| #2280 | Meta pixel for WordPress | 35 | 90 | 40 | 400k+ | Exception output is not escaped | ||
| #2281 | One Page Express Companion | 35 | 132 | 65 | 10k+ | Output is not escaped | ||
| #2282 | ONet Regenerate Thumbnails | 35 | 190 | 64 | 1k+ | Text Domain Mismatch | ||
| #2283 | Plugin Ongkos Kirim JNE Tiki Sicepat Wahana J&T POS for Woocommerce | 35 | 117 | 144 | 2k+ | Output is not escaped | ||
| #2284 | OPcache Manager | 35 | 155 | 75 | 1k+ | Output is not escaped | ||
| #2285 | Order Delivery Date for WooCommerce | 35 | 2,075 | 73 | 10k+ | wp function not compatible with requires wp | ||
| #2286 | Orderable – Restaurant & Food Ordering System | 35 | 12 | 324 | 5k+ | Non-prefixed global variable | ||
| #2287 | OSM Map Widget for Elementor | 35 | 183 | 14 | 9k+ | Text Domain Mismatch | ||
| #2288 | OT Flatsome Vertical Menu | 35 | 126 | 26 | 10k+ | Text Domain Mismatch | ||
| #2289 | Page Optimize | 35 | 70 | 41 | 200k+ | Non Singular String Literal Domain | ||
| #2290 | Page Visits Counter – Lite | 35 | 28 | 35 | 5k+ | Output is not escaped | ||
| #2291 | Paybox WooCommerce Payment Gateway | 35 | 165 | 88 | 500 | Non Singular String Literal Domain | ||
| #2292 | Paytm Payment Gateway | 35 | 92 | 104 | 3k+ | Missing Arg Domain | ||
| #2293 | Perfecty Push Notifications | 35 | 204 | 213 | 4k+ | SQL query is not prepared | ||
| #2294 | Planyo online reservation system | 35 | 64 | 90 | 400 | Output is not escaped | ||
| #2295 | Plausible Analytics | 35 | 244 | 61 | 10k+ | Exception output is not escaped | ||
| #2296 | Accept Cryptocurrencies with Plisio | 35 | 37 | 47 | 1k+ | Text Domain Mismatch | ||
| #2297 | Pochipp | 35 | 27 | 102 | 20k+ | Non-prefixed global variable | ||
| #2298 | Poptin – Email Marketing Automation, Newsletter & Exit Pop Ups, Email Popups | 35 | 168 | 29 | 20k+ | Output is not escaped | ||
| #2299 | Popular Posts | 35 | 166 | 71 | 900 | Unsafe printing function | ||
| #2300 | Popup with fancybox | 35 | 196 | 168 | 900 | Unsafe printing function |