WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2301 | Post Content Shortcodes | 35 | 205 | 56 | 2k+ | Output is not escaped | ||
| #2302 | Post Draft Preview | 35 | 49 | 69 | 700 | Text Domain Mismatch | ||
| #2303 | Post List Featured Image | 35 | 112 | 100 | 900 | Output is not escaped | ||
| #2304 | Post Meta Data Manager | 35 | 30 | 112 | 1k+ | Non-prefixed global variable | ||
| #2305 | Post Password Token | 35 | 132 | 38 | 600 | Text Domain Mismatch | ||
| #2306 | Posts Table with Search & Sort | 35 | 143 | 33 | 3k+ | Text Domain Mismatch | ||
| #2307 | PrettyLinks – Affiliate Link Management, URL Shortener, Link Cloaking, Tracking & Branded Short Links | 35 | 1 | 5 | 200k+ | Database parameter is not escaped | ||
| #2308 | Product Input Fields for WooCommerce | 35 | 18 | 84 | 4k+ | Non-prefixed function | ||
| #2309 | Min Max Step Quantity Limits Manager for WooCommerce | 35 | 67 | 158 | 3k+ | Non-prefixed global variable | ||
| #2310 | Protect the Children! | 35 | 2 | 34 | 1k+ | Missing nonce verification | ||
| #2311 | Publitio | 35 | 47 | 26 | 400 | curl curl setopt | ||
| #2312 | Push Notifications by LaraPush | 35 | 32 | 76 | 5k+ | Non-prefixed global variable | ||
| #2313 | Push7 | 35 | 45 | 17 | 700 | Short PHP open tag found | ||
| #2314 | QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly | 35 | 225 | 110 | 8k+ | Non Singular String Literal Domain | ||
| #2315 | Quran multilanguage Text & Audio | 35 | 177 | 166 | 500 | Output is not escaped | ||
| #2316 | ReactPress – Create React App for WordPress | 35 | 26 | 43 | 3k+ | Request data is not unslashed | ||
| #2317 | Real Time Validation for Gravity Forms | 35 | 185 | 30 | 2k+ | Output is not escaped | ||
| #2318 | Really Simple Google Tag Manager (GTM) | 35 | 115 | 15 | 4k+ | Text Domain Mismatch | ||
| #2319 | Related Posts by Taxonomy | 35 | 131 | 97 | 10k+ | Output is not escaped | ||
| #2320 | Related Posts for WordPress | 35 | 207 | 180 | 10k+ | Output is not escaped | ||
| #2321 | Remove Dashboard Access | 35 | 16 | 23 | 30k+ | wp function not compatible with requires wp | ||
| #2322 | ReOrder Posts within Categories | 35 | 39 | 207 | 7k+ | Non-prefixed global variable | ||
| #2323 | WP Responsive Tabs horizontal vertical and accordion Tabs | 35 | 598 | 212 | 2k+ | Output is not escaped | ||
| #2324 | Reveal IDs | 35 | 23 | 13 | 40k+ | Output is not escaped | ||
| #2325 | Robots.txt rewrite | 35 | 56 | 19 | 1k+ | Output is not escaped | ||
| #2326 | sCode (Easy Shortcodes) | 35 | 157 | 97 | 400 | Text Domain Mismatch | ||
| #2327 | Scroll Styler | 35 | 52 | 21 | 900 | Output is not escaped | ||
| #2328 | Internal Links Manager | 35 | 188 | 121 | 10k+ | Output is not escaped | ||
| #2329 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 86 | 1m+ | Input is not sanitized | ||
| #2330 | Shipping Zones by Drawing for WooCommerce | 35 | 278 | 95 | 600 | Text Domain Mismatch | ||
| #2331 | Shopkeeper Extender | 35 | 14 | 26 | 5k+ | Missing Version | ||
| #2332 | Product Feed for Google Shopping, Microsoft Advertising and 40+ Channels for WooCommerce Merchant | 35 | 83 | 76 | 2k+ | Output is not escaped | ||
| #2333 | SHOPVOTE | 35 | 64 | 58 | 400 | curl curl setopt | ||
| #2334 | Shortcake (Shortcode UI) | 35 | 9 | 39 | 10k+ | Request data is not unslashed | ||
| #2335 | Simple CAPTCHA with Cloudflare Turnstile | 35 | 82 | 148 | 100k+ | Output is not escaped | ||
| #2336 | Simple Export Import for ACF Data | 35 | 19 | 64 | 1k+ | Request data is not unslashed | ||
| #2337 | Simple Image Sizes | 35 | 53 | 75 | 60k+ | Unsafe printing function | ||
| #2338 | Simple Yearly Archive | 35 | 102 | 36 | 6k+ | Unsafe printing function | ||
| #2339 | Simple Analytics | 35 | 25 | 20 | 1k+ | Output is not escaped | ||
| #2340 | SiteGround Migrator | 35 | 113 | 74 | 80k+ | Missing Arg Domain | ||
| #2341 | Slick Slider | 35 | 36 | 9 | 2k+ | Output is not escaped | ||
| #2342 | SiteOrigin CSS | 35 | 61 | 84 | 100k+ | Not In Footer | ||
| #2343 | WPZOOM Connect: Social Icons Widget, Share Buttons & Click to Chat | 35 | 28 | 31 | 90k+ | Input is not sanitized | ||
| #2344 | Quiz Maker, Poll Maker & Survey Maker by Opinion Stage | 35 | 42 | 32 | 6k+ | Output is not escaped | ||
| #2345 | Spacious Toolkit | 35 | 48 | 94 | 700 | Non-prefixed global variable | ||
| #2346 | Speedy Page Redirect | 35 | 6 | 10 | 1k+ | Output is not escaped | ||
| #2347 | Spots | 35 | 195 | 49 | 800 | Output is not escaped | ||
| #2348 | Spreadshop Plugin | 35 | 145 | 44 | 4k+ | wp function not compatible with requires wp | ||
| #2349 | Square Thumbnails | 35 | 43 | 317 | 800 | error log error log | ||
| #2350 | SSL Insecure Content Fixer | 35 | 28 | 60 | 100k+ | Input is not sanitized |