WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2401Sola Payment Gateway for WooCommerce35107116700Missing Translators Comment
#2402WP Courseware for WooCommerce3555491k+Text Domain Mismatch
#2403Custom Payment Gateways for WooCommerce35202313k+Non Singular String Literal Domain
#2404Backend Payments for WooCommerce356342900Exception output is not escaped
#2405Save and Share Cart for WooCommerce3512551600Text Domain Mismatch
#2406DPD Baltic Shipping35912022k+Text Domain Mismatch
#2407Conversion Tracking for WooCommerce35746120k+Output is not escaped
#2408WooCommerce Gateway Affirm352586k+Nonce verification recommended
#2409Custom Payment Gateway for WooCommerce3511128k+Missing nonce verification
#2410Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce35671471k+Request data is not unslashed
#2411Product Tabs for WooCommerce3519610010k+Text Domain Mismatch
#2412Brevo for WooCommerce351166730k+Output is not escaped
#2413Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices35225220k+Direct Query
#2414Kybernaut IČO DIČ3579682k+Missing nonce verification
#2415Wooplatnica352724400Non-prefixed class
#2416BulkGate SMS Plugin for WooCommerce3533321k+Output is not escaped
#2417Easy Accept Payments via PayPal353221287k+Text Domain Mismatch
#2418WP Associate Post R235259863k+Output is not escaped
#2419WP Cassify35106143700Missing nonce verification
#2420WP Compiler3533201k+Output is not escaped
#2421WP-Cron Status Checker352401115k+Text Domain Mismatch
#2422Custom Body Class353910110k+Non-prefixed global variable
#2423WP Datepicker352251817k+Output is not escaped
#2424Database Backup for WordPress351288870k+Output is not escaped
#2425WP Duplicate Page35445060k+Text Domain Mismatch
#2426WP Geo3518084900Output is not escaped
#2427Auto Publish for Google My Business3521619210k+Input is not validated
#2428WP GPX Maps35271004k+Non-prefixed global variable
#2429WP Hydra3510181k+Input is not sanitized
#2430Mail logging – WP Mail Catcher3523215720k+Text Domain Mismatch
#2431WP Mailto Links – Protect Email Addresses3595698k+Output is not escaped
#2432WP-Markdown353139400Output is not escaped
#2433WP Instant Feeds3519126k+Output is not escaped
#2434WP Open Street Map35591113k+Input is not validated
#2435WP-PageNavi358495500k+Non Singular String Literal Domain
#2436WP-Paginate35375520k+Input is not validated
#2437WP-Persian35144377k+Unsafe printing function
#2438WP PGP Encrypted Emails356339400Output is not escaped
#2439WP-PostViews3513264100k+Unsafe printing function
#2440WP-Print35110528k+Unsafe printing function
#2441WP All Import – Property Import for WP Residence354132700Output is not escaped
#2442video carousel slider with lightbox353501361k+Output is not escaped
#2443WP Site Verification tool3534371k+Non-prefixed global variable
#2444WP Spam Question Filter3563302k+Output is not escaped
#2445Subresource Integrity (SRI) Manager352694900Request data is not unslashed
#2446WP System Information3523730700Text Domain Mismatch
#2447WP-ViperGB3512768400Output is not escaped
#2448Integration for WooCommerce and QuickBooks352631251k+Output is not escaped
#2449WP-Yomigana3517152k+Output is not escaped
#2450WPC Badge Management for WooCommerce3513812k+Missing nonce verification