WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2401 | Sola Payment Gateway for WooCommerce | 35 | 107 | 116 | 700 | Missing Translators Comment | ||
| #2402 | WP Courseware for WooCommerce | 35 | 55 | 49 | 1k+ | Text Domain Mismatch | ||
| #2403 | Custom Payment Gateways for WooCommerce | 35 | 202 | 31 | 3k+ | Non Singular String Literal Domain | ||
| #2404 | Backend Payments for WooCommerce | 35 | 63 | 42 | 900 | Exception output is not escaped | ||
| #2405 | Save and Share Cart for WooCommerce | 35 | 125 | 51 | 600 | Text Domain Mismatch | ||
| #2406 | DPD Baltic Shipping | 35 | 91 | 202 | 2k+ | Text Domain Mismatch | ||
| #2407 | Conversion Tracking for WooCommerce | 35 | 74 | 61 | 20k+ | Output is not escaped | ||
| #2408 | WooCommerce Gateway Affirm | 35 | 2 | 58 | 6k+ | Nonce verification recommended | ||
| #2409 | Custom Payment Gateway for WooCommerce | 35 | 11 | 12 | 8k+ | Missing nonce verification | ||
| #2410 | Payment Gateway for PayPal Pro & PayPal Checkout for WooCommerce | 35 | 67 | 147 | 1k+ | Request data is not unslashed | ||
| #2411 | Product Tabs for WooCommerce | 35 | 196 | 100 | 10k+ | Text Domain Mismatch | ||
| #2412 | Brevo for WooCommerce | 35 | 116 | 67 | 30k+ | Output is not escaped | ||
| #2413 | Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices | 35 | 22 | 52 | 20k+ | Direct Query | ||
| #2414 | Kybernaut IČO DIČ | 35 | 79 | 68 | 2k+ | Missing nonce verification | ||
| #2415 | Wooplatnica | 35 | 27 | 24 | 400 | Non-prefixed class | ||
| #2416 | BulkGate SMS Plugin for WooCommerce | 35 | 33 | 32 | 1k+ | Output is not escaped | ||
| #2417 | Easy Accept Payments via PayPal | 35 | 322 | 128 | 7k+ | Text Domain Mismatch | ||
| #2418 | WP Associate Post R2 | 35 | 259 | 86 | 3k+ | Output is not escaped | ||
| #2419 | WP Cassify | 35 | 106 | 143 | 700 | Missing nonce verification | ||
| #2420 | WP Compiler | 35 | 33 | 20 | 1k+ | Output is not escaped | ||
| #2421 | WP-Cron Status Checker | 35 | 240 | 111 | 5k+ | Text Domain Mismatch | ||
| #2422 | Custom Body Class | 35 | 39 | 101 | 10k+ | Non-prefixed global variable | ||
| #2423 | WP Datepicker | 35 | 225 | 181 | 7k+ | Output is not escaped | ||
| #2424 | Database Backup for WordPress | 35 | 128 | 88 | 70k+ | Output is not escaped | ||
| #2425 | WP Duplicate Page | 35 | 44 | 50 | 60k+ | Text Domain Mismatch | ||
| #2426 | WP Geo | 35 | 180 | 84 | 900 | Output is not escaped | ||
| #2427 | Auto Publish for Google My Business | 35 | 216 | 192 | 10k+ | Input is not validated | ||
| #2428 | WP GPX Maps | 35 | 27 | 100 | 4k+ | Non-prefixed global variable | ||
| #2429 | WP Hydra | 35 | 10 | 18 | 1k+ | Input is not sanitized | ||
| #2430 | Mail logging – WP Mail Catcher | 35 | 232 | 157 | 20k+ | Text Domain Mismatch | ||
| #2431 | WP Mailto Links – Protect Email Addresses | 35 | 95 | 69 | 8k+ | Output is not escaped | ||
| #2432 | WP-Markdown | 35 | 31 | 39 | 400 | Output is not escaped | ||
| #2433 | WP Instant Feeds | 35 | 19 | 12 | 6k+ | Output is not escaped | ||
| #2434 | WP Open Street Map | 35 | 59 | 111 | 3k+ | Input is not validated | ||
| #2435 | WP-PageNavi | 35 | 84 | 95 | 500k+ | Non Singular String Literal Domain | ||
| #2436 | WP-Paginate | 35 | 37 | 55 | 20k+ | Input is not validated | ||
| #2437 | WP-Persian | 35 | 144 | 37 | 7k+ | Unsafe printing function | ||
| #2438 | WP PGP Encrypted Emails | 35 | 63 | 39 | 400 | Output is not escaped | ||
| #2439 | WP-PostViews | 35 | 132 | 64 | 100k+ | Unsafe printing function | ||
| #2440 | WP-Print | 35 | 110 | 52 | 8k+ | Unsafe printing function | ||
| #2441 | WP All Import – Property Import for WP Residence | 35 | 41 | 32 | 700 | Output is not escaped | ||
| #2442 | video carousel slider with lightbox | 35 | 350 | 136 | 1k+ | Output is not escaped | ||
| #2443 | WP Site Verification tool | 35 | 34 | 37 | 1k+ | Non-prefixed global variable | ||
| #2444 | WP Spam Question Filter | 35 | 63 | 30 | 2k+ | Output is not escaped | ||
| #2445 | Subresource Integrity (SRI) Manager | 35 | 26 | 94 | 900 | Request data is not unslashed | ||
| #2446 | WP System Information | 35 | 237 | 30 | 700 | Text Domain Mismatch | ||
| #2447 | WP-ViperGB | 35 | 127 | 68 | 400 | Output is not escaped | ||
| #2448 | Integration for WooCommerce and QuickBooks | 35 | 263 | 125 | 1k+ | Output is not escaped | ||
| #2449 | WP-Yomigana | 35 | 17 | 15 | 2k+ | Output is not escaped | ||
| #2450 | WPC Badge Management for WooCommerce | 35 | 13 | 81 | 2k+ | Missing nonce verification |