WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2451 | WPCore Plugin Manager | 35 | 118 | 38 | 9k+ | Text Domain Mismatch | ||
| #2452 | WPD Beaver Builder Additions | 35 | 406 | 35 | 600 | Non Singular String Literal Domain | ||
| #2453 | WP Views Counter | 35 | 81 | 42 | 2k+ | Output is not escaped | ||
| #2454 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #2455 | WPGraphQL IDE | 35 | 38 | 18 | 1k+ | Text Domain Mismatch | ||
| #2456 | wpLingua – Automatic translation – Translate and make website multilingual | 35 | 79 | 167 | 2k+ | Nonce verification recommended | ||
| #2457 | WPPerformanceTester | 35 | 94 | 44 | 1k+ | Output is not escaped | ||
| #2458 | WPZOOM Addons for Elementor – Starter Templates & Widgets | 35 | 160 | 130 | 20k+ | Output is not escaped | ||
| #2459 | WPZOOM Forms – Drag & Drop Contact Form Builder for WordPress | 35 | 74 | 109 | 10k+ | Nonce verification recommended | ||
| #2460 | WPZOOM Portfolio Lite – Filterable Portfolio Plugin | 35 | 42 | 92 | 20k+ | Non-prefixed global variable | ||
| #2461 | Writesonic | 35 | 14 | 16 | 1k+ | Non-prefixed global variable | ||
| #2462 | WSB HUB3 | 35 | 36 | 109 | 1k+ | Missing nonce verification | ||
| #2463 | xili-tidy-tags | 35 | 224 | 157 | 1k+ | Output is not escaped | ||
| #2464 | XServer Migrator | 35 | 39 | 53 | 10k+ | Interpolated SQL is not prepared | ||
| #2465 | TypeSquare Webfonts for エックスサーバー | 35 | 183 | 98 | 100k+ | Missing Arg Domain | ||
| #2466 | Yabe Webfont – Use Custom Fonts, Google Fonts or Adobe Fonts | 35 | 48 | 114 | 5k+ | Non-prefixed hook name | ||
| #2467 | Yes/No Chart | 35 | 136 | 139 | 2k+ | Unsafe printing function | ||
| #2468 | YML for Yandex Market | 35 | 18 | 288 | 10k+ | Non-prefixed global variable | ||
| #2469 | Year Make Model Search for WooCommerce | 35 | 188 | 162 | 1k+ | Output is not escaped | ||
| #2470 | Yoco Payments | 35 | 2 | 32 | 10k+ | Nonce verification recommended | ||
| #2471 | Yotpo: Product & Photo Reviews for WooCommerce | 35 | 24 | 189 | 2k+ | Non-prefixed function | ||
| #2472 | Embeds for YouTube | 35 | 255 | 307 | 10k+ | Non-prefixed global variable | ||
| #2473 | Ziina | 35 | 4 | 25 | 2k+ | Input is not sanitized | ||
| #2474 | 2C2P Redirect API for WooCommerce | 36 | 136 | 62 | 900 | wp function not compatible with requires wp | ||
| #2475 | 3B Meteo | 36 | 50 | 76 | 1k+ | Output is not escaped | ||
| #2476 | Advanced Export for WP & WPMU | 36 | 124 | 55 | 700 | Output is not escaped | ||
| #2477 | Age Verification for your checkout page. Verify your customer's identity | 36 | 155 | 238 | 500 | Output is not escaped | ||
| #2478 | Asesor de Cookies RGPD para normativa europea | 36 | 94 | 91 | 20k+ | wp function not compatible with requires wp | ||
| #2479 | Awesome GDPR Compliant Cookie Consent and Notice | 36 | 653 | 201 | 500 | Text Domain Mismatch | ||
| #2480 | Bard Extra | 36 | 158 | 76 | 700 | Text Domain Mismatch | ||
| #2481 | Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder | 36 | 3 | 322 | 10k+ | Nonce verification recommended | ||
| #2482 | Blaze Demo Importer | 36 | 101 | 94 | 8k+ | Output is not escaped | ||
| #2483 | BlockStrap Page Builder – Bootstrap Blocks | 36 | 81 | 89 | 2k+ | Missing direct file access protection | ||
| #2484 | Blog, Posts and Category Filter for Elementor | 36 | 159 | 55 | 1k+ | Text Domain Mismatch | ||
| #2485 | BP Disable Activation Reloaded | 36 | 147 | 28 | 800 | Output is not escaped | ||
| #2486 | BP Group Documents | 36 | 27 | 195 | 600 | Non-prefixed global variable | ||
| #2487 | BP Profile Search | 36 | 321 | 85 | 5k+ | Output is not escaped | ||
| #2488 | bpost shipping | 36 | 97 | 43 | 700 | Output is not escaped | ||
| #2489 | Breadcrumb NavXT | 36 | 102 | 111 | 800k+ | Non Singular String Literal Domain | ||
| #2490 | Bulgarisation for WooCommerce | 36 | 135 | 594 | 5k+ | Nonce verification recommended | ||
| #2491 | WOLF – WordPress Posts Bulk Editor and Manager Professional | 36 | 1 | 574 | 4k+ | Request data is not unslashed | ||
| #2492 | Bulk Post Update Date | 36 | 96 | 66 | 10k+ | Unsafe printing function | ||
| #2493 | Bus Ticket Booking with Seat Reservation | 36 | 145 | 192 | 800 | Non-prefixed global variable | ||
| #2494 | Better WordPress Recent Comments | 36 | 319 | 69 | 600 | Text Domain Mismatch | ||
| #2495 | Carousel Ultimate | 36 | 450 | 284 | 700 | Text Domain Mismatch | ||
| #2496 | Carousel Horizontal Posts Content Slider | 36 | 271 | 59 | 2k+ | Text Domain Mismatch | ||
| #2497 | Cashflows for WooCommerce | 36 | 119 | 36 | 600 | Text Domain Mismatch | ||
| #2498 | Simple SEO | 36 | 164 | 113 | 10k+ | Non Singular String Literal Domain | ||
| #2499 | Contact Form 7 Gated Content | 36 | 122 | 36 | 800 | Short PHP open tag found | ||
| #2500 | Multi Step for Contact Form 7 | 36 | 61 | 106 | 10k+ | Missing nonce verification |