WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2501 | Contact Form 7 Polylang Module | 36 | 32 | 45 | 5k+ | Output is not escaped | ||
| #2502 | CloudPayments Gateway for WooCommerce | 36 | 205 | 70 | 500 | Text Domain Mismatch | ||
| #2503 | CLP – Custom Login Page by NiteoThemes | 36 | 240 | 49 | 700 | Output is not escaped | ||
| #2504 | CM Header and Footer – Add custom scripts and styles to your header and footer with ease | 36 | 230 | 198 | 1k+ | Output is not escaped | ||
| #2505 | Code Snippets | 36 | 34 | 203 | 1m+ | Nonce verification recommended | ||
| #2506 | ColorMeShop WordPress Plugin | 36 | 392 | 37 | 600 | Exception output is not escaped | ||
| #2507 | Coming Soon, Under Construction & Maintenance Mode By Dazzler | 36 | 173 | 132 | 6k+ | Text Domain Mismatch | ||
| #2508 | Conditional Payments for WooCommerce | 36 | 292 | 184 | 10k+ | Text Domain Mismatch | ||
| #2509 | Conditional Shipping for WooCommerce | 36 | 93 | 196 | 10k+ | Non-prefixed global variable | ||
| #2510 | Continuous Image Carousel With Lightbox | 36 | 255 | 129 | 1k+ | Output is not escaped | ||
| #2511 | Crelly Slider | 36 | 421 | 185 | 10k+ | Unsafe printing function | ||
| #2512 | Custom Database Applications by Caspio | 36 | 32 | 63 | 400 | Input is not sanitized | ||
| #2513 | Custom PHP Settings | 36 | 153 | 76 | 10k+ | Output is not escaped | ||
| #2514 | Custom Category Post Order | 36 | 80 | 83 | 500 | Text Domain Mismatch | ||
| #2515 | Dashboard Widgets Suite | 36 | 206 | 124 | 4k+ | Output is not escaped | ||
| #2516 | Depicter — Popup & Slider Builder | 36 | 130 | 121 | 80k+ | Exception output is not escaped | ||
| #2517 | Different Menu in Different Pages – Conditional Menu | 36 | 167 | 113 | 4k+ | Text Domain Mismatch | ||
| #2518 | Doneren met Mollie | 36 | 420 | 351 | 4k+ | SQL query is not prepared | ||
| #2519 | Drag and Drop Multiple File Upload for Contact Form 7 | 36 | 82 | 36 | 60k+ | wp function not compatible with requires wp | ||
| #2520 | Duplicate Post – duplicate pages, copy content, clone posts | 36 | 76 | 81 | 5k+ | wp function not compatible with requires wp | ||
| #2521 | Dynamic Copyright Year | 36 | 972 | 43 | 800 | Output is not escaped | ||
| #2522 | Dynamic Front-End Heartbeat Control | 36 | 217 | 111 | 1k+ | Text Domain Mismatch | ||
| #2523 | Dynamic Visibility for Elementor | 36 | 56 | 89 | 50k+ | Non-prefixed hook name | ||
| #2524 | WP CTA – Call Now Button, Sticky Button & Call to Action Builder | 36 | 1 | 433 | 2k+ | Non-prefixed global variable | ||
| #2525 | Easy Support Videos – Embed videos in the admin | 36 | 160 | 95 | 500 | Output is not escaped | ||
| #2526 | Product Carousel Slider for Elementor | 36 | 148 | 63 | 1k+ | Text Domain Mismatch | ||
| #2527 | Email Before Download | 36 | 89 | 29 | 6k+ | Unsafe printing function | ||
| #2528 | Endora | 36 | 53 | 72 | 1k+ | Output is not escaped | ||
| #2529 | Enhanced Media Library | 36 | 361 | 117 | 60k+ | Unsafe printing function | ||
| #2530 | Enormail Sign Up Forms | 36 | 133 | 126 | 400 | Output is not escaped | ||
| #2531 | Events Manager and WPML Compatibility | 36 | 101 | 177 | 1k+ | Direct Query | ||
| #2532 | Export Variable Products | 36 | 79 | 49 | 400 | Text Domain Mismatch | ||
| #2533 | Happy WooCommerce FAQs – Ultimate Product FAQ Plugin | 36 | 65 | 119 | 1k+ | Nonce verification recommended | ||
| #2534 | FreePay for WooCommerce | 36 | 114 | 102 | 400 | Output is not escaped | ||
| #2535 | Friendly Functions for Welcart | 36 | 311 | 83 | 1k+ | Non Singular String Literal Domain | ||
| #2536 | GetPaid > Wallet | 36 | 174 | 227 | 700 | Text Domain Mismatch | ||
| #2537 | Google SEO Pressor for Rich snippets | 36 | 51 | 160 | 400 | Missing nonce verification | ||
| #2538 | Google Webfont Optimizer | 36 | 45 | 49 | 700 | Output is not escaped | ||
| #2539 | Gutena Kit – Gutenberg Blocks and Templates | 36 | 39 | 87 | 1k+ | Nonce verification recommended | ||
| #2540 | Header Footer Code Manager | 36 | 81 | 180 | 600k+ | Non-prefixed global variable | ||
| #2541 | Optimize Social Share | 36 | 203 | 61 | 3k+ | Unsafe printing function | ||
| #2542 | HTML Forms – Simple WordPress Forms Plugin | 36 | 231 | 166 | 10k+ | Output is not escaped | ||
| #2543 | HTML5 Maps | 36 | 194 | 160 | 5k+ | Output is not escaped | ||
| #2544 | HTTP Requests Manager | 36 | 98 | 90 | 1k+ | Output is not escaped | ||
| #2545 | Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS | 36 | 68 | 33 | 6k+ | Output is not escaped | ||
| #2546 | If-So Geolocation | 36 | 50 | 57 | 1k+ | Non-prefixed global variable | ||
| #2547 | Insert Headers and Footers Code – HT Script | 36 | 391 | 34 | 7k+ | Text Domain Mismatch | ||
| #2548 | IntelliWidget Per Page Custom Menus and Dynamic Content | 36 | 586 | 162 | 600 | Output is not escaped | ||
| #2549 | Italy Cookie Choices (for EU Cookie Law & Cookie Notice) | 36 | 115 | 77 | 10k+ | Unsafe printing function | ||
| #2550 | Just TinyMCE Custom Styles | 36 | 112 | 28 | 1k+ | Missing Arg Domain |