WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2501Contact Form 7 Polylang Module3632455k+Output is not escaped
#2502CloudPayments Gateway for WooCommerce3620570500Text Domain Mismatch
#2503CLP – Custom Login Page by NiteoThemes3624049700Output is not escaped
#2504CM Header and Footer – Add custom scripts and styles to your header and footer with ease362301981k+Output is not escaped
#2505Code Snippets36342031m+Nonce verification recommended
#2506ColorMeShop WordPress Plugin3639237600Exception output is not escaped
#2507Coming Soon, Under Construction & Maintenance Mode By Dazzler361731326k+Text Domain Mismatch
#2508Conditional Payments for WooCommerce3629218410k+Text Domain Mismatch
#2509Conditional Shipping for WooCommerce369319610k+Non-prefixed global variable
#2510Continuous Image Carousel With Lightbox362551291k+Output is not escaped
#2511Crelly Slider3642118510k+Unsafe printing function
#2512Custom Database Applications by Caspio363263400Input is not sanitized
#2513Custom PHP Settings361537610k+Output is not escaped
#2514Custom Category Post Order368083500Text Domain Mismatch
#2515Dashboard Widgets Suite362061244k+Output is not escaped
#2516Depicter — Popup & Slider Builder3613012180k+Exception output is not escaped
#2517Different Menu in Different Pages – Conditional Menu361671134k+Text Domain Mismatch
#2518Doneren met Mollie364203514k+SQL query is not prepared
#2519Drag and Drop Multiple File Upload for Contact Form 736823660k+wp function not compatible with requires wp
#2520Duplicate Post – duplicate pages, copy content, clone posts3676815k+wp function not compatible with requires wp
#2521Dynamic Copyright Year3697243800Output is not escaped
#2522Dynamic Front-End Heartbeat Control362171111k+Text Domain Mismatch
#2523Dynamic Visibility for Elementor36568950k+Non-prefixed hook name
#2524WP CTA – Call Now Button, Sticky Button & Call to Action Builder3614332k+Non-prefixed global variable
#2525Easy Support Videos – Embed videos in the admin3616095500Output is not escaped
#2526Product Carousel Slider for Elementor36148631k+Text Domain Mismatch
#2527Email Before Download3689296k+Unsafe printing function
#2528Endora3653721k+Output is not escaped
#2529Enhanced Media Library3636111760k+Unsafe printing function
#2530Enormail Sign Up Forms36133126400Output is not escaped
#2531Events Manager and WPML Compatibility361011771k+Direct Query
#2532Export Variable Products367949400Text Domain Mismatch
#2533Happy WooCommerce FAQs – Ultimate Product FAQ Plugin36651191k+Nonce verification recommended
#2534FreePay for WooCommerce36114102400Output is not escaped
#2535Friendly Functions for Welcart36311831k+Non Singular String Literal Domain
#2536GetPaid > Wallet36174227700Text Domain Mismatch
#2537Google SEO Pressor for Rich snippets3651160400Missing nonce verification
#2538Google Webfont Optimizer364549700Output is not escaped
#2539Gutena Kit – Gutenberg Blocks and Templates3639871k+Nonce verification recommended
#2540Header Footer Code Manager3681180600k+Non-prefixed global variable
#2541Optimize Social Share36203613k+Unsafe printing function
#2542HTML Forms – Simple WordPress Forms Plugin3623116610k+Output is not escaped
#2543HTML5 Maps361941605k+Output is not escaped
#2544HTTP Requests Manager3698901k+Output is not escaped
#2545Page Speed Optimizer: HTTP/2 Push, Async JavaScript, and Defer CSS3668336k+Output is not escaped
#2546If-So Geolocation3650571k+Non-prefixed global variable
#2547Insert Headers and Footers Code – HT Script36391347k+Text Domain Mismatch
#2548IntelliWidget Per Page Custom Menus and Dynamic Content36586162600Output is not escaped
#2549Italy Cookie Choices (for EU Cookie Law & Cookie Notice)361157710k+Unsafe printing function
#2550Just TinyMCE Custom Styles36112281k+Missing Arg Domain