WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2551 | Legal Text Connector of the IT-Recht Kanzlei | 36 | 45 | 46 | 10k+ | Exception output is not escaped | ||
| #2552 | Linkable Title Html and Php Widget | 36 | 108 | 31 | 600 | Output is not escaped | ||
| #2553 | Login as User | 36 | 101 | 64 | 30k+ | Output is not escaped | ||
| #2554 | LocalWeb All In One | 36 | 34 | 297 | 5k+ | Non-prefixed global variable | ||
| #2555 | MailMunch – Grow your Email List | 36 | 102 | 49 | 6k+ | Output is not escaped | ||
| #2556 | Manage Notification E-mails | 36 | 129 | 98 | 100k+ | Non-prefixed function | ||
| #2557 | Materialis Companion | 36 | 129 | 67 | 6k+ | Unsafe printing function | ||
| #2558 | Media Deduper | 36 | 60 | 99 | 9k+ | Missing Arg Domain | ||
| #2559 | Microsoft Clarity | 36 | 48 | 163 | 200k+ | Nonce verification recommended | ||
| #2560 | Mobile Menu Builder for WordPress | 36 | 81 | 33 | 600 | Output is not escaped | ||
| #2561 | 코드엠샵 마이사이트 – MSHOP MY SITE | 36 | 58 | 55 | 800 | Output is not escaped | ||
| #2562 | Multiple Sidebars | 36 | 109 | 75 | 600 | Non Singular String Literal Domain | ||
| #2563 | WP Sticky Sidebar – Floating Sidebar On Scroll for Any Theme | 36 | 93 | 84 | 10k+ | Non-prefixed global variable | ||
| #2564 | News Manager | 36 | 134 | 57 | 600 | Output is not escaped | ||
| #2565 | News Ticker for Elementor | 36 | 76 | 57 | 2k+ | Text Domain Mismatch | ||
| #2566 | NextGEN Custom Fields | 36 | 215 | 131 | 1k+ | SQL query is not prepared | ||
| #2567 | MailerLite – Signup forms (official) | 36 | 430 | 158 | 100k+ | Output is not escaped | ||
| #2568 | We’re Open! | 36 | 273 | 187 | 5k+ | Unsafe printing function | ||
| #2569 | Order Status History for WooCommerce | 36 | 210 | 171 | 1k+ | Output is not escaped | ||
| #2570 | Ovation Elements | 36 | 23 | 399 | 10k+ | Non-prefixed global variable | ||
| #2571 | Ozh' Admin Drop Down Menu | 36 | 125 | 43 | 3k+ | Output is not escaped | ||
| #2572 | PayTR Sanal POS WooCommerce – iFrame API | 36 | 117 | 54 | 10k+ | Output is not escaped | ||
| #2573 | PDF Forms Filler for CF7 | 36 | 185 | 79 | 3k+ | Text Domain Mismatch | ||
| #2574 | PDF Forms Filler for WPForms | 36 | 161 | 54 | 600 | Text Domain Mismatch | ||
| #2575 | Peter’s Post Notes | 36 | 224 | 102 | 3k+ | Output is not escaped | ||
| #2576 | Photonic Gallery & Lightbox for Flickr, SmugMug & Others | 36 | 180 | 117 | 10k+ | Missing Translators Comment | ||
| #2577 | Photoswipe Masonry Gallery | 36 | 57 | 47 | 6k+ | Non Singular String Literal Text | ||
| #2578 | Plugins Garbage Collector (Database Cleanup) | 36 | 32 | 51 | 10k+ | Missing nonce verification | ||
| #2579 | Post Views Stats Counter | 36 | 142 | 241 | 700 | Non-prefixed global variable | ||
| #2580 | ActiveCampaign Postmark for WordPress | 36 | 47 | 75 | 50k+ | Text Domain Mismatch | ||
| #2581 | WowStore – Store Builder & Product Blocks for WooCommerce | 36 | 56 | 437 | 4k+ | Non-prefixed global variable | ||
| #2582 | افزونه رسمی ترب | 36 | 42 | 86 | 30k+ | Exception output is not escaped | ||
| #2583 | Qubely – Advanced Gutenberg Blocks | 36 | 39 | 78 | 8k+ | Request data is not unslashed | ||
| #2584 | Quick 301 Redirects | 36 | 89 | 120 | 5k+ | Non-prefixed global variable | ||
| #2585 | Direct Checkout – Quick View – Buy Now For WooCommerce | 36 | 90 | 112 | 2k+ | Missing nonce verification | ||
| #2586 | Better Find and Replace – AI-Powered Suggestions | 36 | 67 | 129 | 40k+ | Missing direct file access protection | ||
| #2587 | Recent Posts | 36 | 106 | 30 | 500 | Text Domain Mismatch | ||
| #2588 | Optimize Database after Deleting Revisions | 36 | 644 | 127 | 60k+ | Output is not escaped | ||
| #2589 | Search & Replace | 36 | 50 | 53 | 100k+ | Missing nonce verification | ||
| #2590 | Search Everything | 36 | 165 | 77 | 10k+ | Text Domain Mismatch | ||
| #2591 | Speed Optimizer – The All-In-One Performance-Boosting Plugin | 36 | 45 | 96 | 1m+ | Non-prefixed hook name | ||
| #2592 | Snippet Shortcodes | 36 | 380 | 149 | 4k+ | Non Singular String Literal Domain | ||
| #2593 | SMTP for SendGrid – YaySMTP | 36 | 27 | 96 | 1k+ | Non-prefixed global variable | ||
| #2594 | StaticPress | 36 | 88 | 79 | 500 | Output is not escaped | ||
| #2595 | Subscribe to Comments | 36 | 129 | 163 | 10k+ | Output is not escaped | ||
| #2596 | Supplier Order Email | 36 | 54 | 105 | 400 | Output is not escaped | ||
| #2597 | Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder | 36 | 162 | 40 | 200k+ | Output is not escaped | ||
| #2598 | SurveyJS: Drag & Drop Form Builder | 36 | 12 | 134 | 500 | Missing Version | ||
| #2599 | Sync QCloud COS | 36 | 63 | 109 | 600 | Non-prefixed function | ||
| #2600 | Bulk Product Editor plugin allows you to create and edit your WooCommerce products and categories with Google Sheets. | 36 | 50 | 105 | 400 | Direct Query |