WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2601Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce36371216k+Non-prefixed global variable
#2602The Events Calendar Shortcode & Block367012710k+Non-prefixed hook name
#2603Toolbox for Asgaros Forum36150841k+Output is not escaped
#2604Plugin Name: Traffic Counter Widget Plugin3671107600Output is not escaped
#2605Zoho ZeptoMail36321105k+Request data is not unslashed
#2606TrustMate.io – WooCommerce integration362551013k+Output is not escaped
#2607FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin361043910k+Output is not escaped
#2608Ubigeo de Perú para Woocommerce y WordPress361912354k+Non-prefixed function
#2609Slider Ultimate3629480500Output is not escaped
#2610underConstruction36986040k+Unsafe printing function
#2611PDF Flipbook, WPBakery Addon – Unreal FlipBook36400921k+Non Singular String Literal Domain
#2612User Roles and Capabilities362271328k+Output is not escaped
#2613Video Thumbnails Reloaded36343582k+Text Domain Mismatch
#2614VK Post Author Display368711310k+Non-prefixed function
#2615W4 Post List36491373k+Non-prefixed global variable
#2616Wanderlust OCA para WooCommerce3615755500Text Domain Mismatch
#2617WC Builder – WooCommerce Page Builder for WPBakery36647501k+Text Domain Mismatch
#2618Out of Stock Message Manager for WooCommerce36293952k+Text Domain Mismatch
#2619WC Pickup Store36245522k+Output is not escaped
#2620Quantity Plus Minus Button for WooCommerce36838410k+Output is not escaped
#2621Conditional Payments and Shipping for WooCommerce36337271k+Text Domain Mismatch
#2622Shipping with Venipak for WooCommerce36239611k+Text Domain Mismatch
#2623When Last Login365212350k+Non-prefixed global variable
#2624Disable Payment Methods based on cart conditions for WooCommerce36158571k+Non Singular String Literal Domain
#2625Custom Add to Cart Button Label and Link for WooCommerce363711123k+Text Domain Mismatch
#2626Guaranteed Reviews Company (Société des Avis Garantis)363691971k+Output is not escaped
#2627Rabo Smart Pay for WooCommerce3615055600Text Domain Mismatch
#2628Extended Coupon Features for WooCommerce FREE362196310k+Text Domain Mismatch
#2629CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce36165695k+Text Domain Mismatch
#2630Eway Payments for Woo36525403k+Text Domain Mismatch
#2631SuperFaktura WooCommerce36601162k+Nonce verification recommended
#2632Hide admin notices – Admin Notification Center36114678k+Output is not escaped
#2633WP Better Permalinks36110591k+Output is not escaped
#2634Export Themes36122902k+Non-prefixed constant
#2635WP Coder – Insert & Manage Code Snippets365328010k+Nonce verification recommended
#2636WP Counter368643800Output is not escaped
#2637WP-EMail36340951k+Unsafe printing function
#2638WP Header Images361741336k+Unsafe printing function
#2639WP LaTeX3610312700Output is not escaped
#2640WP Mail36202201500Output is not escaped
#2641Payment Button for PayPal36155864k+Unsafe printing function
#2642WP Publication Archive3619764400Text Domain Mismatch
#2643WP Responsive Menu3629513930k+Text Domain Mismatch
#2644WP Hardening (discontinued)362308510k+Text Domain Mismatch
#2645WP Show Posts3610710270k+Output is not escaped
#2646WP Socializer – Simple & Easy Social Media Share Icons362145110k+Output is not escaped
#2647WP Sort Order361342116k+Direct Query
#2648WP Stripe Checkout361981181k+Unsafe printing function
#2649WP Super Edit36351852k+Nonce verification recommended
#2650Yandex.Metrica36763060k+Output is not escaped