WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2601 | Advance Side Cart, Ajax Cart & Floating Cart for WooCommerce | 36 | 37 | 121 | 6k+ | Non-prefixed global variable | ||
| #2602 | The Events Calendar Shortcode & Block | 36 | 70 | 127 | 10k+ | Non-prefixed hook name | ||
| #2603 | Toolbox for Asgaros Forum | 36 | 150 | 84 | 1k+ | Output is not escaped | ||
| #2604 | Plugin Name: Traffic Counter Widget Plugin | 36 | 71 | 107 | 600 | Output is not escaped | ||
| #2605 | Zoho ZeptoMail | 36 | 32 | 110 | 5k+ | Request data is not unslashed | ||
| #2606 | TrustMate.io – WooCommerce integration | 36 | 255 | 101 | 3k+ | Output is not escaped | ||
| #2607 | FOMO & Social Proof Notifications by TrustPulse – Best WordPress FOMO Plugin | 36 | 104 | 39 | 10k+ | Output is not escaped | ||
| #2608 | Ubigeo de Perú para Woocommerce y WordPress | 36 | 191 | 235 | 4k+ | Non-prefixed function | ||
| #2609 | Slider Ultimate | 36 | 294 | 80 | 500 | Output is not escaped | ||
| #2610 | underConstruction | 36 | 98 | 60 | 40k+ | Unsafe printing function | ||
| #2611 | PDF Flipbook, WPBakery Addon – Unreal FlipBook | 36 | 400 | 92 | 1k+ | Non Singular String Literal Domain | ||
| #2612 | User Roles and Capabilities | 36 | 227 | 132 | 8k+ | Output is not escaped | ||
| #2613 | Video Thumbnails Reloaded | 36 | 343 | 58 | 2k+ | Text Domain Mismatch | ||
| #2614 | VK Post Author Display | 36 | 87 | 113 | 10k+ | Non-prefixed function | ||
| #2615 | W4 Post List | 36 | 49 | 137 | 3k+ | Non-prefixed global variable | ||
| #2616 | Wanderlust OCA para WooCommerce | 36 | 157 | 55 | 500 | Text Domain Mismatch | ||
| #2617 | WC Builder – WooCommerce Page Builder for WPBakery | 36 | 647 | 50 | 1k+ | Text Domain Mismatch | ||
| #2618 | Out of Stock Message Manager for WooCommerce | 36 | 293 | 95 | 2k+ | Text Domain Mismatch | ||
| #2619 | WC Pickup Store | 36 | 245 | 52 | 2k+ | Output is not escaped | ||
| #2620 | Quantity Plus Minus Button for WooCommerce | 36 | 83 | 84 | 10k+ | Output is not escaped | ||
| #2621 | Conditional Payments and Shipping for WooCommerce | 36 | 337 | 27 | 1k+ | Text Domain Mismatch | ||
| #2622 | Shipping with Venipak for WooCommerce | 36 | 239 | 61 | 1k+ | Text Domain Mismatch | ||
| #2623 | When Last Login | 36 | 52 | 123 | 50k+ | Non-prefixed global variable | ||
| #2624 | Disable Payment Methods based on cart conditions for WooCommerce | 36 | 158 | 57 | 1k+ | Non Singular String Literal Domain | ||
| #2625 | Custom Add to Cart Button Label and Link for WooCommerce | 36 | 371 | 112 | 3k+ | Text Domain Mismatch | ||
| #2626 | Guaranteed Reviews Company (Société des Avis Garantis) | 36 | 369 | 197 | 1k+ | Output is not escaped | ||
| #2627 | Rabo Smart Pay for WooCommerce | 36 | 150 | 55 | 600 | Text Domain Mismatch | ||
| #2628 | Extended Coupon Features for WooCommerce FREE | 36 | 219 | 63 | 10k+ | Text Domain Mismatch | ||
| #2629 | CatalogX – Catalog Mode, Enquiry & Quotes for WooCommerce | 36 | 165 | 69 | 5k+ | Text Domain Mismatch | ||
| #2630 | Eway Payments for Woo | 36 | 525 | 40 | 3k+ | Text Domain Mismatch | ||
| #2631 | SuperFaktura WooCommerce | 36 | 60 | 116 | 2k+ | Nonce verification recommended | ||
| #2632 | Hide admin notices – Admin Notification Center | 36 | 114 | 67 | 8k+ | Output is not escaped | ||
| #2633 | WP Better Permalinks | 36 | 110 | 59 | 1k+ | Output is not escaped | ||
| #2634 | Export Themes | 36 | 122 | 90 | 2k+ | Non-prefixed constant | ||
| #2635 | WP Coder – Insert & Manage Code Snippets | 36 | 53 | 280 | 10k+ | Nonce verification recommended | ||
| #2636 | WP Counter | 36 | 86 | 43 | 800 | Output is not escaped | ||
| #2637 | WP-EMail | 36 | 340 | 95 | 1k+ | Unsafe printing function | ||
| #2638 | WP Header Images | 36 | 174 | 133 | 6k+ | Unsafe printing function | ||
| #2639 | WP LaTeX | 36 | 103 | 12 | 700 | Output is not escaped | ||
| #2640 | WP Mail | 36 | 202 | 201 | 500 | Output is not escaped | ||
| #2641 | Payment Button for PayPal | 36 | 155 | 86 | 4k+ | Unsafe printing function | ||
| #2642 | WP Publication Archive | 36 | 197 | 64 | 400 | Text Domain Mismatch | ||
| #2643 | WP Responsive Menu | 36 | 295 | 139 | 30k+ | Text Domain Mismatch | ||
| #2644 | WP Hardening (discontinued) | 36 | 230 | 85 | 10k+ | Text Domain Mismatch | ||
| #2645 | WP Show Posts | 36 | 107 | 102 | 70k+ | Output is not escaped | ||
| #2646 | WP Socializer – Simple & Easy Social Media Share Icons | 36 | 214 | 51 | 10k+ | Output is not escaped | ||
| #2647 | WP Sort Order | 36 | 134 | 211 | 6k+ | Direct Query | ||
| #2648 | WP Stripe Checkout | 36 | 198 | 118 | 1k+ | Unsafe printing function | ||
| #2649 | WP Super Edit | 36 | 35 | 185 | 2k+ | Nonce verification recommended | ||
| #2650 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output is not escaped |