WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2651 | Yandex.Metrica | 36 | 76 | 30 | 60k+ | Output is not escaped | ||
| #2652 | WPAvatar | 36 | 425 | 45 | 700 | Unsafe printing function | ||
| #2653 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #2654 | WPLMS H5P | 36 | 111 | 106 | 1k+ | Text Domain Mismatch | ||
| #2655 | Wppao Sitemap | 36 | 128 | 21 | 9k+ | Output is not escaped | ||
| #2656 | wpShopGermany IT-RECHT KANZLEI | 36 | 37 | 47 | 500 | Input is not sanitized | ||
| #2657 | YayExtra – WooCommerce Extra Product Options | 36 | 11 | 472 | 1k+ | Non-prefixed global variable | ||
| #2658 | Visual CSS Style Editor | 36 | 283 | 233 | 40k+ | Output is not escaped | ||
| #2659 | Custom Product Tabs for WooCommerce | 36 | 87 | 81 | 80k+ | Output is not escaped | ||
| #2660 | 360 Javascript Viewer | 37 | 144 | 22 | 1k+ | Output is not escaped | ||
| #2661 | Redirectioner | 37 | 234 | 410 | 1k+ | Output is not escaped | ||
| #2662 | ACF: TablePress | 37 | 160 | 45 | 1k+ | Text Domain Mismatch | ||
| #2663 | Adapta RGPD | 37 | 349 | 72 | 40k+ | Text Domain Mismatch | ||
| #2664 | Adaptive Images for WordPress | 37 | 51 | 75 | 3k+ | Output is not escaped | ||
| #2665 | Add From Server | 37 | 52 | 20 | 60k+ | Output is not escaped | ||
| #2666 | AddToAny Share Buttons | 37 | 123 | 164 | 300k+ | Unsafe printing function | ||
| #2667 | Add to Cart Redirect for WooCommerce | 37 | 215 | 141 | 8k+ | Text Domain Mismatch | ||
| #2668 | Advanced Accordion Gutenberg Block – Create Beautiful FAQs, Content Accordions & Interactive Tabs | 37 | 39 | 36 | 10k+ | Missing direct file access protection | ||
| #2669 | PiWeb Advanced Flat rate / Conditional shipping for WooCommerce | 37 | 84 | 192 | 2k+ | wp function not compatible with requires wp | ||
| #2670 | Agreeable | 37 | 40 | 67 | 800 | Unsafe printing function | ||
| #2671 | AJAX Hits Counter + Popular Posts Widget | 37 | 247 | 44 | 900 | Output is not escaped | ||
| #2672 | Analytics Spam Blocker | 37 | 76 | 22 | 800 | Unsafe printing function | ||
| #2673 | Antom Payments | 37 | 62 | 73 | 800 | badly named files | ||
| #2674 | All-in-one Chat Button by anychat.one | 37 | 119 | 69 | 900 | Text Domain Mismatch | ||
| #2675 | Anything Popup | 37 | 164 | 185 | 2k+ | Non-prefixed global variable | ||
| #2676 | Apaczka: integracja z WooCommerce | 37 | 8 | 316 | 3k+ | Non-prefixed global variable | ||
| #2677 | Login by Auth0 | 37 | 307 | 82 | 10k+ | Text Domain Mismatch | ||
| #2678 | authLdap | 37 | 46 | 30 | 4k+ | Exception output is not escaped | ||
| #2679 | avalex – Automatisch sichere Rechtstexte | 37 | 25 | 85 | 1k+ | Direct Query | ||
| #2680 | AZAN Plugin | 37 | 44 | 30 | 500 | Output is not escaped | ||
| #2681 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | 37 | 104 | 174 | 1k+ | Output is not escaped | ||
| #2682 | Custom Thank You Page Customize For WooCommerce by Binary Carpenter | 37 | 45 | 80 | 2k+ | error log error log | ||
| #2683 | Better Click To Share – Shareable Quote Boxes for X (Twitter) | 37 | 170 | 59 | 6k+ | Unsafe printing function | ||
| #2684 | Blimply | 37 | 172 | 43 | 800 | Text Domain Mismatch | ||
| #2685 | Blog News Addons For Elementor (News, Magazine and Blog Addons) | 37 | 23 | 296 | 400 | Non-prefixed global variable | ||
| #2686 | Customize WordPress Emails and Alerts – Better Notifications for WP | 37 | 64 | 47 | 30k+ | Missing Arg Domain | ||
| #2687 | Booster Extension | 37 | 28 | 289 | 7k+ | Non-prefixed global variable | ||
| #2688 | Britetechs Companion | 37 | 966 | 613 | 2k+ | Text Domain Mismatch | ||
| #2689 | BuddyPress Members Only | 37 | 184 | 80 | 1k+ | Text Domain Mismatch | ||
| #2690 | bunny.net – WordPress CDN Plugin | 37 | 165 | 159 | 10k+ | Output is not escaped | ||
| #2691 | Delivery Date Time & Pickup for WooCommerce | 37 | 148 | 216 | 400 | Output is not escaped | ||
| #2692 | Catalog Booster & Product Catalog Mode for WooCommerce | 37 | 106 | 168 | 1k+ | Non-prefixed function | ||
| #2693 | Checkout for PayPal | 37 | 134 | 67 | 600 | Unsafe printing function | ||
| #2694 | Clearpay Gateway for WooCommerce | 37 | 185 | 63 | 1k+ | Text Domain Mismatch | ||
| #2695 | ClickCease Click Fraud Protection | 37 | 30 | 58 | 10k+ | Non-prefixed class | ||
| #2696 | ClickRank – Ai SEO Automation | 37 | 10 | 226 | 1k+ | Direct Query | ||
| #2697 | CodePeople Post Map for Google Maps | 37 | 257 | 31 | 3k+ | Unsafe printing function | ||
| #2698 | Lightweight Subscribe To Comments | 37 | 105 | 70 | 1k+ | Unsafe printing function | ||
| #2699 | PiWeb Conditional cart fee / Extra charge rule for WooCommerce | 37 | 164 | 214 | 2k+ | Text Domain Mismatch | ||
| #2700 | Constant Contact Forms by MailMunch | 37 | 147 | 53 | 2k+ | wp function not compatible with requires wp |