WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2701 | CookieAdmin – Cookie Consent Banner | 37 | 43 | 86 | 400k+ | Nonce verification recommended | ||
| #2702 | CorvusPay WooCommerce Payment Gateway | 37 | 29 | 141 | 1k+ | Missing nonce verification | ||
| #2703 | Crafty Social Buttons | 37 | 279 | 27 | 900 | Non Singular String Literal Domain | ||
| #2704 | Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter | 37 | 151 | 61 | 600 | Output is not escaped | ||
| #2705 | Simple Custom CSS and JS | 37 | 168 | 69 | 600k+ | Output is not escaped | ||
| #2706 | Custom CSS Manager | 37 | 55 | 20 | 1k+ | Output is not escaped | ||
| #2707 | Custom Post Template | 37 | 48 | 30 | 10k+ | Output is not escaped | ||
| #2708 | Customer Email Verification for WooCommerce | 37 | 165 | 164 | 2k+ | Nonce verification recommended | ||
| #2709 | Debug Log Viewer | 37 | 26 | 83 | 1k+ | Missing nonce verification | ||
| #2710 | Donation Block For PayPal | 37 | 23 | 106 | 600 | Input is not validated | ||
| #2711 | DSGVO/GDPR Cookies, DSE, Impressum & Google Fonts Proxy | 37 | 391 | 25 | 700 | Text Domain Mismatch | ||
| #2712 | Duo Two-Factor Authentication | 37 | 44 | 61 | 3k+ | Missing nonce verification | ||
| #2713 | Easy Photo Album | 37 | 360 | 43 | 1k+ | Text Domain Mismatch | ||
| #2714 | Pricing Table WordPress Plugin – Easy Pricing Tables | 37 | 332 | 161 | 10k+ | Output is not escaped | ||
| #2715 | Easy Testimonial Slider and Form | 37 | 14 | 144 | 700 | Request data is not unslashed | ||
| #2716 | EasyMe Connect | 37 | 130 | 45 | 500 | Text Domain Mismatch | ||
| #2717 | Eazy CF Captcha | 37 | 93 | 54 | 500 | Text Domain Mismatch | ||
| #2718 | WP eBay Product Feeds | 37 | 136 | 31 | 700 | Output is not escaped | ||
| #2719 | Excerpt Editor | 37 | 170 | 142 | 500 | Unsafe printing function | ||
| #2720 | Exploit Scanner | 37 | 25 | 130 | 8k+ | Non-prefixed global variable | ||
| #2721 | Facturare WooCommerce | 37 | 158 | 106 | 3k+ | Text Domain Mismatch | ||
| #2722 | 果果推送 | 37 | 31 | 56 | 1k+ | Nonce verification recommended | ||
| #2723 | Gmail SMTP | 37 | 85 | 71 | 10k+ | Unsafe printing function | ||
| #2724 | GHL Gravity Bridge – Send Gravity Forms leads to GHL CRM | 37 | 59 | 269 | 600 | Direct Query | ||
| #2725 | GoCache | 37 | 273 | 43 | 900 | Non Singular String Literal Domain | ||
| #2726 | XML Sitemap Generator for Google | 37 | 43 | 79 | 1m+ | Input is not validated | ||
| #2727 | GoPay for WooCommerce | 37 | 66 | 103 | 1k+ | Non-prefixed global variable | ||
| #2728 | GS Portfolio for Envato | 37 | 155 | 75 | 4k+ | Text Domain Mismatch | ||
| #2729 | Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder | 37 | 83 | 113 | 20k+ | SQL query is not prepared | ||
| #2730 | HandL UTM Grabber / Tracker | 37 | 31 | 146 | 10k+ | Missing nonce verification | ||
| #2731 | Horizontal scrolling announcements | 37 | 215 | 140 | 8k+ | Output is not escaped | ||
| #2732 | HT Builder – WordPress Theme Builder for Elementor | 37 | 142 | 41 | 1k+ | Output is not escaped | ||
| #2733 | HT Menu – WordPress Mega Menu Builder for Elementor | 37 | 302 | 58 | 3k+ | Text Domain Mismatch | ||
| #2734 | .htaccess Site Access Control | 37 | 54 | 67 | 800 | Input is not sanitized | ||
| #2735 | Humans TXT | 37 | 159 | 86 | 400 | Output is not escaped | ||
| #2736 | Image Optimizer by 10web – Image Optimizer and Compression plugin | 37 | 244 | 45 | 3k+ | Text Domain Mismatch | ||
| #2737 | Images Optimize and Upload CF7 | 37 | 130 | 36 | 600 | Non Singular String Literal Domain | ||
| #2738 | Images to WebP | 37 | 39 | 50 | 9k+ | curl curl setopt | ||
| #2739 | Injection Guard | 37 | 86 | 45 | 1k+ | Unsafe printing function | ||
| #2740 | Job Manager & Career – Manage job board listings, and recruitments | 37 | 112 | 205 | 2k+ | Missing nonce verification | ||
| #2741 | JS Help Desk – AI-Powered Support & Ticketing System | 37 | 17 | 406 | 7k+ | Missing nonce verification | ||
| #2742 | JVM Rich Text Icons | 37 | 87 | 34 | 3k+ | Output is not escaped | ||
| #2743 | Language Switcher | 37 | 81 | 105 | 1k+ | Missing Translators Comment | ||
| #2744 | LH Archived Post Status | 37 | 150 | 64 | 3k+ | Text Domain Mismatch | ||
| #2745 | List category posts | 37 | 161 | 17 | 80k+ | Output is not escaped | ||
| #2746 | PiWeb Live sales notification for WooCommerce | 37 | 289 | 77 | 30k+ | Text Domain Mismatch | ||
| #2747 | LiveAgent – Omnichannel Help Desk & Live Chat Software | 37 | 125 | 142 | 400 | Non Singular String Literal Domain | ||
| #2748 | LiveJournal Importer | 37 | 86 | 67 | 8k+ | Output is not escaped | ||
| #2749 | MailingBoss WP Plugin | 37 | 108 | 30 | 600 | Output is not escaped | ||
| #2750 | Maintenance Page | 37 | 62 | 33 | 3k+ | Output is not escaped |