WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2751 | Max Mega Menu | 37 | 249 | 174 | 300k+ | Output is not escaped | ||
| #2752 | Meks Video Importer | 37 | 62 | 239 | 2k+ | Input is not sanitized | ||
| #2753 | Metorik – Reports & Email Automation for WooCommerce | 37 | 75 | 70 | 10k+ | Output is not escaped | ||
| #2754 | CrawlWP SEO – Instant Search Engine Indexing & SEO Performance Monitor | 37 | 47 | 90 | 40k+ | Dynamic hook name | ||
| #2755 | Monobank WP Payment | 37 | 78 | 41 | 1k+ | Text Domain Mismatch | ||
| #2756 | My Post Order | 37 | 100 | 114 | 400 | Output is not escaped | ||
| #2757 | Nearby Now Reviews and Audio Testimonials | 37 | 66 | 67 | 1k+ | wp function not compatible with requires wp | ||
| #2758 | news ticker benaceur | 37 | 1,097 | 31 | 1k+ | Output is not escaped | ||
| #2759 | NextGEN Scroll Gallery | 37 | 33 | 28 | 1k+ | Output is not escaped | ||
| #2760 | Ninja Van (MY) | 37 | 21 | 258 | 1k+ | Non-prefixed global variable | ||
| #2761 | Off-Canvas Sidebars & Menus (Slidebars) | 37 | 457 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #2762 | Sendle Shipping Plugin | 37 | 91 | 64 | 800 | wp function not compatible with requires wp | ||
| #2763 | Oliver POS – WooCommerce POS for iPhone, iPad & Android | 37 | 15 | 242 | 800 | Interpolated SQL is not prepared | ||
| #2764 | WP All Export – Order Export for WooCommerce | 37 | 109 | 111 | 4k+ | Text Domain Mismatch | ||
| #2765 | OSM – OpenStreetMap | 37 | 130 | 64 | 10k+ | Output is not escaped | ||
| #2766 | Page scroll to id | 37 | 38 | 120 | 100k+ | Missing nonce verification | ||
| #2767 | PayU CommercePro Plugin | 37 | 218 | 7k+ | error log error log | |||
| #2768 | GoHero Store Customizer for WooCommerce | 37 | 75 | 53 | 600 | Unsafe printing function | ||
| #2769 | Phoenix Media Rename | 37 | 180 | 104 | 50k+ | Output is not escaped | ||
| #2770 | PNG to JPG | 37 | 130 | 173 | 10k+ | Interpolated SQL is not prepared | ||
| #2771 | POEditor | 37 | 78 | 140 | 500 | Output is not escaped | ||
| #2772 | Post Terms Order – per Post based | 37 | 70 | 36 | 2k+ | Output is not escaped | ||
| #2773 | Product page shipping calculator for WooCommerce | 37 | 217 | 117 | 1k+ | Text Domain Mismatch | ||
| #2774 | Publish to Schedule | 37 | 195 | 43 | 3k+ | Text Domain Mismatch | ||
| #2775 | Quantities and Units for WooCommerce | 37 | 133 | 118 | 1k+ | Output is not escaped | ||
| #2776 | Quentn WP | 37 | 4 | 251 | 500 | Nonce verification recommended | ||
| #2777 | Quick Restaurant Menu | 37 | 136 | 40 | 1k+ | Text Domain Mismatch | ||
| #2778 | Rich Table of Contents | 37 | 262 | 57 | 20k+ | Output is not escaped | ||
| #2779 | RSS for Yandex Zen | 37 | 240 | 100 | 4k+ | Unsafe printing function | ||
| #2780 | RSS Image Feed | 37 | 147 | 16 | 2k+ | Output is not escaped | ||
| #2781 | Ryviu – Review Importer & Product Reviews | 37 | 72 | 95 | 1k+ | Output is not escaped | ||
| #2782 | SB RSS feed plus | 37 | 172 | 24 | 1k+ | Output is not escaped | ||
| #2783 | Send PDF for Contact Form 7 | 37 | 22 | 308 | 9k+ | Non-prefixed global variable | ||
| #2784 | SendWP | 37 | 47 | 42 | 10k+ | Output is not escaped | ||
| #2785 | Sezzle Woocommerce Payment | 37 | 108 | 105 | 1k+ | Text Domain Mismatch | ||
| #2786 | Shortcoder — Create Shortcodes for Anything | 37 | 25 | 70 | 100k+ | Non-prefixed global variable | ||
| #2787 | Weaver Show Sliders | 37 | 177 | 132 | 900 | Text Domain Mismatch | ||
| #2788 | Simple Countdown Timer | 37 | 110 | 113 | 1k+ | Missing Arg Domain | ||
| #2789 | Simple Image XML Sitemap | 37 | 119 | 16 | 1k+ | Output is not escaped | ||
| #2790 | Lightbox slider – Responsive Lightbox Gallery | 37 | 36 | 173 | 3k+ | Non-prefixed global variable | ||
| #2791 | Site Offline Or Coming Soon Or Maintenance Mode | 37 | 127 | 138 | 30k+ | Unsafe printing function | ||
| #2792 | Skimlinks Affiliate Marketing Tool | 37 | 84 | 19 | 800 | wp function not compatible with requires wp | ||
| #2793 | Slider Pro | 37 | 78 | 260 | 2k+ | Non-prefixed global variable | ||
| #2794 | Smart Send Logistics | 37 | 92 | 81 | 400 | Output is not escaped | ||
| #2795 | Social Comments | 37 | 59 | 32 | 400 | Output is not escaped | ||
| #2796 | Spam Destroyer | 37 | 63 | 43 | 6k+ | rand rand | ||
| #2797 | StagTools | 37 | 476 | 53 | 1k+ | Text Domain Mismatch | ||
| #2798 | Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation | 37 | 42 | 33 | 10k+ | Output is not escaped | ||
| #2799 | SuperCPT | 37 | 172 | 27 | 600 | Output is not escaped | ||
| #2800 | Super Simple Site Offline | 37 | 115 | 59 | 6k+ | Text Domain Mismatch |