WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2801 | Swifty Bar, sticky bar by WPGens | 37 | 112 | 81 | 400 | Output is not escaped | ||
| #2802 | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | 37 | 166 | 107 | 500 | Output is not escaped | ||
| #2803 | Tracking Code Manager | 37 | 55 | 42 | 90k+ | Output is not escaped | ||
| #2804 | Tracking Script Manager | 37 | 82 | 57 | 2k+ | Non Singular String Literal Domain | ||
| #2805 | Ultimate WordPress Auction Plugin | 37 | 623 | 142 | 1k+ | Text Domain Mismatch | ||
| #2806 | Landing Page Builder – Free Landing Page Templates | 37 | 329 | 111 | 600 | Output is not escaped | ||
| #2807 | Ultimate Tag Cloud Widget | 37 | 715 | 16 | 4k+ | Output is not escaped | ||
| #2808 | User Meta Display | 37 | 78 | 74 | 500 | Output is not escaped | ||
| #2809 | UsersWP – Social Login | 37 | 299 | 91 | 2k+ | Text Domain Mismatch | ||
| #2810 | ValidateCertify Free | 37 | 123 | 97 | 1k+ | Text Domain Mismatch | ||
| #2811 | Varnish/Nginx Proxy Caching | 37 | 287 | 36 | 600 | Output is not escaped | ||
| #2812 | ViaBill – WooCommerce | 37 | 437 | 86 | 500 | Text Domain Mismatch | ||
| #2813 | Virtual Classroom – Video Conferencing & Online Meeting with BigBlueButton | 37 | 45 | 140 | 400 | Nonce verification recommended | ||
| #2814 | Featured Video for WordPress – VideographyWP | 37 | 287 | 93 | 1k+ | Unsafe printing function | ||
| #2815 | Views for WPForms – Display & Edit WPForms Entries on your site frontend | 37 | 80 | 64 | 1k+ | Output is not escaped | ||
| #2816 | Innovs WPBakery Visual Composer WHMCS Elements | 37 | 154 | 24 | 2k+ | Text Domain Mismatch | ||
| #2817 | Weather Atlas Widget | 37 | 630 | 111 | 8k+ | Output is not escaped | ||
| #2818 | Widget Box Lite | 37 | 318 | 17 | 900 | Output is not escaped | ||
| #2819 | Conditional Discounts for WooCommerce – A simple yet complete woocommerce dynamic pricing plugin | 37 | 99 | 33 | 9k+ | Text Domain Mismatch | ||
| #2820 | Orders Tracking for WooCommerce | 37 | 7 | 312 | 10k+ | Request data is not unslashed | ||
| #2821 | Módulo PagSeguro | 37 | 90 | 46 | 1k+ | Unsafe printing function | ||
| #2822 | Piraeus Bank WooCommerce Payment Gateway | 37 | 146 | 104 | 3k+ | Non Singular String Literal Domain | ||
| #2823 | SUMIT Payment Gateway for WooCommerce | 37 | 358 | 74 | 1k+ | Text Domain Mismatch | ||
| #2824 | Variation Swatches for WooCommerce | 37 | 92 | 103 | 10k+ | Output is not escaped | ||
| #2825 | Xendit Payment | 37 | 3 | 197 | 3k+ | Missing nonce verification | ||
| #2826 | Amazon Pay for WooCommerce | 37 | 29 | 117 | 10k+ | Non-prefixed class | ||
| #2827 | WP WooCommerce Mailchimp | 37 | 62 | 85 | 6k+ | Non-prefixed hook name | ||
| #2828 | WooCommerce PayPal Payments | 37 | 194 | 110 | 800k+ | Exception output is not escaped | ||
| #2829 | Quickpay for WooCommerce | 37 | 66 | 56 | 4k+ | Nonce verification recommended | ||
| #2830 | Wordable – Export Google Docs to WordPress | 37 | 47 | 63 | 2k+ | Output is not escaped | ||
| #2831 | Hustle – Email Marketing, Lead Generation, Optins, Popups | 37 | 4,894 | 5,942 | 90k+ | Non-prefixed global variable | ||
| #2832 | Fix Media Library | 37 | 53 | 71 | 1k+ | Output is not escaped | ||
| #2833 | WP Category Permalink | 37 | 75 | 31 | 2k+ | Output is not escaped | ||
| #2834 | WP-Cron Control | 37 | 54 | 22 | 1k+ | Output is not escaped | ||
| #2835 | WP Export Categories & Taxonomies | 37 | 169 | 35 | 500 | Output is not escaped | ||
| #2836 | WPForce Logout – WordPress User Login Logout Management Plugin | 37 | 567 | 32 | 8k+ | Output is not escaped | ||
| #2837 | WP FullCalendar | 37 | 32 | 64 | 8k+ | Nonce verification recommended | ||
| #2838 | WP Image Markers – Easy Hotspot Solution | 37 | 179 | 66 | 700 | Text Domain Mismatch | ||
| #2839 | WP Flow Plus | 37 | 175 | 146 | 800 | Output is not escaped | ||
| #2840 | WP PageNavi Style | 37 | 109 | 11 | 8k+ | Unsafe printing function | ||
| #2841 | Persistent Login | 37 | 338 | 108 | 6k+ | Unsafe printing function | ||
| #2842 | WP Plugin Info Card | 37 | 53 | 376 | 500 | Nonce verification recommended | ||
| #2843 | ReCaptcha Integration for WordPress | 37 | 60 | 66 | 9k+ | Output is not escaped | ||
| #2844 | WP Show Stats | 37 | 197 | 103 | 400 | Output is not escaped | ||
| #2845 | TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More | 37 | 878 | 59 | 800 | Output is not escaped | ||
| #2846 | WPElemento Importer | 37 | 121 | 88 | 9k+ | Text Domain Mismatch | ||
| #2847 | WPO365 | MICROSOFT 365 GRAPH MAILER | 37 | 112 | 83 | 10k+ | Text Domain Mismatch | ||
| #2848 | WP VR – 360 Panorama and Virtual Tour Builder | 37 | 3 | 275 | 10k+ | Non-prefixed hook name | ||
| #2849 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped | ||
| #2850 | Yada Wiki | 37 | 207 | 45 | 2k+ | Text Domain Mismatch |