WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2851XT Visitor Counter37177527k+Output is not escaped
#2852Yada Wiki37207452k+Text Domain Mismatch
#2853YOURLS Link Creator3719639500Text Domain Mismatch
#2854Zakeke Interactive Product Designer for WooCommerce371861772k+Nonce verification recommended
#2855Zoho Marketing Automation37241941k+Non-prefixed global variable
#2856Zendesk Chat37446710k+Output is not escaped
#2857Accessibility3866611k+Non-prefixed global variable
#2858AccessibleWP – Accessibility Toolbar383812620k+Text Domain Mismatch
#2859ACF-VC Integrator38190913k+Output is not escaped
#2860Parallax Scroll by adamrob.co.uk38102511k+Output is not escaped
#2861Add Customer for WooCommerce382291531k+Text Domain Mismatch
#2862Admin Bar Editor – Toolbar Customization with User Role based access & Custom menus3856463k+Output is not escaped
#2863Admin Bar & Dashboard Access Control3894373k+Text Domain Mismatch
#2864Admin Management Xtended382801615k+Output is not escaped
#2865AdRoll for WooCommerce Stores384025600Output is not escaped
#2866AWCA – The Great Analytics Insights for Your eStore382381432k+Output is not escaped
#2867Advanced 301 and 302 Redirect38813391k+Non-prefixed global variable
#2868Advanced Media Offloader3857935k+error log error log
#2869Advanced Sermons388331841k+Unsafe printing function
#2870Afterpay Gateway for WooCommerce381836210k+Text Domain Mismatch
#2871Alphabetic Pagination38144117500Unsafe printing function
#2872Announce from the Dashboard38138247k+Non Singular String Literal Domain
#2873Announcement Bar38192613k+Non Singular String Literal Domain
#2874Any Mobile Theme Switcher38695920k+Output is not escaped
#2875Aplazame383439500Non-prefixed global variable
#2876Activity Log – Monitor & Record User Changes3881149200k+Nonce verification recommended
#2877Ashe Extra38109543k+Text Domain Mismatch
#2878Attachments38238668k+Unsafe printing function
#2879Audio Story Images384644400Output is not escaped
#2880Author Category3885254k+Output is not escaped
#2881Auto Prune Posts3854571k+Output is not escaped
#2882Autologin Links3873748k+Output is not escaped
#2883Automatic Post Tagger385923072k+Output is not escaped
#2884bbPress Login Register Links On Forum Topic Pages3814236600Text Domain Mismatch
#2885Beauty Form Styler for Gravity Forms387093600Output is not escaped
#2886Before After Image Comparison Slider for Elementor38633610k+Text Domain Mismatch
#2887Bible Verse of the Day38378233k+Unsafe printing function
#2888SoftTech-IT bKash, Rocket, Nagad38164816k+Text Domain Mismatch
#2889Blogger Importer38443950k+Output is not escaped
#2890Bot Block – Stop Spam Referrals in Google Analytics382842600Output is not escaped
#2891BuddyPress Follow38114671k+Text Domain Mismatch
#2892Cache Warmer38322191k+Interpolated SQL is not prepared
#2893Car Route Planner Plugin3813517400Output is not escaped
#2894Category Posts Widget381532640k+Output is not escaped
#2895Cecabank WooCommerce Plugin3863323k+Text Domain Mismatch
#2896Certificate Verification3833401k+Output is not escaped
#2897Database for Contact Form 738341287k+Missing nonce verification
#2898Contact Form 7 – Post Fields38167253k+Text Domain Mismatch
#2899CF7 to Webhook381027230k+Unsafe printing function
#2900Checkout Files Upload for WooCommerce38571207k+Input is not sanitized