WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2851 | XT Visitor Counter | 37 | 177 | 52 | 7k+ | Output is not escaped | ||
| #2852 | Yada Wiki | 37 | 207 | 45 | 2k+ | Text Domain Mismatch | ||
| #2853 | YOURLS Link Creator | 37 | 196 | 39 | 500 | Text Domain Mismatch | ||
| #2854 | Zakeke Interactive Product Designer for WooCommerce | 37 | 186 | 177 | 2k+ | Nonce verification recommended | ||
| #2855 | Zoho Marketing Automation | 37 | 24 | 194 | 1k+ | Non-prefixed global variable | ||
| #2856 | Zendesk Chat | 37 | 44 | 67 | 10k+ | Output is not escaped | ||
| #2857 | Accessibility | 38 | 66 | 61 | 1k+ | Non-prefixed global variable | ||
| #2858 | AccessibleWP – Accessibility Toolbar | 38 | 381 | 26 | 20k+ | Text Domain Mismatch | ||
| #2859 | ACF-VC Integrator | 38 | 190 | 91 | 3k+ | Output is not escaped | ||
| #2860 | Parallax Scroll by adamrob.co.uk | 38 | 102 | 51 | 1k+ | Output is not escaped | ||
| #2861 | Add Customer for WooCommerce | 38 | 229 | 153 | 1k+ | Text Domain Mismatch | ||
| #2862 | Admin Bar Editor – Toolbar Customization with User Role based access & Custom menus | 38 | 56 | 46 | 3k+ | Output is not escaped | ||
| #2863 | Admin Bar & Dashboard Access Control | 38 | 94 | 37 | 3k+ | Text Domain Mismatch | ||
| #2864 | Admin Management Xtended | 38 | 280 | 161 | 5k+ | Output is not escaped | ||
| #2865 | AdRoll for WooCommerce Stores | 38 | 40 | 25 | 600 | Output is not escaped | ||
| #2866 | AWCA – The Great Analytics Insights for Your eStore | 38 | 238 | 143 | 2k+ | Output is not escaped | ||
| #2867 | Advanced 301 and 302 Redirect | 38 | 81 | 339 | 1k+ | Non-prefixed global variable | ||
| #2868 | Advanced Media Offloader | 38 | 57 | 93 | 5k+ | error log error log | ||
| #2869 | Advanced Sermons | 38 | 833 | 184 | 1k+ | Unsafe printing function | ||
| #2870 | Afterpay Gateway for WooCommerce | 38 | 183 | 62 | 10k+ | Text Domain Mismatch | ||
| #2871 | Alphabetic Pagination | 38 | 144 | 117 | 500 | Unsafe printing function | ||
| #2872 | Announce from the Dashboard | 38 | 138 | 24 | 7k+ | Non Singular String Literal Domain | ||
| #2873 | Announcement Bar | 38 | 192 | 61 | 3k+ | Non Singular String Literal Domain | ||
| #2874 | Any Mobile Theme Switcher | 38 | 69 | 59 | 20k+ | Output is not escaped | ||
| #2875 | Aplazame | 38 | 34 | 39 | 500 | Non-prefixed global variable | ||
| #2876 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #2877 | Ashe Extra | 38 | 109 | 54 | 3k+ | Text Domain Mismatch | ||
| #2878 | Attachments | 38 | 238 | 66 | 8k+ | Unsafe printing function | ||
| #2879 | Audio Story Images | 38 | 46 | 44 | 400 | Output is not escaped | ||
| #2880 | Author Category | 38 | 85 | 25 | 4k+ | Output is not escaped | ||
| #2881 | Auto Prune Posts | 38 | 54 | 57 | 1k+ | Output is not escaped | ||
| #2882 | Autologin Links | 38 | 73 | 74 | 8k+ | Output is not escaped | ||
| #2883 | Automatic Post Tagger | 38 | 592 | 307 | 2k+ | Output is not escaped | ||
| #2884 | bbPress Login Register Links On Forum Topic Pages | 38 | 142 | 36 | 600 | Text Domain Mismatch | ||
| #2885 | Beauty Form Styler for Gravity Forms | 38 | 70 | 93 | 600 | Output is not escaped | ||
| #2886 | Before After Image Comparison Slider for Elementor | 38 | 63 | 36 | 10k+ | Text Domain Mismatch | ||
| #2887 | Bible Verse of the Day | 38 | 378 | 23 | 3k+ | Unsafe printing function | ||
| #2888 | SoftTech-IT bKash, Rocket, Nagad | 38 | 164 | 81 | 6k+ | Text Domain Mismatch | ||
| #2889 | Blogger Importer | 38 | 44 | 39 | 50k+ | Output is not escaped | ||
| #2890 | Bot Block – Stop Spam Referrals in Google Analytics | 38 | 28 | 42 | 600 | Output is not escaped | ||
| #2891 | BuddyPress Follow | 38 | 114 | 67 | 1k+ | Text Domain Mismatch | ||
| #2892 | Cache Warmer | 38 | 32 | 219 | 1k+ | Interpolated SQL is not prepared | ||
| #2893 | Car Route Planner Plugin | 38 | 135 | 17 | 400 | Output is not escaped | ||
| #2894 | Category Posts Widget | 38 | 153 | 26 | 40k+ | Output is not escaped | ||
| #2895 | Cecabank WooCommerce Plugin | 38 | 63 | 32 | 3k+ | Text Domain Mismatch | ||
| #2896 | Certificate Verification | 38 | 33 | 40 | 1k+ | Output is not escaped | ||
| #2897 | Database for Contact Form 7 | 38 | 34 | 128 | 7k+ | Missing nonce verification | ||
| #2898 | Contact Form 7 – Post Fields | 38 | 167 | 25 | 3k+ | Text Domain Mismatch | ||
| #2899 | CF7 to Webhook | 38 | 102 | 72 | 30k+ | Unsafe printing function | ||
| #2900 | Checkout Files Upload for WooCommerce | 38 | 57 | 120 | 7k+ | Input is not sanitized |