WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2901Classic Editor Plus – WordPress Classic Editor plugin by Felix388342500Text Domain Mismatch
#2902Clever Mega Menu for Visual Composer38500871k+Output is not escaped
#2903Clever Mega Menu for Elementor38835441k+Output is not escaped
#2904Chatbot for WordPress by Collect.chat ⚡️3858366k+Unsafe printing function
#2905country-redirect385819400Text Domain Mismatch
#2906Crop-Thumbnails38332740k+Missing direct file access protection
#2907CRUDLab Disable Comments382054700Missing nonce verification
#2908One page checkout and layouts for woocommerce3883523k+Non-prefixed global variable
#2909Custom Menu Wizard Widget38326302k+Output is not escaped
#2910WP Page Templates389228400Non Singular String Literal Domain
#2911Custom post type templates for Elementor3828933700Text Domain Mismatch
#2912Customize Posts3831771k+Non-prefixed hook name
#2913Login Page Customizer – Customize Login Screen & Branding38361721k+Non-prefixed function
#2914Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included)3838183600Non-prefixed global variable
#2915Datafeedr Comparison Sets38450533k+Output is not escaped
#2916Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP383443020k+Text Domain Mismatch
#2917Decent Comments3893282k+Output is not escaped
#2918Responsive Pricing Table3830910510k+Non Singular String Literal Domain
#2919Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster38371025k+Interpolated SQL is not prepared
#2920Easy WP Cleaner38581242k+Non-prefixed global variable
#2921Easy Yandex Metrica389748900Output is not escaped
#2922Elemailer Lite – Elementor email template & campaign builder3844505k+Output is not escaped
#2923Email Encoder – Protect Email Addresses and Phone Numbers38915090k+Non-prefixed global variable
#2924PiWeb Product Enquiry or product catalog for WooCommerce382551451k+Text Domain Mismatch
#2925Erident Custom Login and Dashboard38122288k+Unsafe printing function
#2926EU Cookie Law Compliance38151222k+Non Singular String Literal Domain
#2927Export to Blogger3847117900Non-prefixed global variable
#2928Export User Data38187626k+Text Domain Mismatch
#2929Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds381678240k+Output is not escaped
#2930Social Photo Fetcher38151431k+Output is not escaped
#2931Social Shop for WooCommerce385124800Output is not escaped
#2932Responsive WordPress Slider – HG Slider3867757k+Missing nonce verification
#2933Foyer – Digital Signage for WordPress381481911k+Non-prefixed global variable
#2934Front-end Editor387862500Output is not escaped
#2935Gecka Submenu38326363k+Output is not escaped
#2936GoodBarber3838731k+Nonce verification recommended
#2937Great Caroussel3860131500SQL query is not prepared
#2938Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration38160821k+Unsafe printing function
#2939HashThemes Demo Importer3871446k+Output is not escaped
#2940CAOS | Host Google Analytics Locally381244410k+Output is not escaped
#2941WP Team – WordPress Team Member Plugin3853736500Text Domain Mismatch
#2942Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs38361062k+Non-prefixed global variable
#2943ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More38208930k+Direct Query
#2944imoje38621602k+Nonce verification recommended
#2945Import to Photo Gallery from NextGen gallery388083400Direct Query
#2946Insert PHP Code Snippet3816422790k+Output is not escaped
#29473D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery383537780k+Non Singular String Literal Domain
#2948JC Submenu38279324k+Output is not escaped
#2949Maintenance Redirect3824413210k+Missing Arg Domain
#2950Jock On Air Now (JOAN)38121224500Output is not escaped