WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2901 | Classic Editor Plus – WordPress Classic Editor plugin by Felix | 38 | 83 | 42 | 500 | Text Domain Mismatch | ||
| #2902 | Clever Mega Menu for Visual Composer | 38 | 500 | 87 | 1k+ | Output is not escaped | ||
| #2903 | Clever Mega Menu for Elementor | 38 | 835 | 44 | 1k+ | Output is not escaped | ||
| #2904 | Chatbot for WordPress by Collect.chat ⚡️ | 38 | 58 | 36 | 6k+ | Unsafe printing function | ||
| #2905 | country-redirect | 38 | 58 | 19 | 400 | Text Domain Mismatch | ||
| #2906 | Crop-Thumbnails | 38 | 33 | 27 | 40k+ | Missing direct file access protection | ||
| #2907 | CRUDLab Disable Comments | 38 | 20 | 54 | 700 | Missing nonce verification | ||
| #2908 | One page checkout and layouts for woocommerce | 38 | 83 | 52 | 3k+ | Non-prefixed global variable | ||
| #2909 | Custom Menu Wizard Widget | 38 | 326 | 30 | 2k+ | Output is not escaped | ||
| #2910 | WP Page Templates | 38 | 92 | 28 | 400 | Non Singular String Literal Domain | ||
| #2911 | Custom post type templates for Elementor | 38 | 289 | 33 | 700 | Text Domain Mismatch | ||
| #2912 | Customize Posts | 38 | 31 | 77 | 1k+ | Non-prefixed hook name | ||
| #2913 | Login Page Customizer – Customize Login Screen & Branding | 38 | 36 | 172 | 1k+ | Non-prefixed function | ||
| #2914 | Darkify – Dark Mode & Night Mode for Website & Admin (Dark Theme Included) | 38 | 38 | 183 | 600 | Non-prefixed global variable | ||
| #2915 | Datafeedr Comparison Sets | 38 | 450 | 53 | 3k+ | Output is not escaped | ||
| #2916 | Availability Datepicker – Booking Calendar for Contact Form 7 – Input WP | 38 | 344 | 30 | 20k+ | Text Domain Mismatch | ||
| #2917 | Decent Comments | 38 | 93 | 28 | 2k+ | Output is not escaped | ||
| #2918 | Responsive Pricing Table | 38 | 309 | 105 | 10k+ | Non Singular String Literal Domain | ||
| #2919 | Product Badge, Label, Countdown Timer for WooCommerce – Sale Booster | 38 | 37 | 102 | 5k+ | Interpolated SQL is not prepared | ||
| #2920 | Easy WP Cleaner | 38 | 58 | 124 | 2k+ | Non-prefixed global variable | ||
| #2921 | Easy Yandex Metrica | 38 | 97 | 48 | 900 | Output is not escaped | ||
| #2922 | Elemailer Lite – Elementor email template & campaign builder | 38 | 44 | 50 | 5k+ | Output is not escaped | ||
| #2923 | Email Encoder – Protect Email Addresses and Phone Numbers | 38 | 9 | 150 | 90k+ | Non-prefixed global variable | ||
| #2924 | PiWeb Product Enquiry or product catalog for WooCommerce | 38 | 255 | 145 | 1k+ | Text Domain Mismatch | ||
| #2925 | Erident Custom Login and Dashboard | 38 | 122 | 28 | 8k+ | Unsafe printing function | ||
| #2926 | EU Cookie Law Compliance | 38 | 151 | 22 | 2k+ | Non Singular String Literal Domain | ||
| #2927 | Export to Blogger | 38 | 47 | 117 | 900 | Non-prefixed global variable | ||
| #2928 | Export User Data | 38 | 187 | 62 | 6k+ | Text Domain Mismatch | ||
| #2929 | Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds | 38 | 167 | 82 | 40k+ | Output is not escaped | ||
| #2930 | Social Photo Fetcher | 38 | 151 | 43 | 1k+ | Output is not escaped | ||
| #2931 | Social Shop for WooCommerce | 38 | 51 | 24 | 800 | Output is not escaped | ||
| #2932 | Responsive WordPress Slider – HG Slider | 38 | 67 | 75 | 7k+ | Missing nonce verification | ||
| #2933 | Foyer – Digital Signage for WordPress | 38 | 148 | 191 | 1k+ | Non-prefixed global variable | ||
| #2934 | Front-end Editor | 38 | 78 | 62 | 500 | Output is not escaped | ||
| #2935 | Gecka Submenu | 38 | 326 | 36 | 3k+ | Output is not escaped | ||
| #2936 | GoodBarber | 38 | 38 | 73 | 1k+ | Nonce verification recommended | ||
| #2937 | Great Caroussel | 38 | 60 | 131 | 500 | SQL query is not prepared | ||
| #2938 | Greek Multi Tool – Greeklish Slugs, Permalinks & Transliteration | 38 | 160 | 82 | 1k+ | Unsafe printing function | ||
| #2939 | HashThemes Demo Importer | 38 | 71 | 44 | 6k+ | Output is not escaped | ||
| #2940 | CAOS | Host Google Analytics Locally | 38 | 124 | 44 | 10k+ | Output is not escaped | ||
| #2941 | WP Team – WordPress Team Member Plugin | 38 | 537 | 36 | 500 | Text Domain Mismatch | ||
| #2942 | Icegram Mailer – Reliable Email Deliverability, No-code SMTP Replacement & Email logs | 38 | 36 | 106 | 2k+ | Non-prefixed global variable | ||
| #2943 | ThumbPress – Compress Images, Manage Thumbnails, Detect Image Issues, WebP/AVIF, Lazy Loading, Hotlinking & More | 38 | 20 | 89 | 30k+ | Direct Query | ||
| #2944 | imoje | 38 | 62 | 160 | 2k+ | Nonce verification recommended | ||
| #2945 | Import to Photo Gallery from NextGen gallery | 38 | 80 | 83 | 400 | Direct Query | ||
| #2946 | Insert PHP Code Snippet | 38 | 164 | 227 | 90k+ | Output is not escaped | ||
| #2947 | 3D FlipBook – PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery | 38 | 353 | 77 | 80k+ | Non Singular String Literal Domain | ||
| #2948 | JC Submenu | 38 | 279 | 32 | 4k+ | Output is not escaped | ||
| #2949 | Maintenance Redirect | 38 | 244 | 132 | 10k+ | Missing Arg Domain | ||
| #2950 | Jock On Air Now (JOAN) | 38 | 121 | 224 | 500 | Output is not escaped |