WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#2951Jock On Air Now (JOAN)38121224500Output is not escaped
#2952jQuery Pin It Button for Images381293610k+Output is not escaped
#2953Jupiter X Core387176770k+Non-prefixed global variable
#2954Kali Forms — Contact Form & Drag-and-Drop Builder38425210k+Dynamic hook name
#2955Lana Downloads Manager38146783k+Unsafe printing function
#2956Log Deprecated Notices389273900Text Domain Mismatch
#2957LuckyWP Scripts Control38186233k+Output is not escaped
#2958LWS Cleaner388112920k+Direct Query
#2959Magical Posts Display – Elementor Advanced Posts widgets38115463k+Output is not escaped
#2960MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites383136700k+Non-prefixed hook name
#2961Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin3824573k+Input is not sanitized
#2962Mega Elements – Addons for Elementor381705710k+Output is not escaped
#2963Auto SEO META keywords (META tags keywords) optimization + WooCommerce386334700Output is not escaped
#2964MimeTypes Link Icons3853348k+Output is not escaped
#2965Group chat for WordPress – Minnit Chat383965500Non-prefixed global variable
#2966MisterPlan – Booking Engines3873138700Nonce verification recommended
#2967Monetag Official Plugin38133325k+Text Domain Mismatch
#2968Most And Least Read Posts Widget38130241k+Output is not escaped
#2969MultiLine Files for Contact Form 73898409k+Text Domain Mismatch
#2970Multiple Domain Mapping on Single Site38135516k+Text Domain Mismatch
#2971MX Time Zone Clocks38219411k+Output is not escaped
#2972Customize My Account for WooCommerce – Custom Tabs, Login, Registration, 2FA & Design3878172800Non-prefixed global variable
#2973Name Directory385203092k+Output is not escaped
#2974Contact Form Widget38541071k+Request data is not unslashed
#2975Note – A live edit text widget38118491k+Output is not escaped
#2976One Click Demo Import3822841m+Non-prefixed global variable
#2977One Click Order Re-Order38139631k+Non Singular String Literal Domain
#2978OneSignal – Web Push Notifications38536470k+Output is not escaped
#2979Open Graphite383802043k+Unsafe printing function
#2980Ozh' Better Feed384535600Heredoc Output Not Escaped
#2981Page Links To383140100k+Unsafe printing function
#2982YAPE A1 Tiendas382443900Missing nonce verification
#2983PayTR Taksit Tablosu – WooCommerce3867393k+Non Singular String Literal Domain
#2984PDF Catalog for WooCommerce3830461k+Nonce verification recommended
#2985Podlove Subscribe button38148452k+Output is not escaped
#2986PopCash Code Integration Tool3877109400Nonce verification recommended
#2987Popular Widget386130700Unsafe printing function
#2988PostLinks3810710700Output is not escaped
#2989qTranslate META388826400Output is not escaped
#2990qTranslate X Cleanup and WPML Import38167102800Text Domain Mismatch
#2991Quick Download Button38341232k+Non-prefixed global variable
#2992RDP Wiki Embed386926400Output is not escaped
#2993Remove WordPress Overhead3864471k+Text Domain Mismatch
#2994Logo Carousel – Display Brand or Client Logos in Slider3852442800Output is not escaped
#2995Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform38120107500Output is not escaped
#2996WP REST API – OAuth 1.0a Server38100858k+Text Domain Mismatch
#2997Restrict Widgets38135404k+Non Singular String Literal Domain
#2998Like This3860171k+Output is not escaped
#2999RSS Feed Widget38207892k+Unsafe printing function
#3000Invoice1233813988400Text Domain Mismatch