WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2951 | Jock On Air Now (JOAN) | 38 | 121 | 224 | 500 | Output is not escaped | ||
| #2952 | jQuery Pin It Button for Images | 38 | 129 | 36 | 10k+ | Output is not escaped | ||
| #2953 | Jupiter X Core | 38 | 71 | 767 | 70k+ | Non-prefixed global variable | ||
| #2954 | Kali Forms — Contact Form & Drag-and-Drop Builder | 38 | 4 | 252 | 10k+ | Dynamic hook name | ||
| #2955 | Lana Downloads Manager | 38 | 146 | 78 | 3k+ | Unsafe printing function | ||
| #2956 | Log Deprecated Notices | 38 | 92 | 73 | 900 | Text Domain Mismatch | ||
| #2957 | LuckyWP Scripts Control | 38 | 186 | 23 | 3k+ | Output is not escaped | ||
| #2958 | LWS Cleaner | 38 | 81 | 129 | 20k+ | Direct Query | ||
| #2959 | Magical Posts Display – Elementor Advanced Posts widgets | 38 | 115 | 46 | 3k+ | Output is not escaped | ||
| #2960 | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | 38 | 3 | 136 | 700k+ | Non-prefixed hook name | ||
| #2961 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 38 | 2 | 457 | 3k+ | Input is not sanitized | ||
| #2962 | Mega Elements – Addons for Elementor | 38 | 170 | 57 | 10k+ | Output is not escaped | ||
| #2963 | Auto SEO META keywords (META tags keywords) optimization + WooCommerce | 38 | 63 | 34 | 700 | Output is not escaped | ||
| #2964 | MimeTypes Link Icons | 38 | 53 | 34 | 8k+ | Output is not escaped | ||
| #2965 | Group chat for WordPress – Minnit Chat | 38 | 39 | 65 | 500 | Non-prefixed global variable | ||
| #2966 | MisterPlan – Booking Engines | 38 | 73 | 138 | 700 | Nonce verification recommended | ||
| #2967 | Monetag Official Plugin | 38 | 133 | 32 | 5k+ | Text Domain Mismatch | ||
| #2968 | Most And Least Read Posts Widget | 38 | 130 | 24 | 1k+ | Output is not escaped | ||
| #2969 | MultiLine Files for Contact Form 7 | 38 | 98 | 40 | 9k+ | Text Domain Mismatch | ||
| #2970 | Multiple Domain Mapping on Single Site | 38 | 135 | 51 | 6k+ | Text Domain Mismatch | ||
| #2971 | MX Time Zone Clocks | 38 | 219 | 41 | 1k+ | Output is not escaped | ||
| #2972 | Customize My Account for WooCommerce – Custom Tabs, Login, Registration, 2FA & Design | 38 | 78 | 172 | 800 | Non-prefixed global variable | ||
| #2973 | Name Directory | 38 | 520 | 309 | 2k+ | Output is not escaped | ||
| #2974 | Contact Form Widget | 38 | 54 | 107 | 1k+ | Request data is not unslashed | ||
| #2975 | Note – A live edit text widget | 38 | 118 | 49 | 1k+ | Output is not escaped | ||
| #2976 | One Click Demo Import | 38 | 22 | 84 | 1m+ | Non-prefixed global variable | ||
| #2977 | One Click Order Re-Order | 38 | 139 | 63 | 1k+ | Non Singular String Literal Domain | ||
| #2978 | OneSignal – Web Push Notifications | 38 | 53 | 64 | 70k+ | Output is not escaped | ||
| #2979 | Open Graphite | 38 | 380 | 204 | 3k+ | Unsafe printing function | ||
| #2980 | Ozh' Better Feed | 38 | 45 | 35 | 600 | Heredoc Output Not Escaped | ||
| #2981 | Page Links To | 38 | 31 | 40 | 100k+ | Unsafe printing function | ||
| #2982 | YAPE A1 Tiendas | 38 | 24 | 43 | 900 | Missing nonce verification | ||
| #2983 | PayTR Taksit Tablosu – WooCommerce | 38 | 67 | 39 | 3k+ | Non Singular String Literal Domain | ||
| #2984 | PDF Catalog for WooCommerce | 38 | 30 | 46 | 1k+ | Nonce verification recommended | ||
| #2985 | Podlove Subscribe button | 38 | 148 | 45 | 2k+ | Output is not escaped | ||
| #2986 | PopCash Code Integration Tool | 38 | 77 | 109 | 400 | Nonce verification recommended | ||
| #2987 | Popular Widget | 38 | 61 | 30 | 700 | Unsafe printing function | ||
| #2988 | PostLinks | 38 | 107 | 10 | 700 | Output is not escaped | ||
| #2989 | qTranslate META | 38 | 88 | 26 | 400 | Output is not escaped | ||
| #2990 | qTranslate X Cleanup and WPML Import | 38 | 167 | 102 | 800 | Text Domain Mismatch | ||
| #2991 | Quick Download Button | 38 | 34 | 123 | 2k+ | Non-prefixed global variable | ||
| #2992 | RDP Wiki Embed | 38 | 69 | 26 | 400 | Output is not escaped | ||
| #2993 | Remove WordPress Overhead | 38 | 64 | 47 | 1k+ | Text Domain Mismatch | ||
| #2994 | Logo Carousel – Display Brand or Client Logos in Slider | 38 | 524 | 42 | 800 | Output is not escaped | ||
| #2995 | Responsive Mailform ( Plugin Version ) – easy, responsive, contact, mailform | 38 | 120 | 107 | 500 | Output is not escaped | ||
| #2996 | WP REST API – OAuth 1.0a Server | 38 | 100 | 85 | 8k+ | Text Domain Mismatch | ||
| #2997 | Restrict Widgets | 38 | 135 | 40 | 4k+ | Non Singular String Literal Domain | ||
| #2998 | Like This | 38 | 60 | 17 | 1k+ | Output is not escaped | ||
| #2999 | RSS Feed Widget | 38 | 207 | 89 | 2k+ | Unsafe printing function | ||
| #3000 | Invoice123 | 38 | 139 | 88 | 400 | Text Domain Mismatch |