WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3001 | Schema App Structured Data | 38 | 35 | 86 | 7k+ | Nonce verification recommended | ||
| #3002 | Author Image | 38 | 51 | 33 | 1k+ | Output is not escaped | ||
| #3003 | LinkBoss – Semantic AI Internal Linking | 38 | 28 | 57 | 2k+ | Missing Arg Domain | ||
| #3004 | ShiftNav – Responsive Mobile Menu | 38 | 249 | 35 | 10k+ | Text Domain Mismatch | ||
| #3005 | Shutter Reloaded | 38 | 194 | 95 | 1k+ | Text Domain Mismatch | ||
| #3006 | Simple Expires | 38 | 32 | 39 | 500 | Non Singular String Literal Domain | ||
| #3007 | Simple JWT Login – Allows you to use JWT on REST endpoints. | 38 | 712 | 95 | 4k+ | Output is not escaped | ||
| #3008 | Simple Keyword to Link | 38 | 90 | 49 | 3k+ | Non Singular String Literal Domain | ||
| #3009 | Simple LDAP Login | 38 | 65 | 33 | 1k+ | Output is not escaped | ||
| #3010 | Simple Visitor Counter | 38 | 41 | 27 | 700 | Output is not escaped | ||
| #3011 | SimpleShop | 38 | 52 | 51 | 1k+ | date date | ||
| #3012 | Slickstream: Engagement and Conversions | 38 | 100 | 19 | 2k+ | Output is not escaped | ||
| #3013 | Slickplan Importer | 38 | 40 | 58 | 400 | Non-prefixed global variable | ||
| #3014 | Smart Cookie Kit | 38 | 263 | 81 | 3k+ | Output is not escaped | ||
| #3015 | Smart Maintenance Mode | 38 | 137 | 128 | 1k+ | Output is not escaped | ||
| #3016 | Social Icons | 38 | 72 | 83 | 10k+ | Output is not escaped | ||
| #3017 | Social Snap — Social Share Buttons & Click to Tweet | 38 | 6 | 169 | 10k+ | Direct Query | ||
| #3018 | SOGO Accessibility | 38 | 147 | 40 | 5k+ | Non Singular String Literal Domain | ||
| #3019 | SRS Simple Hits Counter | 38 | 43 | 98 | 8k+ | Output is not escaped | ||
| #3020 | Standout CSS3 Buttons | 38 | 183 | 15 | 500 | Output is not escaped | ||
| #3021 | Stock Market News | 38 | 71 | 11 | 500 | Output is not escaped | ||
| #3022 | Stock Market Overview | 38 | 86 | 14 | 1k+ | Output is not escaped | ||
| #3023 | Stock Market Ticker | 38 | 69 | 14 | 3k+ | Output is not escaped | ||
| #3024 | Stock Quotes List | 38 | 72 | 13 | 600 | Output is not escaped | ||
| #3025 | Subscriptions & Memberships for PayPal | 38 | 73 | 237 | 900 | Request data is not unslashed | ||
| #3026 | Super Simple Slider | 38 | 55 | 55 | 1k+ | Non-prefixed global variable | ||
| #3027 | Swiper Js Slider | 38 | 125 | 35 | 400 | Output is not escaped | ||
| #3028 | Tag Manager – Header, Body And Footer | 38 | 97 | 319 | 20k+ | Non-prefixed global variable | ||
| #3029 | Logo Slider , Logo Carousel , Logo showcase , Client Logo | 38 | 72 | 22 | 1k+ | Output is not escaped | ||
| #3030 | Templatiq | 38 | 31 | 94 | 900 | Non-prefixed hook name | ||
| #3031 | Product Compare for WooCommerce | 38 | 55 | 191 | 3k+ | Non-prefixed global variable | ||
| #3032 | Variation Swatches for WooCommerce | 38 | 45 | 65 | 2k+ | Output is not escaped | ||
| #3033 | Theme Blvd Widget Pack | 38 | 240 | 17 | 1k+ | Output is not escaped | ||
| #3034 | Broadcast | 38 | 21 | 107 | 1k+ | Direct Query | ||
| #3035 | Accessibility Tools & Alt Text Finder | 38 | 36 | 56 | 3k+ | Text Domain Mismatch | ||
| #3036 | TopList.cz | 38 | 138 | 7 | 400 | Output is not escaped | ||
| #3037 | Trackserver | 38 | 17 | 356 | 400 | Input is not sanitized | ||
| #3038 | Plugin Name: Traffic Stats Widget Plugin | 38 | 69 | 107 | 600 | Output is not escaped | ||
| #3039 | Trash Duplicate and 301 Redirect | 38 | 13 | 103 | 1k+ | Nonce verification recommended | ||
| #3040 | TRUENDO | GDPR Compliant Cookie Manager | 38 | 98 | 38 | 600 | Output is not escaped | ||
| #3041 | Sidebar Login Widget | 38 | 90 | 16 | 700 | Output is not escaped | ||
| #3042 | Twenty Eleven Theme Extensions | 38 | 35 | 30 | 3k+ | Output is not escaped | ||
| #3043 | Twiget Twitter Widget | 38 | 147 | 36 | 500 | Output is not escaped | ||
| #3044 | Twitter for WordPress | 38 | 47 | 24 | 1k+ | Output is not escaped | ||
| #3045 | TypePad emoji for TinyMCE | 38 | 100 | 24 | 8k+ | Text Domain Mismatch | ||
| #3046 | Termly – GDPR/CCPA Cookie Consent Banner | 38 | 54 | 92 | 80k+ | Non-prefixed global variable | ||
| #3047 | Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory | 38 | 17 | 110 | 400 | Non-prefixed namespace | ||
| #3048 | Unconfirmed | 38 | 20 | 79 | 1k+ | Nonce verification recommended | ||
| #3049 | User Specific Content | 38 | 143 | 19 | 1k+ | Text Domain Mismatch | ||
| #3050 | VdoCipher: Secure Video Player and Hosting | 38 | 37 | 54 | 2k+ | Non-prefixed function |