WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3001Schema App Structured Data3835867k+Nonce verification recommended
#3002Author Image3851331k+Output is not escaped
#3003LinkBoss – Semantic AI Internal Linking3828572k+Missing Arg Domain
#3004ShiftNav – Responsive Mobile Menu382493510k+Text Domain Mismatch
#3005Shutter Reloaded38194951k+Text Domain Mismatch
#3006Simple Expires383239500Non Singular String Literal Domain
#3007Simple JWT Login – Allows you to use JWT on REST endpoints.38712954k+Output is not escaped
#3008Simple Keyword to Link3890493k+Non Singular String Literal Domain
#3009Simple LDAP Login3865331k+Output is not escaped
#3010Simple Visitor Counter384127700Output is not escaped
#3011SimpleShop3852511k+date date
#3012Slickstream: Engagement and Conversions38100192k+Output is not escaped
#3013Slickplan Importer384058400Non-prefixed global variable
#3014Smart Cookie Kit38263813k+Output is not escaped
#3015Smart Maintenance Mode381371281k+Output is not escaped
#3016Social Icons38728310k+Output is not escaped
#3017Social Snap — Social Share Buttons & Click to Tweet38616910k+Direct Query
#3018SOGO Accessibility38147405k+Non Singular String Literal Domain
#3019SRS Simple Hits Counter3843988k+Output is not escaped
#3020Standout CSS3 Buttons3818315500Output is not escaped
#3021Stock Market News387111500Output is not escaped
#3022Stock Market Overview3886141k+Output is not escaped
#3023Stock Market Ticker3869143k+Output is not escaped
#3024Stock Quotes List387213600Output is not escaped
#3025Subscriptions & Memberships for PayPal3873237900Request data is not unslashed
#3026Super Simple Slider3855551k+Non-prefixed global variable
#3027Swiper Js Slider3812535400Output is not escaped
#3028Tag Manager – Header, Body And Footer389731920k+Non-prefixed global variable
#3029Logo Slider , Logo Carousel , Logo showcase , Client Logo3872221k+Output is not escaped
#3030Templatiq383194900Non-prefixed hook name
#3031Product Compare for WooCommerce38551913k+Non-prefixed global variable
#3032Variation Swatches for WooCommerce3845652k+Output is not escaped
#3033Theme Blvd Widget Pack38240171k+Output is not escaped
#3034Broadcast38211071k+Direct Query
#3035Accessibility Tools & Alt Text Finder3836563k+Text Domain Mismatch
#3036TopList.cz381387400Output is not escaped
#3037Trackserver3817356400Input is not sanitized
#3038Plugin Name: Traffic Stats Widget Plugin3869107600Output is not escaped
#3039Trash Duplicate and 301 Redirect38131031k+Nonce verification recommended
#3040TRUENDO | GDPR Compliant Cookie Manager389838600Output is not escaped
#3041Sidebar Login Widget389016700Output is not escaped
#3042Twenty Eleven Theme Extensions3835303k+Output is not escaped
#3043Twiget Twitter Widget3814736500Output is not escaped
#3044Twitter for WordPress3847241k+Output is not escaped
#3045TypePad emoji for TinyMCE38100248k+Text Domain Mismatch
#3046Termly – GDPR/CCPA Cookie Consent Banner38549280k+Non-prefixed global variable
#3047Ultimate Member Widgets for Elementor – Login Form, Register Form & User Directory3817110400Non-prefixed namespace
#3048Unconfirmed3820791k+Nonce verification recommended
#3049User Specific Content38143191k+Text Domain Mismatch
#3050VdoCipher: Secure Video Player and Hosting3837542k+Non-prefixed function