WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3051 | FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube | 38 | 358 | 34 | 1k+ | Text Domain Mismatch | ||
| #3052 | Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend | 38 | 84 | 49 | 1k+ | Output is not escaped | ||
| #3053 | TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys | 38 | 71 | 49 | 900 | Output is not escaped | ||
| #3054 | Visual Admin Customizer | 38 | 20 | 51 | 500 | Input is not sanitized | ||
| #3055 | W2S – Migrate WooCommerce to Shopify | 38 | 33 | 132 | 1k+ | Non-prefixed global variable | ||
| #3056 | Chatbox Manager | 38 | 855 | 78 | 400 | Output is not escaped | ||
| #3057 | WC-AC Hook | 38 | 44 | 72 | 1k+ | Missing nonce verification | ||
| #3058 | Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy | 38 | 94 | 26 | 900 | Non Singular String Literal Domain | ||
| #3059 | SSLCommerz Payment Gateway | 38 | 21 | 132 | 2k+ | Non-prefixed global variable | ||
| #3060 | Affiliate Sales in Google Analytics and other tools | 38 | 23 | 84 | 1k+ | Request data is not unslashed | ||
| #3061 | WholesaleX – B2B & Wholesale Plugin for WooCommerce with Wholesale Prices | 38 | 33 | 181 | 2k+ | Non-prefixed global variable | ||
| #3062 | WishSuite – Wishlist for WooCommerce | 38 | 76 | 133 | 1k+ | Output is not escaped | ||
| #3063 | Products Coming Soon for WooCommerce | 38 | 151 | 62 | 700 | Output is not escaped | ||
| #3064 | Photo Reviews for WooCommerce | 38 | 26 | 222 | 10k+ | Request data is not unslashed | ||
| #3065 | Show Stock Status for WooCommerce | 38 | 30 | 19 | 1k+ | Output is not escaped | ||
| #3066 | Vietnam Checkout for WooCommerce | 38 | 93 | 137 | 10k+ | Nonce verification recommended | ||
| #3067 | Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance | 38 | 23 | 104 | 1k+ | Direct Query | ||
| #3068 | WP 404 Auto Redirect to Similar Post | 38 | 166 | 48 | 30k+ | Text Domain Mismatch | ||
| #3069 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | Missing direct file access protection | ||
| #3070 | WP-Ban | 38 | 99 | 108 | 8k+ | Unsafe printing function | ||
| #3071 | WP-CommentNavi | 38 | 68 | 46 | 700 | Output is not escaped | ||
| #3072 | WP Content Copy Protection with Color Design | 38 | 96 | 61 | 5k+ | Non Singular String Literal Domain | ||
| #3073 | WP Discord Post Plus – Supports Unlimited Channels | 38 | 116 | 34 | 700 | Text Domain Mismatch | ||
| #3074 | WP-DraftsForFriends | 38 | 141 | 71 | 1k+ | Output is not escaped | ||
| #3075 | WP Mail SMTP SendGrid Edition | 38 | 102 | 19 | 500 | Text Domain Mismatch | ||
| #3076 | WP Mailgun SMTP | 38 | 99 | 51 | 900 | Text Domain Mismatch | ||
| #3077 | WP Maintenance Mode & Site Under Construction | 38 | 72 | 57 | 3k+ | Output is not escaped | ||
| #3078 | WP Media Categories | 38 | 40 | 103 | 800 | Nonce verification recommended | ||
| #3079 | Native PHP Sessions | 38 | 30 | 92 | 10k+ | Direct Query | ||
| #3080 | Real-Time Post Statistics for WordPress | 38 | 63 | 68 | 1k+ | SQL query is not prepared | ||
| #3081 | WP Redirects – Contact Form 7 | 38 | 50 | 71 | 400 | Unsafe printing function | ||
| #3082 | WP Safe Mode | 38 | 95 | 55 | 2k+ | Output is not escaped | ||
| #3083 | WP-ServerInfo | 38 | 162 | 55 | 10k+ | Output is not escaped | ||
| #3084 | External Store for Shopify | 38 | 97 | 33 | 2k+ | Output is not escaped | ||
| #3085 | WP Video Lightbox | 38 | 107 | 67 | 30k+ | Unsafe printing function | ||
| #3086 | WPC Product Options for WooCommerce | 38 | 57 | 182 | 4k+ | Non-prefixed global variable | ||
| #3087 | Responsive Vertical Icon Menu | 38 | 188 | 85 | 700 | Output is not escaped | ||
| #3088 | mb.YTPlayer for background videos | 38 | 80 | 29 | 1k+ | Unsafe printing function | ||
| #3089 | WPTurbo -WordPress性能优化插件 | 38 | 20 | 34 | 700 | Output is not escaped | ||
| #3090 | Weather Underground | 38 | 64 | 27 | 3k+ | Output is not escaped | ||
| #3091 | YouTube widget | 38 | 39 | 25 | 400 | Output is not escaped | ||
| #3092 | ZeroBounce Email Verification & Validation | 38 | 299 | 162 | 900 | Text Domain Mismatch | ||
| #3093 | Zoho Campaigns | 38 | 3 | 129 | 3k+ | Non-prefixed global variable | ||
| #3094 | Smart Custom 404 Error Page | 39 | 90 | 44 | 100k+ | Output is not escaped | ||
| #3095 | Accounting for WooCommerce | 39 | 87 | 115 | 500 | Unsafe printing function | ||
| #3096 | ACF: Google Font Selector | 39 | 57 | 45 | 3k+ | Output is not escaped | ||
| #3097 | Add-on Gravity Forms – MailPoet 3 | 39 | 31 | 33 | 600 | Output is not escaped | ||
| #3098 | Add Tiktok Pixel for Tiktok ads (+Woocommerce) | 39 | 94 | 25 | 2k+ | Output is not escaped | ||
| #3099 | Additional Order Filters for WooCommerce | 39 | 79 | 255 | 2k+ | Nonce verification recommended | ||
| #3100 | Admin Custom Font | 39 | 34 | 25 | 1k+ | Unsafe printing function |