WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3051FancyTube – Video Gallery, Video Slider, and Playlist Slider for YouTube38358341k+Text Domain Mismatch
#3052Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend3884491k+Output is not escaped
#3053TWIPLA (Visitor Analytics IO) – Privacy-First Website Stats, Session Recordings, Heatmaps, Polls and Surveys387149900Output is not escaped
#3054Visual Admin Customizer382051500Input is not sanitized
#3055W2S – Migrate WooCommerce to Shopify38331321k+Non-prefixed global variable
#3056Chatbox Manager3885578400Output is not escaped
#3057WC-AC Hook3844721k+Missing nonce verification
#3058Shipping Packages for WooCommerce – Dropship from multiple locations like AliExpress, eBay, Amazon, Etsy389426900Non Singular String Literal Domain
#3059SSLCommerz Payment Gateway38211322k+Non-prefixed global variable
#3060Affiliate Sales in Google Analytics and other tools3823841k+Request data is not unslashed
#3061WholesaleX – B2B & Wholesale Plugin for WooCommerce with Wholesale Prices38331812k+Non-prefixed global variable
#3062WishSuite – Wishlist for WooCommerce38761331k+Output is not escaped
#3063Products Coming Soon for WooCommerce3815162700Output is not escaped
#3064Photo Reviews for WooCommerce382622210k+Request data is not unslashed
#3065Show Stock Status for WooCommerce3830191k+Output is not escaped
#3066Vietnam Checkout for WooCommerce389313710k+Nonce verification recommended
#3067Connect WooCommerce Shop to ERP/CRM, Verifactu and EU/VAT Compliance38231041k+Direct Query
#3068WP 404 Auto Redirect to Similar Post381664830k+Text Domain Mismatch
#3069WP Accessibility Helper (WAH)38618810k+Missing direct file access protection
#3070WP-Ban38991088k+Unsafe printing function
#3071WP-CommentNavi386846700Output is not escaped
#3072WP Content Copy Protection with Color Design3896615k+Non Singular String Literal Domain
#3073WP Discord Post Plus – Supports Unlimited Channels3811634700Text Domain Mismatch
#3074WP-DraftsForFriends38141711k+Output is not escaped
#3075WP Mail SMTP SendGrid Edition3810219500Text Domain Mismatch
#3076WP Mailgun SMTP389951900Text Domain Mismatch
#3077WP Maintenance Mode & Site Under Construction3872573k+Output is not escaped
#3078WP Media Categories3840103800Nonce verification recommended
#3079Native PHP Sessions38309210k+Direct Query
#3080Real-Time Post Statistics for WordPress3863681k+SQL query is not prepared
#3081WP Redirects – Contact Form 7385071400Unsafe printing function
#3082WP Safe Mode3895552k+Output is not escaped
#3083WP-ServerInfo381625510k+Output is not escaped
#3084External Store for Shopify3897332k+Output is not escaped
#3085WP Video Lightbox381076730k+Unsafe printing function
#3086WPC Product Options for WooCommerce38571824k+Non-prefixed global variable
#3087Responsive Vertical Icon Menu3818885700Output is not escaped
#3088mb.YTPlayer for background videos3880291k+Unsafe printing function
#3089WPTurbo -WordPress性能优化插件382034700Output is not escaped
#3090Weather Underground3864273k+Output is not escaped
#3091YouTube widget383925400Output is not escaped
#3092ZeroBounce Email Verification & Validation38299162900Text Domain Mismatch
#3093Zoho Campaigns3831293k+Non-prefixed global variable
#3094Smart Custom 404 Error Page399044100k+Output is not escaped
#3095Accounting for WooCommerce3987115500Unsafe printing function
#3096ACF: Google Font Selector3957453k+Output is not escaped
#3097Add-on Gravity Forms – MailPoet 3393133600Output is not escaped
#3098Add Tiktok Pixel for Tiktok ads (+Woocommerce)3994252k+Output is not escaped
#3099Additional Order Filters for WooCommerce39792552k+Nonce verification recommended
#3100Admin Custom Font3934251k+Unsafe printing function