WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3101 | Advanced Product Fields (Product Addons) for WooCommerce | 39 | 145 | 145 | 50k+ | Output is not escaped | ||
| #3102 | Advanced Spoiler | 39 | 106 | 19 | 600 | Non Singular String Literal Domain | ||
| #3103 | Advanced Woo Labels – Product Labels & Badges for WooCommerce | 39 | 171 | 125 | 10k+ | Output is not escaped | ||
| #3104 | Affiliate Links – Link Cloaking and Management | 39 | 23 | 113 | 3k+ | Non-prefixed global variable | ||
| #3105 | AffiliatePages – Pros & Cons, Notice, and CTA Blocks for Affiliates | 39 | 91 | 53 | 2k+ | Output is not escaped | ||
| #3106 | AffiliateWP – Affiliate Area Tabs | 39 | 86 | 26 | 3k+ | Output is not escaped | ||
| #3107 | Load More Anything | 39 | 38 | 73 | 5k+ | Output is not escaped | ||
| #3108 | Accessibility by AllAccessible | 39 | 200 | 82 | 2k+ | Unsafe printing function | ||
| #3109 | Andreani WooCommerce | 39 | 21 | 86 | 800 | Non-prefixed global variable | ||
| #3110 | Anything Order by Terms | 39 | 48 | 93 | 1k+ | Direct Query | ||
| #3111 | Ads.txt & App-ads.txt Manager for WordPress | 39 | 97 | 23 | 2k+ | Output is not escaped | ||
| #3112 | Archive Control | 39 | 151 | 67 | 1k+ | Unsafe printing function | ||
| #3113 | AWEOS WP Lock | 39 | 24 | 53 | 400 | Output is not escaped | ||
| #3114 | Timeline – Vertical and Horizontal Timeline Layouts | 39 | 500 | 43 | 2k+ | Output is not escaped | ||
| #3115 | Header Footer for Beaver Builder | 39 | 39 | 31 | 10k+ | Output is not escaped | ||
| #3116 | bbPress Voting | 39 | 27 | 53 | 500 | Output is not escaped | ||
| #3117 | bbPress Moderation | 39 | 75 | 15 | 500 | Non Singular String Literal Domain | ||
| #3118 | Benchmark Email Lite | 39 | 86 | 23 | 1k+ | Output is not escaped | ||
| #3119 | Better Random Redirect | 39 | 88 | 40 | 700 | Text Domain Mismatch | ||
| #3120 | Better User Search | 39 | 24 | 44 | 700 | SQL query is not prepared | ||
| #3121 | Billplz for WooCommerce | 39 | 289 | 65 | 6k+ | Text Domain Mismatch | ||
| #3122 | Birds Custom Login | 39 | 196 | 23 | 4k+ | Non Singular String Literal Domain | ||
| #3123 | Blackhole for Bad Bots | 39 | 123 | 69 | 30k+ | Output is not escaped | ||
| #3124 | Block Editor Bootstrap Blocks | 39 | 173 | 50 | 900 | Text Domain Mismatch | ||
| #3125 | Blogger Importer Extended | 39 | 55 | 45 | 4k+ | Output is not escaped | ||
| #3126 | Bogo | 39 | 30 | 139 | 10k+ | Request data is not unslashed | ||
| #3127 | BOX NOW Delivery Croatia | 39 | 64 | 99 | 800 | Missing nonce verification | ||
| #3128 | BuddyPress Default Cover Photo | 39 | 62 | 39 | 500 | Output is not escaped | ||
| #3129 | BugSnag Error Monitoring plugin | 39 | 52 | 96 | 2k+ | wp function not compatible with requires wp | ||
| #3130 | Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) | 39 | 16 | 47 | 10k+ | Request data is not unslashed | ||
| #3131 | Bulk NoIndex & NoFollow Toolkit | 39 | 72 | 172 | 2k+ | Nonce verification recommended | ||
| #3132 | Better WordPress External Links | 39 | 130 | 35 | 400 | Non Singular String Literal Domain | ||
| #3133 | Cache Images | 39 | 72 | 27 | 1k+ | Unsafe printing function | ||
| #3134 | Calculator Builder – Create an Online Calculator | 39 | 16 | 221 | 1k+ | Non-prefixed global variable | ||
| #3135 | Saitama Addon Pack | 39 | 152 | 27 | 1k+ | Output is not escaped | ||
| #3136 | Innozilla Skins for Contact Form 7 | 39 | 152 | 22 | 2k+ | Output is not escaped | ||
| #3137 | Configurable Tag Cloud (CTC) | 39 | 126 | 121 | 2k+ | Output is not escaped | ||
| #3138 | Constant Contact + WooCommerce | 39 | 27 | 91 | 1k+ | Nonce verification recommended | ||
| #3139 | Contact Form 7 – Dynamic Text Extension | 39 | 103 | 28 | 100k+ | Output is not escaped | ||
| #3140 | Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR) | 39 | 28 | 45 | 80k+ | Missing nonce verification | ||
| #3141 | Content Visibility for Divi Builder | 39 | 184 | 59 | 2k+ | Non Singular String Literal Domain | ||
| #3142 | Cookies for Comments | 39 | 22 | 29 | 20k+ | Input is not validated | ||
| #3143 | Country & Phone Field Contact Form 7 | 39 | 117 | 34 | 40k+ | Text Domain Mismatch | ||
| #3144 | Culqi | 39 | 571 | 88 | 1k+ | Text Domain Mismatch | ||
| #3145 | Custom Metadata Manager | 39 | 81 | 20 | 700 | Output is not escaped | ||
| #3146 | Custom Post Order | 39 | 14 | 32 | 400 | Input is not sanitized | ||
| #3147 | Custom Post Type Auto Menu | 39 | 54 | 33 | 500 | Text Domain Mismatch | ||
| #3148 | Custom Related Posts | 39 | 131 | 34 | 3k+ | Output is not escaped | ||
| #3149 | Custom Thank You for WooCommerce | 39 | 107 | 57 | 400 | Output is not escaped | ||
| #3150 | Da Reactions | 39 | 15 | 140 | 400 | Request data is not unslashed |