WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3101Advanced Product Fields (Product Addons) for WooCommerce3914514550k+Output is not escaped
#3102Advanced Spoiler3910619600Non Singular String Literal Domain
#3103Advanced Woo Labels – Product Labels & Badges for WooCommerce3917112510k+Output is not escaped
#3104Affiliate Links – Link Cloaking and Management39231133k+Non-prefixed global variable
#3105AffiliatePages – Pros & Cons, Notice, and CTA Blocks for Affiliates3991532k+Output is not escaped
#3106AffiliateWP – Affiliate Area Tabs3986263k+Output is not escaped
#3107Load More Anything3938735k+Output is not escaped
#3108Accessibility by AllAccessible39200822k+Unsafe printing function
#3109Andreani WooCommerce392186800Non-prefixed global variable
#3110Anything Order by Terms3948931k+Direct Query
#3111Ads.txt & App-ads.txt Manager for WordPress3997232k+Output is not escaped
#3112Archive Control39151671k+Unsafe printing function
#3113AWEOS WP Lock392453400Output is not escaped
#3114Timeline – Vertical and Horizontal Timeline Layouts39500432k+Output is not escaped
#3115Header Footer for Beaver Builder39393110k+Output is not escaped
#3116bbPress Voting392753500Output is not escaped
#3117bbPress Moderation397515500Non Singular String Literal Domain
#3118Benchmark Email Lite3986231k+Output is not escaped
#3119Better Random Redirect398840700Text Domain Mismatch
#3120Better User Search392444700SQL query is not prepared
#3121Billplz for WooCommerce39289656k+Text Domain Mismatch
#3122Birds Custom Login39196234k+Non Singular String Literal Domain
#3123Blackhole for Bad Bots391236930k+Output is not escaped
#3124Block Editor Bootstrap Blocks3917350900Text Domain Mismatch
#3125Blogger Importer Extended3955454k+Output is not escaped
#3126Bogo393013910k+Request data is not unslashed
#3127BOX NOW Delivery Croatia396499800Missing nonce verification
#3128BuddyPress Default Cover Photo396239500Output is not escaped
#3129BugSnag Error Monitoring plugin3952962k+wp function not compatible with requires wp
#3130Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)39164710k+Request data is not unslashed
#3131Bulk NoIndex & NoFollow Toolkit39721722k+Nonce verification recommended
#3132Better WordPress External Links3913035400Non Singular String Literal Domain
#3133Cache Images3972271k+Unsafe printing function
#3134Calculator Builder – Create an Online Calculator39162211k+Non-prefixed global variable
#3135Saitama Addon Pack39152271k+Output is not escaped
#3136Innozilla Skins for Contact Form 739152222k+Output is not escaped
#3137Configurable Tag Cloud (CTC)391261212k+Output is not escaped
#3138Constant Contact + WooCommerce3927911k+Nonce verification recommended
#3139Contact Form 7 – Dynamic Text Extension3910328100k+Output is not escaped
#3140Image CAPTCHA for Contact Form 7 and WPForms by HookAndHook (DSGVO/GDPR)39284580k+Missing nonce verification
#3141Content Visibility for Divi Builder39184592k+Non Singular String Literal Domain
#3142Cookies for Comments39222920k+Input is not validated
#3143Country & Phone Field Contact Form 7391173440k+Text Domain Mismatch
#3144Culqi39571881k+Text Domain Mismatch
#3145Custom Metadata Manager398120700Output is not escaped
#3146Custom Post Order391432400Input is not sanitized
#3147Custom Post Type Auto Menu395433500Text Domain Mismatch
#3148Custom Related Posts39131343k+Output is not escaped
#3149Custom Thank You for WooCommerce3910757400Output is not escaped
#3150Da Reactions3915140400Request data is not unslashed