WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3151 | Dashboard Cleaner | 39 | 40 | 91 | 500 | Missing nonce verification | ||
| #3152 | Datalogics Ecommerce Delivery – Datalogics | 39 | 13 | 115 | 500 | Nonce verification recommended | ||
| #3153 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | Non-prefixed global variable | ||
| #3154 | Deliverability – pass DKIM, SPF, DMARC & more | 39 | 21 | 71 | 800 | Nonce verification recommended | ||
| #3155 | WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT) | 39 | 165 | 24 | 700 | Unsafe printing function | ||
| #3156 | Easy PayPal Events & Tickets | 39 | 28 | 550 | 1k+ | Request data is not unslashed | ||
| #3157 | Editor Menu and Widget Access | 39 | 81 | 24 | 7k+ | Output is not escaped | ||
| #3158 | ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor | 39 | 73 | 348 | 1m+ | Non-prefixed global variable | ||
| #3159 | Email Marketing by EmailOctopus | 39 | 43 | 62 | 3k+ | Non-prefixed global variable | ||
| #3160 | Events Manager – Zoom Integration | 39 | 141 | 43 | 700 | Output is not escaped | ||
| #3161 | BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress | 39 | 480 | 226 | 4k+ | Text Domain Mismatch | ||
| #3162 | FaniMani.pl | 39 | 103 | 11 | 600 | Output is not escaped | ||
| #3163 | Faster Image Insert | 39 | 94 | 26 | 2k+ | Output is not escaped | ||
| #3164 | Favorites | 39 | 187 | 123 | 10k+ | Unsafe printing function | ||
| #3165 | First Order Discount Woocommerce | 39 | 55 | 30 | 1k+ | Output is not escaped | ||
| #3166 | Fix Duplicates | 39 | 76 | 73 | 800 | Output is not escaped | ||
| #3167 | Flamix: Bitrix24 and WooCommerce Orders integration | 39 | 81 | 31 | 500 | Output is not escaped | ||
| #3168 | Flex Import | 39 | 15 | 132 | 500 | Non-prefixed global variable | ||
| #3169 | Floating Action Button | 39 | 164 | 69 | 1k+ | Unsafe printing function | ||
| #3170 | Genesis Dambuster | 39 | 94 | 67 | 3k+ | Output is not escaped | ||
| #3171 | GF Mollie by Indigo | 39 | 82 | 33 | 900 | Exception output is not escaped | ||
| #3172 | Gift Up Gift Cards for WordPress and WooCommerce | 39 | 94 | 60 | 5k+ | Output is not escaped | ||
| #3173 | GL Import External Images | 39 | 118 | 19 | 800 | wp function not compatible with requires wp | ||
| #3174 | Prisna GWT – Google Website Translator | 39 | 117 | 77 | 8k+ | Text Domain Mismatch | ||
| #3175 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | Output is not escaped | ||
| #3176 | Graphina – Charts and Graphs For Elementor | 39 | 1,910 | 113 | 10k+ | Text Domain Mismatch | ||
| #3177 | Gravity Slider Fields | 39 | 56 | 36 | 2k+ | Text Domain Mismatch | ||
| #3178 | GS Only PDF Preview | 39 | 46 | 36 | 1k+ | Output is not escaped | ||
| #3179 | Gutenverse News – News Blocks for Blog & Magazine Sites | 39 | 37 | 65 | 800 | Non-prefixed hook name | ||
| #3180 | HD Quiz | 39 | 252 | 82 | 7k+ | Output is not escaped | ||
| #3181 | Hide My WP Lite | 39 | 24 | 62 | 400 | Nonce verification recommended | ||
| #3182 | Maintenance Mode | 39 | 86 | 109 | 7k+ | Output is not escaped | ||
| #3183 | hpb seo plugin for WordPress | 39 | 15 | 87 | 2k+ | Non-prefixed global variable | ||
| #3184 | HTML5 Cumulus | 39 | 132 | 33 | 1k+ | Output is not escaped | ||
| #3185 | HW Image Widget | 39 | 138 | 41 | 1k+ | Output is not escaped | ||
| #3186 | Idle User Logout | 39 | 96 | 13 | 1k+ | Output is not escaped | ||
| #3187 | If Menu – Visibility control for Menus | 39 | 281 | 63 | 50k+ | Output is not escaped | ||
| #3188 | Image Carousel | 39 | 164 | 18 | 1k+ | Output is not escaped | ||
| #3189 | Image Watermark WP | 39 | 88 | 82 | 600 | Output is not escaped | ||
| #3190 | S2W – Import Shopify to WooCommerce | 39 | 8 | 132 | 3k+ | Request data is not unslashed | ||
| #3191 | Improved Save Button | 39 | 44 | 52 | 4k+ | Missing Translators Comment | ||
| #3192 | Insert Amz Images | 39 | 79 | 44 | 1k+ | Output is not escaped | ||
| #3193 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | Output is not escaped | ||
| #3194 | involve.me – Create Surveys, Quizzes, Calculators & Forms as Embedded Widgets or Pop-ups | 39 | 158 | 32 | 400 | Text Domain Mismatch | ||
| #3195 | Korea SNS | 39 | 88 | 30 | 4k+ | Unsafe printing function | ||
| #3196 | LH Add Media From Url | 39 | 42 | 26 | 2k+ | Output is not escaped | ||
| #3197 | Library Viewer | 39 | 65 | 93 | 400 | Non-prefixed hook name | ||
| #3198 | Logo Showcase – Logo Slider, Carousel & Sponsors Gallery | 39 | 535 | 98 | 1k+ | Text Domain Mismatch | ||
| #3199 | Logo Showcase – Carousel, Slider, Grid & List for WordPress | 39 | 123 | 160 | 400 | Unsafe printing function | ||
| #3200 | LuckyWP Table of Contents | 39 | 438 | 62 | 100k+ | Output is not escaped |