WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3201 | LuckyWP Table of Contents | 39 | 438 | 62 | 100k+ | Output is not escaped | ||
| #3202 | Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | 39 | 65 | 72 | 6k+ | block api version too low | ||
| #3203 | Mail Subscribe List | 39 | 17 | 94 | 3k+ | Input is not validated | ||
| #3204 | MailChimp Add-On for FormCraft | 39 | 56 | 29 | 800 | curl curl setopt | ||
| #3205 | Manage Enrollment for LearnDash | 39 | 48 | 79 | 400 | Unsafe printing function | ||
| #3206 | Map Categories to Pages | 39 | 48 | 13 | 700 | Output is not escaped | ||
| #3207 | Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce | 39 | 76 | 64 | 1k+ | Missing Translators Comment | ||
| #3208 | Maps for WP | 39 | 169 | 73 | 400 | Output is not escaped | ||
| #3209 | Markup by Attribute for WooCommerce | 39 | 46 | 102 | 2k+ | Direct Query | ||
| #3210 | Mascaras CF7 | 39 | 54 | 16 | 1k+ | Text Domain Mismatch | ||
| #3211 | Media Sync | 39 | 193 | 7 | 50k+ | Short PHP open tag found | ||
| #3212 | Meks Easy Photo Feed Widget | 39 | 77 | 27 | 10k+ | Output is not escaped | ||
| #3213 | Menubar | 39 | 171 | 46 | 1k+ | Output is not escaped | ||
| #3214 | Zen Feed | 39 | 39 | 22 | 400 | Output is not escaped | ||
| #3215 | Mizan Demo Importer | 39 | 31 | 68 | 1k+ | Missing Version | ||
| #3216 | Modal Dialog | 39 | 64 | 64 | 500 | Output is not escaped | ||
| #3217 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | Output is not escaped | ||
| #3218 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | Text Domain Mismatch | ||
| #3219 | NextGEN Download Gallery | 39 | 57 | 21 | 2k+ | Short PHP open tag found | ||
| #3220 | Open Graph Pro | 39 | 52 | 13 | 1k+ | Output is not escaped | ||
| #3221 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | Output is not escaped | ||
| #3222 | OneSignal Sender | 39 | 112 | 50 | 400 | Output is not escaped | ||
| #3223 | payever – WooCommerce Gateway | 39 | 263 | 131 | 700 | Text Domain Mismatch | ||
| #3224 | Paystack Add-On for Gravity Forms | 39 | 96 | 31 | 400 | Text Domain Mismatch | ||
| #3225 | Designil PDPA Thailand | 39 | 131 | 36 | 3k+ | Output is not escaped | ||
| #3226 | PO/MO Editor | 39 | 106 | 45 | 1k+ | Unsafe printing function | ||
| #3227 | Posts By Tag | 39 | 151 | 30 | 1k+ | Output is not escaped | ||
| #3228 | PickPlugins Pricing Table | 39 | 3 | 171 | 1k+ | Missing nonce verification | ||
| #3229 | Privilege Menu | 39 | 215 | 49 | 1k+ | Text Domain Mismatch | ||
| #3230 | Product Size Chart for Woocommerce | 39 | 20 | 169 | 600 | Non-prefixed global variable | ||
| #3231 | Purge Varnish Cache | 39 | 113 | 151 | 1k+ | Non-prefixed global variable | ||
| #3232 | QR Redirector | 39 | 48 | 54 | 4k+ | Output is not escaped | ||
| #3233 | Quantcast Choice | 39 | 227 | 11 | 3k+ | Text Domain Mismatch | ||
| #3234 | Query Multiple Taxonomies | 39 | 55 | 41 | 500 | Output is not escaped | ||
| #3235 | Quform Mailchimp | 39 | 65 | 147 | 800 | Nonce verification recommended | ||
| #3236 | Quform Zapier | 39 | 60 | 123 | 1k+ | Nonce verification recommended | ||
| #3237 | Simple Webchat | 39 | 142 | 204 | 1k+ | Output is not escaped | ||
| #3238 | Radio Buttons for Taxonomies | 39 | 40 | 24 | 20k+ | Output is not escaped | ||
| #3239 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Nonce verification recommended | ||
| #3240 | Re Gallery – Responsive Image & Photo Gallery | 39 | 16 | 121 | 700 | Missing nonce verification | ||
| #3241 | Reorder by Term | 39 | 20 | 84 | 1k+ | Request data is not unslashed | ||
| #3242 | REST API Helper | 39 | 108 | 85 | 500 | Unsafe printing function | ||
| #3243 | RioVizual — Table Blocks for Comparison, Pricing and Pros & Cons | 39 | 32 | 75 | 1k+ | Nonce verification recommended | ||
| #3244 | Royal Mail Shipping Calculator for WooCommerce | 39 | 61 | 31 | 1k+ | Text Domain Mismatch | ||
| #3245 | Scripts n Styles | 39 | 150 | 92 | 30k+ | Output is not escaped | ||
| #3246 | SEO Auto Linker | 39 | 90 | 24 | 1k+ | Text Domain Mismatch | ||
| #3247 | SEO Friendly Images | 39 | 292 | 20 | 20k+ | Output is not escaped | ||
| #3248 | Serial Number for Contact Form 7 | 39 | 105 | 53 | 2k+ | Non Singular String Literal Domain | ||
| #3249 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non-prefixed function | ||
| #3250 | Shared Files – File Upload & Download Manager | 39 | 5 | 184 | 4k+ | Nonce verification recommended |