WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3251 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non-prefixed function | ||
| #3252 | Shared Files – File Upload & Download Manager | 39 | 5 | 184 | 4k+ | Nonce verification recommended | ||
| #3253 | Shipping by Rules for WooCommerce | 39 | 130 | 48 | 500 | Output is not escaped | ||
| #3254 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | Text Domain Mismatch | ||
| #3255 | Show All Comments | 39 | 108 | 92 | 400 | Nonce verification recommended | ||
| #3256 | Simpaisa Wallet (Jazzcash & Easypaisa) Payment Services | 39 | 67 | 74 | 1k+ | Interpolated Variable Text | ||
| #3257 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | Request data is not unslashed | ||
| #3258 | Simple Posts Ticker – Easy, Lightweight & Flexible | 39 | 151 | 28 | 2k+ | Output is not escaped | ||
| #3259 | Simple Staff List | 39 | 90 | 236 | 3k+ | Non-prefixed global variable | ||
| #3260 | SimpleModal Login | 39 | 50 | 12 | 700 | Unsafe printing function | ||
| #3261 | SKP WP Admin Login Captcha | 39 | 77 | 18 | 1k+ | Output is not escaped | ||
| #3262 | Slash Admin | 39 | 116 | 38 | 500 | Output is not escaped | ||
| #3263 | Slideshow SE | 39 | 35 | 240 | 2k+ | Non-prefixed global variable | ||
| #3264 | Smaily for WP | 39 | 52 | 36 | 600 | Output is not escaped | ||
| #3265 | Smart Archives Reloaded | 39 | 78 | 36 | 1k+ | Non Singular String Literal Domain | ||
| #3266 | SMTP | 39 | 54 | 15 | 700 | Non Singular String Literal Domain | ||
| #3267 | Solid Post Likes | 39 | 96 | 52 | 500 | Text Domain Mismatch | ||
| #3268 | Soumettre.fr | 39 | 130 | 26 | 10k+ | Text Domain Mismatch | ||
| #3269 | Spreadr Woocommerce Plugin – Amazon Importer for Dropshipping and Affiliate | 39 | 42 | 226 | 500 | Request data is not unslashed | ||
| #3270 | Stock Ticker | 39 | 92 | 49 | 2k+ | Output is not escaped | ||
| #3271 | Stockdio Historical Chart | 39 | 65 | 16 | 900 | Output is not escaped | ||
| #3272 | Substack Importer | 39 | 33 | 33 | 1k+ | Missing nonce verification | ||
| #3273 | Sydney Toolbox | 39 | 84 | 62 | 50k+ | Unsafe printing function | ||
| #3274 | Sync Post With Other Site | 39 | 179 | 21 | 3k+ | Non Singular String Literal Domain | ||
| #3275 | Tabify Edit Screen | 39 | 83 | 27 | 500 | Output is not escaped | ||
| #3276 | Tawk.To Manager | 39 | 204 | 21 | 600 | Output is not escaped | ||
| #3277 | Easy Category Icons | 39 | 50 | 43 | 700 | Text Domain Mismatch | ||
| #3278 | ThemeKit For WordPress | 39 | 149 | 49 | 700 | Output is not escaped | ||
| #3279 | OpenHook | 39 | 172 | 22 | 1k+ | Unsafe printing function | ||
| #3280 | TinyMCE Custom Styles | 39 | 297 | 76 | 7k+ | Non Singular String Literal Domain | ||
| #3281 | TinyMCE Spellcheck | 39 | 27 | 32 | 2k+ | Unsafe printing function | ||
| #3282 | TomS reCAPTCHA | 39 | 128 | 256 | 500 | Missing nonce verification | ||
| #3283 | Traffic Monitor | 39 | 6 | 143 | 1k+ | Direct Query | ||
| #3284 | UiChemy — Figma Converter for Elementor, Gutenberg and Bricks | 39 | 7 | 100 | 9k+ | Nonce verification recommended | ||
| #3285 | Ultimate Client Dash | 39 | 697 | 12 | 2k+ | Text Domain Mismatch | ||
| #3286 | Ultimate Lightbox | 39 | 110 | 59 | 1k+ | Unsafe printing function | ||
| #3287 | Unlimited Background Slider | 39 | 66 | 53 | 600 | Output is not escaped | ||
| #3288 | upPrev | 39 | 35 | 36 | 1k+ | Dynamic hook name | ||
| #3289 | Uptolike Social Share Buttons | 39 | 38 | 33 | 4k+ | Output is not escaped | ||
| #3290 | Use Any Font | Custom Font Uploader | 39 | 36 | 55 | 200k+ | Request data is not unslashed | ||
| #3291 | User Blocker | 39 | 6 | 276 | 3k+ | Nonce verification recommended | ||
| #3292 | UserHeat Plugin | 39 | 121 | 20 | 6k+ | Non Singular String Literal Domain | ||
| #3293 | Accessibility by UserWay | 39 | 22 | 35 | 80k+ | Direct Query | ||
| #3294 | Smart Variation Swatches and Attribute Filters for WooCommerce | 39 | 39 | 50 | 3k+ | Output is not escaped | ||
| #3295 | Video Blogster Lite | 39 | 29 | 80 | 700 | Missing nonce verification | ||
| #3296 | Virtuaria Correios – Frete, Etiqueta, Rastreio e Declaração | 39 | 18 | 81 | 500 | Nonce verification recommended | ||
| #3297 | Virusdie | One-click website security | 39 | 149 | 66 | 2k+ | Output is not escaped | ||
| #3298 | Visual Portfolio, Photo Gallery & Post Grid | 39 | 34 | 189 | 60k+ | Non-prefixed hook name | ||
| #3299 | BeGateway Payment Gateway for WooCommerce | 39 | 57 | 44 | 400 | Unsafe printing function | ||
| #3300 | Payments via PayMongo for WooCommerce | 39 | 36 | 81 | 1k+ | Nonce verification recommended |