WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3301 | Payments via PayMongo for WooCommerce | 39 | 36 | 81 | 1k+ | Nonce verification recommended | ||
| #3302 | Smart COD for WooCommerce | 39 | 50 | 28 | 30k+ | Output is not escaped | ||
| #3303 | WebHotelier for WordPress | 39 | 451 | 40 | 500 | Text Domain Mismatch | ||
| #3304 | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 39 | 89 | 117 | 20k+ | Unsafe printing function | ||
| #3305 | Payment Gateway – nexi Alpha Bank for WooCommerce | 39 | 96 | 40 | 1k+ | Non Singular String Literal Domain | ||
| #3306 | Woo Button Text | 39 | 53 | 21 | 500 | Output is not escaped | ||
| #3307 | Combo Offers WooCommerce | 39 | 38 | 89 | 2k+ | Missing nonce verification | ||
| #3308 | Lucky Wheel for WooCommerce – Spin a Sale | 39 | 12 | 153 | 1k+ | Request data is not unslashed | ||
| #3309 | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | 39 | 7 | 222 | 20k+ | Non-prefixed hook name | ||
| #3310 | PayU GPO Payment for WooCommerce | 39 | 44 | 91 | 10k+ | Output is not escaped | ||
| #3311 | Modal Fly Cart & AJAX Add to Cart for WooCommerce | 39 | 83 | 74 | 2k+ | Text Domain Mismatch | ||
| #3312 | WooCommerce Product Dependencies | 39 | 44 | 60 | 3k+ | Missing nonce verification | ||
| #3313 | Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools | 39 | 322 | 66 | 8k+ | Output is not escaped | ||
| #3314 | WP Accessibility | 39 | 200 | 104 | 60k+ | Unsafe printing function | ||
| #3315 | WP Add Custom CSS | 39 | 45 | 23 | 60k+ | Output is not escaped | ||
| #3316 | WP Attachments | 39 | 49 | 44 | 3k+ | Output is not escaped | ||
| #3317 | WP-Cycle | 39 | 53 | 17 | 3k+ | Output is not escaped | ||
| #3318 | WP Gmail SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3319 | WP Limit Login Attempts | 39 | 26 | 67 | 10k+ | Direct Query | ||
| #3320 | WP Most Popular | 39 | 50 | 35 | 2k+ | Output is not escaped | ||
| #3321 | WP Multibyte Patch | 39 | 24 | 55 | 1m+ | Input is not sanitized | ||
| #3322 | WP Performance Score Booster – Optimize Speed, Enable Cache & Page Preload | 39 | 59 | 27 | 10k+ | Unsafe printing function | ||
| #3323 | WP Revision Master | 39 | 96 | 29 | 900 | Text Domain Mismatch | ||
| #3324 | WP SendGrid SMTP | 39 | 99 | 50 | 1k+ | Text Domain Mismatch | ||
| #3325 | WP Sitemaps Config | 39 | 88 | 37 | 700 | Output is not escaped | ||
| #3326 | WP-Slimbox2 Plugin | 39 | 77 | 19 | 3k+ | Unsafe printing function | ||
| #3327 | WP Social Widget | 39 | 239 | 7 | 4k+ | Output is not escaped | ||
| #3328 | AidWP – Donation & Payment Forms (Stripe Powered) | 39 | 193 | 800 | Non-prefixed global variable | |||
| #3329 | SEO Auto Linker | 39 | 97 | 62 | 3k+ | Unsafe printing function | ||
| #3330 | Categories to Tags Converter | 39 | 86 | 38 | 50k+ | Output is not escaped | ||
| #3331 | WPS Child Theme Generator | 39 | 111 | 85 | 6k+ | Unsafe printing function | ||
| #3332 | WPS Limit Login | 39 | 152 | 76 | 100k+ | Output is not escaped | ||
| #3333 | Yandex Metrica | 39 | 92 | 46 | 20k+ | Output is not escaped | ||
| #3334 | YITH Custom Login | 39 | 86 | 33 | 5k+ | Output is not escaped | ||
| #3335 | You can quote me on that | 39 | 57 | 37 | 400 | Output is not escaped | ||
| #3336 | htaccess protect | 39 | 28 | 33 | 800 | Input is not validated | ||
| #3337 | 404 Notifier | 40 | 39 | 41 | 700 | Output is not escaped | ||
| #3338 | ACF qTranslate | 40 | 184 | 25 | 8k+ | Output is not escaped | ||
| #3339 | ACF Theme Code for Advanced Custom Fields | 40 | 478 | 40 | 10k+ | Output is not escaped | ||
| #3340 | ACF to Custom Database Tables | 40 | 36 | 64 | 600 | Nonce verification recommended | ||
| #3341 | Add Pinterest conversion tags for Pinterest Ads + Site verification | 40 | 88 | 26 | 1k+ | Output is not escaped | ||
| #3342 | Subscribe Button by AddToAny | 40 | 93 | 47 | 900 | Output is not escaped | ||
| #3343 | Address Autocomplete Anything | 40 | 94 | 32 | 900 | Unsafe printing function | ||
| #3344 | Admin Search | 40 | 31 | 47 | 1k+ | Output is not escaped | ||
| #3345 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | Exception output is not escaped | ||
| #3346 | Advanced Custom Fields: Font Awesome Field | 40 | 332 | 70 | 90k+ | Text Domain Mismatch | ||
| #3347 | Advanced IP Blocker | 40 | 94 | 44 | 2k+ | Exception output is not escaped | ||
| #3348 | Advanced WooCommerce Product Gallery Slider | 40 | 42 | 48 | 3k+ | Non-prefixed global variable | ||
| #3349 | Advanced WPLink | 40 | 67 | 19 | 1k+ | Text Domain Mismatch | ||
| #3350 | AgreeMe Checkboxes For WooCommerce | 40 | 88 | 44 | 600 | Text Domain Mismatch |