WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3351amCharts: Charts and Maps402631132k+Text Domain Mismatch
#3352Analytics Cat – Google Analytics Made Easy4083276k+Text Domain Mismatch
#3353Animated Live Wall Gallery4027722k+Request data is not unslashed
#3354Athemes Toolbox40254583k+Text Domain Mismatch
#3355Atomic Edge Security – Firewall, Malware Scan and Login Security4012184700Non-prefixed global variable
#3356Attachment Importer4024763k+Input is not sanitized
#3357Auto Upload Images40621320k+Unsafe printing function
#3358Autocomplete LearnDash Lessons and Topics4046161k+Missing Arg Domain
#3359AutoConvert Greeklish Permalinks401161330k+Text Domain Mismatch
#3360Mastodon Autopost404150800Output is not escaped
#3361AxiaChat AI – Free AI Chatbot (Answers Customers Automatically)4021352k+Interpolated SQL is not prepared
#3362Back To The Top Button40312714k+Non-prefixed global variable
#3363Bangladeshi Payment Gateways – Make Payment Using QR Code4040365k+Output is not escaped
#3364Basic Interactive World Map4094541k+Text Domain Mismatch
#3365bbPress WP Tweaks40147181k+Output is not escaped
#3366Better Internal Link Search4023481k+strip tags strip tags
#3367BH Custom CSS3 Preloader – Just play and play4043926900Text Domain Mismatch
#3368Billingo Official for WooCommerce4025373k+Output is not escaped
#3369Black Studio TinyMCE Widget403928200k+Output is not escaped
#3370Broken Link Notifier40111931k+Non-prefixed global variable
#3371Bubble Menu – Floating Button Menu with Sticky Navigation4022161k+Nonce verification recommended
#3372BuddyPress Profile Completion402830500Output is not escaped
#3373Bulk Add Terms407427800Text Domain Mismatch
#3374Bulk Delete Comments4016615k+Direct Query
#3375Bulk Featured Image4069117800Output is not escaped
#3376Bulk Move4085449k+Unsafe printing function
#3377Buy one Get one Free – BOGO discount rule maker for WooCommerce4011957400Text Domain Mismatch
#3378Coming soon Page402418500Text Domain Mismatch
#3379Custom Cart Link for WooCommerce402416700Unsafe printing function
#3380Categories Metabox Enhanced4077361k+Output is not escaped
#3381Category Featured Images Extended4017740400Text Domain Mismatch
#3382CleverReach Integration for Contact Form 74010343700Text Domain Mismatch
#3383Contact form 7 TO API + Basic Auth4073301k+Non Singular String Literal Domain
#3384Contact Form 7 to Mailjet407039600Output is not escaped
#3385Classified Ads40136381k+Text Domain Mismatch
#3386Cleaner Gallery404082k+Unsafe printing function
#3387Client Portal : SuiteDash Direct Login4093171k+Text Domain Mismatch
#3388codoc4019392k+Request data is not unslashed
#3389Complete Image Sitemap4055181k+Output is not escaped
#3390Conditional WooCommerce Checkout Field408422400Unsafe printing function
#3391Contact Form 7 GetResponse Extension4088181k+Text Domain Mismatch
#3392Contact Form 7 Multi-Step Forms40654150k+Output is not escaped
#3393Database Addon for Contact Form 7 – CFDB7403556600k+Nonce verification recommended
#3394Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others)4039156k+Missing direct file access protection
#3395Copyscape Premium40148133800SQL query is not prepared
#3396Country State City Dropdown CF74035545k+Direct Query
#3397Coupon Generator for WooCommerce40392810k+Unsafe printing function
#3398Crisp – Live Chat and Chatbot40242020k+Unsafe printing function
#3399Cryout Serious Theme Settings403325140k+Output is not escaped
#3400Cryptocurrency Widgets Pack4022252700Unsafe printing function