WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3351 | amCharts: Charts and Maps | 40 | 263 | 113 | 2k+ | Text Domain Mismatch | ||
| #3352 | Analytics Cat – Google Analytics Made Easy | 40 | 83 | 27 | 6k+ | Text Domain Mismatch | ||
| #3353 | Animated Live Wall Gallery | 40 | 27 | 72 | 2k+ | Request data is not unslashed | ||
| #3354 | Athemes Toolbox | 40 | 254 | 58 | 3k+ | Text Domain Mismatch | ||
| #3355 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 700 | Non-prefixed global variable | ||
| #3356 | Attachment Importer | 40 | 24 | 76 | 3k+ | Input is not sanitized | ||
| #3357 | Auto Upload Images | 40 | 62 | 13 | 20k+ | Unsafe printing function | ||
| #3358 | Autocomplete LearnDash Lessons and Topics | 40 | 46 | 16 | 1k+ | Missing Arg Domain | ||
| #3359 | AutoConvert Greeklish Permalinks | 40 | 116 | 13 | 30k+ | Text Domain Mismatch | ||
| #3360 | Mastodon Autopost | 40 | 41 | 50 | 800 | Output is not escaped | ||
| #3361 | AxiaChat AI – Free AI Chatbot (Answers Customers Automatically) | 40 | 2 | 135 | 2k+ | Interpolated SQL is not prepared | ||
| #3362 | Back To The Top Button | 40 | 31 | 271 | 4k+ | Non-prefixed global variable | ||
| #3363 | Bangladeshi Payment Gateways – Make Payment Using QR Code | 40 | 40 | 36 | 5k+ | Output is not escaped | ||
| #3364 | Basic Interactive World Map | 40 | 94 | 54 | 1k+ | Text Domain Mismatch | ||
| #3365 | bbPress WP Tweaks | 40 | 147 | 18 | 1k+ | Output is not escaped | ||
| #3366 | Better Internal Link Search | 40 | 23 | 48 | 1k+ | strip tags strip tags | ||
| #3367 | BH Custom CSS3 Preloader – Just play and play | 40 | 439 | 26 | 900 | Text Domain Mismatch | ||
| #3368 | Billingo Official for WooCommerce | 40 | 25 | 37 | 3k+ | Output is not escaped | ||
| #3369 | Black Studio TinyMCE Widget | 40 | 39 | 28 | 200k+ | Output is not escaped | ||
| #3370 | Broken Link Notifier | 40 | 11 | 193 | 1k+ | Non-prefixed global variable | ||
| #3371 | Bubble Menu – Floating Button Menu with Sticky Navigation | 40 | 2 | 216 | 1k+ | Nonce verification recommended | ||
| #3372 | BuddyPress Profile Completion | 40 | 28 | 30 | 500 | Output is not escaped | ||
| #3373 | Bulk Add Terms | 40 | 74 | 27 | 800 | Text Domain Mismatch | ||
| #3374 | Bulk Delete Comments | 40 | 16 | 61 | 5k+ | Direct Query | ||
| #3375 | Bulk Featured Image | 40 | 69 | 117 | 800 | Output is not escaped | ||
| #3376 | Bulk Move | 40 | 85 | 44 | 9k+ | Unsafe printing function | ||
| #3377 | Buy one Get one Free – BOGO discount rule maker for WooCommerce | 40 | 119 | 57 | 400 | Text Domain Mismatch | ||
| #3378 | Coming soon Page | 40 | 24 | 18 | 500 | Text Domain Mismatch | ||
| #3379 | Custom Cart Link for WooCommerce | 40 | 24 | 16 | 700 | Unsafe printing function | ||
| #3380 | Categories Metabox Enhanced | 40 | 77 | 36 | 1k+ | Output is not escaped | ||
| #3381 | Category Featured Images Extended | 40 | 177 | 40 | 400 | Text Domain Mismatch | ||
| #3382 | CleverReach Integration for Contact Form 7 | 40 | 103 | 43 | 700 | Text Domain Mismatch | ||
| #3383 | Contact form 7 TO API + Basic Auth | 40 | 73 | 30 | 1k+ | Non Singular String Literal Domain | ||
| #3384 | Contact Form 7 to Mailjet | 40 | 70 | 39 | 600 | Output is not escaped | ||
| #3385 | Classified Ads | 40 | 136 | 38 | 1k+ | Text Domain Mismatch | ||
| #3386 | Cleaner Gallery | 40 | 40 | 8 | 2k+ | Unsafe printing function | ||
| #3387 | Client Portal : SuiteDash Direct Login | 40 | 93 | 17 | 1k+ | Text Domain Mismatch | ||
| #3388 | codoc | 40 | 19 | 39 | 2k+ | Request data is not unslashed | ||
| #3389 | Complete Image Sitemap | 40 | 55 | 18 | 1k+ | Output is not escaped | ||
| #3390 | Conditional WooCommerce Checkout Field | 40 | 84 | 22 | 400 | Unsafe printing function | ||
| #3391 | Contact Form 7 GetResponse Extension | 40 | 88 | 18 | 1k+ | Text Domain Mismatch | ||
| #3392 | Contact Form 7 Multi-Step Forms | 40 | 65 | 41 | 50k+ | Output is not escaped | ||
| #3393 | Database Addon for Contact Form 7 – CFDB7 | 40 | 35 | 56 | 600k+ | Nonce verification recommended | ||
| #3394 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | Missing direct file access protection | ||
| #3395 | Copyscape Premium | 40 | 148 | 133 | 800 | SQL query is not prepared | ||
| #3396 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | Direct Query | ||
| #3397 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | Unsafe printing function | ||
| #3398 | Crisp – Live Chat and Chatbot | 40 | 24 | 20 | 20k+ | Unsafe printing function | ||
| #3399 | Cryout Serious Theme Settings | 40 | 332 | 51 | 40k+ | Output is not escaped | ||
| #3400 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | Unsafe printing function |