WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3401Copyscape Premium40148133800SQL query is not prepared
#3402Country State City Dropdown CF74035545k+Direct Query
#3403Coupon Generator for WooCommerce40392810k+Unsafe printing function
#3404Crisp – Live Chat and Chatbot40242020k+Unsafe printing function
#3405Cryout Serious Theme Settings403325140k+Output is not escaped
#3406Cryptocurrency Widgets Pack4022252700Unsafe printing function
#3407Crypto Price Widgets – CryptoWP4010343600Output is not escaped
#3408Custom Contact Forms40131066k+Missing nonce verification
#3409Custom Simple Rss40731302k+Nonce verification recommended
#3410Dashboard Welcome for Beaver Builder4038242k+Output is not escaped
#3411Dashify: WooCommerce admin dashboard theme4016131900Nonce verification recommended
#3412Delete Me40116177k+Output is not escaped
#3413Donation Thermometer40324882k+Output is not escaped
#3414Duplicate Page4039433m+Unsafe printing function
#3415Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more..405527500Output is not escaped
#3416Easy Image Collage4096184k+Unsafe printing function
#3417Enhanced Custom Permalinks4051821k+Nonce verification recommended
#3418Eventer4061551k+Output is not escaped
#3419Expiring Posts405220900Missing Arg Domain
#3420FameTheme Demo Importer4087430k+Nonce verification recommended
#3421FAQ Schema – Accordion, Tab, Slider & Gutenberg Block40253461k+Output is not escaped
#3422Far Future Expiry Header4025367k+Request data is not unslashed
#3423Fast User Switching4028282k+Output is not escaped
#3424Featured Post403618900Output is not escaped
#3425Flamingo4015228800k+Nonce verification recommended
#3426FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments405047700Non-prefixed global variable
#3427Flying Scripts: Delay JavaScript to Improve Site Speed & Performance40234430k+Missing direct file access protection
#3428FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel4020814k+Non-prefixed global variable
#3429Full Background Manager4037247k+Output is not escaped
#3430Fusion Page Builder40341003k+Input is not validated
#3431Analytics Germanized for Google Analytics (GDPR / DSGVO)4049148k+Output is not escaped
#3432Osom Author Pro4083221k+Output is not escaped
#3433Get Cash408449500Non Singular String Literal Domain
#3434GetPaid > Item Inventory4011252400Text Domain Mismatch
#3435Product Enquiry for WooCommerce4057413k+Output is not escaped
#3436Gravity Forms Data Persistence Add-On Reloaded401438700Input is not sanitized
#3437Header Footer Custom Html4095221k+Unsafe printing function
#3438Header Promo – Show Top Bar Message or Call to Action4047245400Output is not escaped
#3439heatmap for WordPress – Realtime analytics4094151k+Non Singular String Literal Domain
#3440WP Armour – Honeypot Anti Spam405466400k+Missing nonce verification
#3441I Agree! Popups405446600Output is not escaped
#3442If Widget – Visibility control for Widgets4099251k+Unsafe printing function
#3443iNext Woo Pincode Checker403682700Missing nonce verification
#3444Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução4032564k+Non-prefixed global variable
#3445Interactive US Map4013654400Text Domain Mismatch
#3446Internal Linking of Related Contents40714471k+Output is not escaped
#3447Invite Anyone40321301k+Non-prefixed hook name
#3448Quotes Addon for GetPaid4019121700Text Domain Mismatch
#3449JSM Show Order Metadata for WooCommerce HPOS401764700Nonce verification recommended
#3450JSM Show Post Metadata40156610k+Nonce verification recommended