WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3401 | Copyscape Premium | 40 | 148 | 133 | 800 | SQL query is not prepared | ||
| #3402 | Country State City Dropdown CF7 | 40 | 35 | 54 | 5k+ | Direct Query | ||
| #3403 | Coupon Generator for WooCommerce | 40 | 39 | 28 | 10k+ | Unsafe printing function | ||
| #3404 | Crisp – Live Chat and Chatbot | 40 | 24 | 20 | 20k+ | Unsafe printing function | ||
| #3405 | Cryout Serious Theme Settings | 40 | 332 | 51 | 40k+ | Output is not escaped | ||
| #3406 | Cryptocurrency Widgets Pack | 40 | 222 | 52 | 700 | Unsafe printing function | ||
| #3407 | Crypto Price Widgets – CryptoWP | 40 | 103 | 43 | 600 | Output is not escaped | ||
| #3408 | Custom Contact Forms | 40 | 13 | 106 | 6k+ | Missing nonce verification | ||
| #3409 | Custom Simple Rss | 40 | 73 | 130 | 2k+ | Nonce verification recommended | ||
| #3410 | Dashboard Welcome for Beaver Builder | 40 | 38 | 24 | 2k+ | Output is not escaped | ||
| #3411 | Dashify: WooCommerce admin dashboard theme | 40 | 16 | 131 | 900 | Nonce verification recommended | ||
| #3412 | Delete Me | 40 | 116 | 17 | 7k+ | Output is not escaped | ||
| #3413 | Donation Thermometer | 40 | 324 | 88 | 2k+ | Output is not escaped | ||
| #3414 | Duplicate Page | 40 | 39 | 43 | 3m+ | Unsafe printing function | ||
| #3415 | Easy Document Embedder – Embed Word, excel, Powerpoint, Pdf file and more.. | 40 | 55 | 27 | 500 | Output is not escaped | ||
| #3416 | Easy Image Collage | 40 | 96 | 18 | 4k+ | Unsafe printing function | ||
| #3417 | Enhanced Custom Permalinks | 40 | 51 | 82 | 1k+ | Nonce verification recommended | ||
| #3418 | Eventer | 40 | 61 | 55 | 1k+ | Output is not escaped | ||
| #3419 | Expiring Posts | 40 | 52 | 20 | 900 | Missing Arg Domain | ||
| #3420 | FameTheme Demo Importer | 40 | 8 | 74 | 30k+ | Nonce verification recommended | ||
| #3421 | FAQ Schema – Accordion, Tab, Slider & Gutenberg Block | 40 | 253 | 46 | 1k+ | Output is not escaped | ||
| #3422 | Far Future Expiry Header | 40 | 25 | 36 | 7k+ | Request data is not unslashed | ||
| #3423 | Fast User Switching | 40 | 28 | 28 | 2k+ | Output is not escaped | ||
| #3424 | Featured Post | 40 | 36 | 18 | 900 | Output is not escaped | ||
| #3425 | Flamingo | 40 | 15 | 228 | 800k+ | Nonce verification recommended | ||
| #3426 | FluentComments – Spam protection, AntiSpam, Ajax Enhanced Comments | 40 | 50 | 47 | 700 | Non-prefixed global variable | ||
| #3427 | Flying Scripts: Delay JavaScript to Improve Site Speed & Performance | 40 | 23 | 44 | 30k+ | Missing direct file access protection | ||
| #3428 | FlyWP Helper – Page Cache, Page Optimization, Emails for FlyWP Server Control Panel | 40 | 20 | 81 | 4k+ | Non-prefixed global variable | ||
| #3429 | Full Background Manager | 40 | 37 | 24 | 7k+ | Output is not escaped | ||
| #3430 | Fusion Page Builder | 40 | 34 | 100 | 3k+ | Input is not validated | ||
| #3431 | Analytics Germanized for Google Analytics (GDPR / DSGVO) | 40 | 49 | 14 | 8k+ | Output is not escaped | ||
| #3432 | Osom Author Pro | 40 | 83 | 22 | 1k+ | Output is not escaped | ||
| #3433 | Get Cash | 40 | 84 | 49 | 500 | Non Singular String Literal Domain | ||
| #3434 | GetPaid > Item Inventory | 40 | 112 | 52 | 400 | Text Domain Mismatch | ||
| #3435 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | Output is not escaped | ||
| #3436 | Gravity Forms Data Persistence Add-On Reloaded | 40 | 14 | 38 | 700 | Input is not sanitized | ||
| #3437 | Header Footer Custom Html | 40 | 95 | 22 | 1k+ | Unsafe printing function | ||
| #3438 | Header Promo – Show Top Bar Message or Call to Action | 40 | 472 | 45 | 400 | Output is not escaped | ||
| #3439 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | Non Singular String Literal Domain | ||
| #3440 | WP Armour – Honeypot Anti Spam | 40 | 54 | 66 | 400k+ | Missing nonce verification | ||
| #3441 | I Agree! Popups | 40 | 54 | 46 | 600 | Output is not escaped | ||
| #3442 | If Widget – Visibility control for Widgets | 40 | 99 | 25 | 1k+ | Unsafe printing function | ||
| #3443 | iNext Woo Pincode Checker | 40 | 36 | 82 | 700 | Missing nonce verification | ||
| #3444 | Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução | 40 | 32 | 56 | 4k+ | Non-prefixed global variable | ||
| #3445 | Interactive US Map | 40 | 136 | 54 | 400 | Text Domain Mismatch | ||
| #3446 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | Output is not escaped | ||
| #3447 | Invite Anyone | 40 | 32 | 130 | 1k+ | Non-prefixed hook name | ||
| #3448 | Quotes Addon for GetPaid | 40 | 191 | 21 | 700 | Text Domain Mismatch | ||
| #3449 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | Nonce verification recommended | ||
| #3450 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | Nonce verification recommended |