WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
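As an added example (not code from the page or from any plugin listed below), the same settings handler before and after applying these three steps; the `myplugin_` prefix and the option names are hypothetical:

```php
<?php
// Added example; "myplugin_" prefix and option names are hypothetical.

// BEFORE: the pattern the sniff flags. Raw $_POST values reach update_option(),
// so any string, array or slash-escaped payload is stored as-is.
function myplugin_save_settings_unsanitized() {
    update_option( 'myplugin_item_id', $_POST['item_id'] );
    update_option( 'myplugin_sort',    $_POST['sort'] );
    update_option( 'myplugin_label',   $_POST['label'] );
    update_option( 'myplugin_webhook', $_POST['webhook'] );
}

// AFTER: unslash first, then sanitize each value for the type it must have.
// Nonce and capability checks belong in a real handler; they are left out
// here to keep the focus on the sanitization step.
function myplugin_save_settings() {
    // Numeric ID: absint() returns a non-negative integer, 0 on garbage input.
    $item_id = isset( $_POST['item_id'] )
        ? absint( wp_unslash( $_POST['item_id'] ) ) : 0;

    // Constrained value: sanitize_key() normalises, the allowlist decides.
    $allowed_sort = array( 'date', 'title', 'price' );
    $sort = isset( $_POST['sort'] )
        ? sanitize_key( wp_unslash( $_POST['sort'] ) ) : 'date';
    if ( ! in_array( $sort, $allowed_sort, true ) ) {
        $sort = 'date'; // unknown sort field: fall back instead of storing it
    }

    // Free text: sanitize_text_field() strips tags, invalid octets and line breaks.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';

    // URL that is stored, not output: esc_url_raw(), not esc_url().
    $webhook = isset( $_POST['webhook'] )
        ? esc_url_raw( wp_unslash( $_POST['webhook'] ) ) : '';

    update_option( 'myplugin_item_id', $item_id );
    update_option( 'myplugin_sort',    $sort );
    update_option( 'myplugin_label',   $label );
    update_option( 'myplugin_webhook', $webhook );
}
```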
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3451 | GetPaid > Item Inventory | 40 | 112 | 52 | 400 | | | Text Domain Mismatch |
| #3452 | Product Enquiry for WooCommerce | 40 | 57 | 41 | 3k+ | | | Output is not escaped |
| #3453 | Gravity Forms Data Persistence Add-On Reloaded | 40 | 14 | 38 | 700 | | | Input is not sanitized |
| #3454 | Header Footer Custom Html | 40 | 95 | 22 | 1k+ | | | Unsafe printing function |
| #3455 | Header Promo – Show Top Bar Message or Call to Action | 40 | 472 | 45 | 400 | | | Output is not escaped |
| #3456 | heatmap for WordPress – Realtime analytics | 40 | 94 | 15 | 1k+ | | | Non Singular String Literal Domain |
| #3457 | WP Armour – Honeypot Anti Spam | 40 | 55 | 66 | 400k+ | | | Missing nonce verification |
| #3458 | Hostinger Reach – AI-Powered Email Marketing for WordPress | 40 | 9 | 46 | 1m+ | | | Direct Query |
| #3459 | I Agree! Popups | 40 | 54 | 46 | 600 | | | Output is not escaped |
| #3460 | If Widget – Visibility control for Widgets | 40 | 99 | 25 | 1k+ | | | Unsafe printing function |
| #3461 | Image Alt Text | 40 | 79 | 97 | 9k+ | | | Non Singular String Literal Domain |
| #3462 | iNext Woo Pincode Checker | 40 | 36 | 82 | 700 | | | Missing nonce verification |
| #3463 | Correios Automático – Rastreio, Frete, Etiqueta, Declaração e Devolução | 40 | 32 | 56 | 4k+ | | | Non-prefixed global variable |
| #3464 | Interactive US Map | 40 | 136 | 54 | 400 | | | Text Domain Mismatch |
| #3465 | Internal Linking of Related Contents | 40 | 714 | 47 | 1k+ | | | Output is not escaped |
| #3466 | Invite Anyone | 40 | 32 | 130 | 1k+ | | | Non-prefixed hook name |
| #3467 | Quotes Addon for GetPaid | 40 | 191 | 21 | 700 | | | Text Domain Mismatch |
| #3468 | JSM Show Order Metadata for WooCommerce HPOS | 40 | 17 | 64 | 700 | | | Nonce verification recommended |
| #3469 | JSM Show Post Metadata | 40 | 15 | 66 | 10k+ | | | Nonce verification recommended |
| #3470 | JSM Show Term Metadata | 40 | 14 | 64 | 900 | | | Nonce verification recommended |
| #3471 | JSM Show User Metadata | 40 | 14 | 64 | 3k+ | | | Nonce verification recommended |
| #3472 | La Sentinelle antispam | 40 | 88 | 46 | 3k+ | | | Output is not escaped |
| #3473 | Social Like Box and Page by WpDevArt | 40 | 62 | 24 | 5k+ | | | Output is not escaped |
| #3474 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | | | Output is not escaped |
| #3475 | Listdomer Core | 40 | 45 | 92 | 500 | | | Non-prefixed global variable |
| #3476 | WP All Import – Listings Import for Listify | 40 | 34 | 27 | 400 | | | Output is not escaped |
| #3477 | LJ Multi Column Archive | 40 | 17 | 25 | 1k+ | | | Output is not escaped |
| #3478 | LLM Bot Tracker – AI Crawler Detection & Analytics | 40 | 18 | 90 | 700 | | | Database parameter is not escaped |
| #3479 | Loan Comparison | 40 | 27 | 192 | 400 | | | Request data is not unslashed |
| #3480 | Logbook | 40 | 33 | 59 | 2k+ | | | Nonce verification recommended |
| #3481 | WPO365 \| Mail Integration for Office 365 / Outlook | 40 | 59 | 27 | 2k+ | | | Output is not escaped |
| #3482 | MailerSend – Official SMTP Integration | 40 | 39 | 25 | 2k+ | | | Unsafe printing function |
| #3483 | Manual Image Crop | 40 | 178 | 61 | 8k+ | | | Output is not escaped |
| #3484 | Mark New Posts | 40 | 61 | 39 | 500 | | | Non Singular String Literal Domain |
| #3485 | MAS Company Reviews For WP Job Manager | 40 | 44 | 71 | 1k+ | | | Output is not escaped |
| #3486 | Mass Email To Users | 40 | 84 | 81 | 800 | | | Output is not escaped |
| #3487 | MembershipWorks – Membership, Events & Directory | 40 | 41 | 29 | 2k+ | | | Output is not escaped |
| #3488 | Mobile Contact Line | 40 | 39 | 355 | 1k+ | | | Non-prefixed global variable |
| #3489 | WP Mobile Redirect | 40 | 44 | 20 | 400 | | | Text Domain Mismatch |
| #3490 | Modal Window – create popup modal window | 40 | 4 | 170 | 10k+ | | | Non-prefixed global variable |
| #3491 | 코드엠샵 소셜톡 | 40 | 47 | 36 | 400 | | | Output is not escaped |
| #3492 | Multiple Featured Images | 40 | 50 | 22 | 5k+ | | | Output is not escaped |
| #3493 | Customize My Account for WooCommerce – Custom Tabs, Login, Registration, 2FA & Design | 40 | 77 | 167 | 800 | | | Non-prefixed global variable |
| #3494 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | 40 | 32 | 58 | 3k+ | | | Missing direct file access protection |
| #3495 | No-Bot Registration | 40 | 112 | 42 | 2k+ | | | Unsafe printing function |
| #3496 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | | | Text Domain Mismatch |
| #3497 | One Click SSL | 40 | 136 | 62 | 10k+ | | | Unsafe printing function |
| #3498 | OPML Importer | 40 | 35 | 13 | 4k+ | | | Output is not escaped |
| #3499 | Owl Carousel WP | 40 | 62 | 19 | 1k+ | | | Output is not escaped |
| #3500 | Page As Subdomain Lite | 40 | 61 | 25 | 500 | | | Output is not escaped |