# Input is not sanitized
`WordPress.Security.ValidatedSanitizedInput.InputNotSanitized`
Request data is used without being cleaned for the expected type or format.
## Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
## Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
## How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
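The three steps above applied to one settings handler, as an added example that is not code from the scanner or from any plugin listed below. The pattern the sniff flags is shown first, then the corrected form. The function names (`example_save_settings_*`), the option name (`example_settings`) and the request fields are hypothetical; the WordPress functions used are the standard ones named above.

```php
<?php
/**
 * Added example: the flagged pattern next to the corrected form.
 * Function, option and field names are hypothetical. Capability and
 * nonce checks are separate sniffs and are not shown here.
 */

// Flagged: request data flows straight into logic and storage.
function example_save_settings_unsanitized() {
    $post_id = $_GET['post_id']; // arbitrary string used as an ID
    $orderby = $_GET['orderby']; // arbitrary string used as a sort column
    $site    = $_GET['site'];    // arbitrary string stored as a URL

    update_option( 'example_settings', array(
        'post_id' => $post_id,
        'orderby' => $orderby,
        'site'    => $site,
    ) );
}

// Corrected: unslash, sanitize for the expected type, allowlist constrained values.
function example_save_settings_sanitized() {
    // Step 1: WordPress adds slashes to request data, so strip them first.
    // Step 2: pick the sanitizer that matches the type the code expects.
    $post_id = isset( $_GET['post_id'] ) ? absint( wp_unslash( $_GET['post_id'] ) ) : 0;
    $site    = isset( $_GET['site'] ) ? esc_url_raw( wp_unslash( $_GET['site'] ) ) : '';
    $label   = isset( $_GET['label'] ) ? sanitize_text_field( wp_unslash( $_GET['label'] ) ) : '';

    // Step 3: a sort field is a constrained value. sanitize_key() only
    // normalises the candidate; the allowlist decides whether it is acceptable,
    // and anything outside it falls back to a known-good default.
    $allowed_orderby = array( 'date', 'title', 'menu_order' );
    $orderby = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';
    }

    // absint() returns 0 for anything that is not a positive integer,
    // so 0 means no valid ID was supplied and nothing should be saved.
    if ( 0 === $post_id ) {
        return false;
    }

    update_option( 'example_settings', array(
        'post_id' => $post_id,
        'orderby' => $orderby,
        'site'    => $site,
        'label'   => $label,
    ) );

    return true;
}
```

The sanitizer is chosen per field rather than applied uniformly: `absint()` for the ID, `esc_url_raw()` for a URL that will be stored, `sanitize_text_field()` for free text, and an allowlist for the sort field because a sanitized string is still not a valid column name.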
## Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3501 | Paystack MemberPress | 40 | 71 | 76 | 400 | | | Output is not escaped |
| #3502 | Permalink Editor | 40 | 50 | 28 | 1k+ | | | Output is not escaped |
| #3503 | List Petfinder Pets | 40 | 121 | 46 | 400 | | | Output is not escaped |
| #3504 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40 | 68 | 249 | 3k+ | | | Missing nonce verification |
| #3505 | Plugin Load Filter | 40 | 76 | 112 | 7k+ | | | Text Domain Mismatch |
| #3506 | Popup addon for Ninja Forms | 40 | 121 | 25 | 1k+ | | | Output is not escaped |
| #3507 | Post Ratings | 40 | 160 | 32 | 600 | | | Output is not escaped |
| #3508 | Requirements Checklist | 40 | 200 | 22 | 900 | | | Output is not escaped |
| #3509 | Private Google Calendars | 40 | 227 | 37 | 1k+ | | | Output is not escaped |
| #3510 | Privilege Widget | 40 | 139 | 52 | 600 | | | Text Domain Mismatch |
| #3511 | PT Theme Addon | 40 | 67 | 21 | 1k+ | | | Output is not escaped |
| #3512 | Quick Child Theme Generator | 40 | 22 | 74 | 900 | | | Request data is not unslashed |
| #3513 | Quiz Cat – WordPress Quiz Plugin | 40 | 151 | 69 | 4k+ | | | Output is not escaped |
| #3514 | Random Banner | 40 | 59 | 125 | 1k+ | | | Output is not escaped |
| #3515 | Random Post Plugin – Redirect URL to Post | 40 | 28 | 74 | 4k+ | | | Nonce verification recommended |
| #3516 | Redirector | 40 | 48 | 32 | 7k+ | | | Output is not escaped |
| #3517 | Manual Related Posts | 40 | 51 | 32 | 1k+ | | | Output is not escaped |
| #3518 | Rename default post Labels | 40 | 54 | 36 | 600 | | | Text Domain Mismatch |
| #3519 | Responsive Plus – Elementor Templates & Starter Sites | 40 | 46 | 305 | 10k+ | | | Non-prefixed global variable |
| #3520 | Responsive Full Width Background Slider | 40 | 131 | 22 | 2k+ | | | Unsafe printing function |
| #3521 | Responsive Sidebar | 40 | 43 | 12 | 700 | | | Output is not escaped |
| #3522 | Responsive Slider | 40 | 28 | 15 | 3k+ | | | Output is not escaped |
| #3523 | Risk Free Cash On Delivery (COD) – WooCommerce | 40 | 106 | 31 | 400 | | | Text Domain Mismatch |
| #3524 | Role Based Redirect | 40 | 20 | 96 | 2k+ | | | Non-prefixed global variable |
| #3525 | RPB Chessboard | 40 | 86 | 98 | 1k+ | | | Missing direct file access protection |
| #3526 | Sales Tax Reports For WooCommerce | 40 | 50 | 65 | 900 | | | Output is not escaped |
| #3527 | Schedule Posts Calendar | 40 | 74 | 36 | 1k+ | | | Output is not escaped |
| #3528 | Search Live | 40 | 132 | 71 | 600 | | | Output is not escaped |
| #3529 | Secondary Title | 40 | 117 | 31 | 7k+ | | | Unsafe printing function |
| #3530 | Select All Categories and Taxonomies, Change Checkbox to Radio Buttons | 40 | 116 | 30 | 3k+ | | | Output is not escaped |
| #3531 | Sendy Widget | 40 | 46 | 17 | 700 | | | Output is not escaped |
| #3532 | Serviceform Pixel | 40 | 18 | 22 | 400 | | | Output is not escaped |
| #3533 | Multipage | 40 | 72 | 28 | 900 | | | Unsafe printing function |
| #3534 | Shortcodes Finder | 40 | 22 | 188 | 4k+ | | | Nonce verification recommended |
| #3535 | Show Pages URL List | 40 | 29 | 234 | 1k+ | | | Non-prefixed global variable |
| #3536 | Simple Statistics for Feeds | 40 | 64 | 131 | 800 | | | Nonce verification recommended |
| #3537 | Simple Link List Widget | 40 | 129 | 8 | 2k+ | | | Output is not escaped |
| #3538 | Simple Page Sidebars | 40 | 55 | 65 | 20k+ | | | Output is not escaped |
| #3539 | Sinatra Core | 40 | 101 | 15 | 8k+ | | | Output is not escaped |
| #3540 | Specific Content For Mobile – Customize the mobile version without redirections | 40 | 26 | 155 | 4k+ | | | Nonce verification recommended |
| #3541 | SportsPress for Cricket | 40 | 122 | 34 | 500 | | | Text Domain Mismatch |
| #3542 | ST Demo Importer | 40 | 27 | 75 | 700 | | | Missing nonce verification |
| #3543 | Stax Addons for Elementor | 40 | 143 | 81 | 500 | | | Output is not escaped |
| #3544 | Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress | 40 | 28 | 167 | 2k+ | | | Request data is not unslashed |
| #3545 | Developer Tools Blocker | 40 | 35 | 47 | 400 | | | strip tags |
| #3546 | Tagging | 40 | 33 | 37 | 500 | | | Output is not escaped |
| #3547 | Tealium | 40 | 73 | 19 | 600 | | | Unsafe printing function |
| #3548 | Theme Toolkit | 40 | 53 | 14 | 400 | | | Output is not escaped |
| #3549 | Theme and plugin translation for Polylang (TTfP) | 40 | 102 | 62 | 10k+ | | | Text Domain Mismatch |
| #3550 | Multiple Shipping Addresses for WooCommerce (Address Book) | 40 | 21 | 208 | 2k+ | | | Non-prefixed global variable |