WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.
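The three steps above applied to one request handler, as an added example that is not taken from any plugin listed on this page. It assumes a hypothetical plugin with the prefix `myplugin` and runs inside WordPress as an `admin_post` handler; the field names, option name and allowlist are constructed for illustration.

```php
<?php
// Added example, not from any listed plugin. The "myplugin" prefix, field
// names, option name and allowlist below are constructed for illustration.
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );

function myplugin_save_settings() {
	// Authorize and verify the nonce before reading any request data.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save' );

	// Flagged pattern: the raw superglobal goes straight into storage.
	// update_option( 'myplugin_settings', $_POST['settings'] );

	// ID: unslash, then absint() so the value is a non-negative integer.
	$page_id = isset( $_POST['page_id'] ) ? absint( wp_unslash( $_POST['page_id'] ) ) : 0;

	// Free text: unslash, then strip tags, line breaks and extra whitespace.
	$label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';

	// URL: request fields can arrive as arrays (callback_url[]=x), so only
	// hand a string to esc_url_raw().
	$callback_url = '';
	if ( isset( $_POST['callback_url'] ) && is_string( $_POST['callback_url'] ) ) {
		$callback_url = esc_url_raw( wp_unslash( $_POST['callback_url'] ) );
	}

	// Constrained value: normalize with sanitize_key(), then accept it only
	// if it is on the allowlist; anything else falls back to the default.
	$allowed_sort = array( 'date', 'title', 'menu_order' );
	$sort_by      = isset( $_POST['sort_by'] ) ? sanitize_key( wp_unslash( $_POST['sort_by'] ) ) : '';
	if ( ! in_array( $sort_by, $allowed_sort, true ) ) {
		$sort_by = 'date';
	}

	update_option(
		'myplugin_settings',
		array(
			'page_id'      => $page_id,
			'label'        => $label,
			'callback_url' => $callback_url,
			'sort_by'      => $sort_by,
		)
	);

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
```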

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#3501 | Paystack MemberPress | 407176400 | Output is not escaped
#3502 | Permalink Editor | 4050281k+ | Output is not escaped
#3503 | List Petfinder Pets | 4012146400 | Output is not escaped
#3504 | Pixel Tag Manager for WooCommerce – Google Analytics 4, Google Ads, and More Pixels | 40682493k+ | Missing nonce verification
#3505 | Plugin Load Filter | 40761127k+ | Text Domain Mismatch
#3506 | Popup addon for Ninja Forms | 40121251k+ | Output is not escaped
#3507 | Post Ratings | 4016032600 | Output is not escaped
#3508 | Requirements Checklist | 4020022900 | Output is not escaped
#3509 | Private Google Calendars | 40227371k+ | Output is not escaped
#3510 | Privilege Widget | 4013952600 | Text Domain Mismatch
#3511 | PT Theme Addon | 4067211k+ | Output is not escaped
#3512 | Quick Child Theme Generator | 402274900 | Request data is not unslashed
#3513 | Quiz Cat – WordPress Quiz Plugin | 40151694k+ | Output is not escaped
#3514 | Random Banner | 40591251k+ | Output is not escaped
#3515 | Random Post Plugin – Redirect URL to Post | 4028744k+ | Nonce verification recommended
#3516 | Redirector | 4048327k+ | Output is not escaped
#3517 | Manual Related Posts | 4051321k+ | Output is not escaped
#3518 | Rename default post Labels | 405436600 | Text Domain Mismatch
#3519 | Responsive Plus – Elementor Templates & Starter Sites | 404630510k+ | Non-prefixed global variable
#3520 | Responsive Full Width Background Slider | 40131222k+ | Unsafe printing function
#3521 | Responsive Sidebar | 404312700 | Output is not escaped
#3522 | Responsive Slider | 4028153k+ | Output is not escaped
#3523 | Risk Free Cash On Delivery (COD) – WooCommerce | 4010631400 | Text Domain Mismatch
#3524 | Role Based Redirect | 4020962k+ | Non-prefixed global variable
#3525 | RPB Chessboard | 4086981k+ | Missing direct file access protection
#3526 | Sales Tax Reports For WooCommerce | 405065900 | Output is not escaped
#3527 | Schedule Posts Calendar | 4074361k+ | Output is not escaped
#3528 | Search Live | 4013271600 | Output is not escaped
#3529 | Secondary Title | 40117317k+ | Unsafe printing function
#3530 | Select All Categories and Taxonomies, Change Checkbox to Radio Buttons | 40116303k+ | Output is not escaped
#3531 | Sendy Widget | 404617700 | Output is not escaped
#3532 | Serviceform Pixel | 401822400 | Output is not escaped
#3533 | Multipage | 407228900 | Unsafe printing function
#3534 | Shortcodes Finder | 40221884k+ | Nonce verification recommended
#3535 | Show Pages URL List | 40292341k+ | Non-prefixed global variable
#3536 | Simple Statistics for Feeds | 4064131800 | Nonce verification recommended
#3537 | Simple Link List Widget | 4012982k+ | Output is not escaped
#3538 | Simple Page Sidebars | 40556520k+ | Output is not escaped
#3539 | Sinatra Core | 40101158k+ | Output is not escaped
#3540 | Specific Content For Mobile – Customize the mobile version without redirections | 40261554k+ | Nonce verification recommended
#3541 | SportsPress for Cricket | 4012234500 | Text Domain Mismatch
#3542 | ST Demo Importer | 402775700 | Missing nonce verification
#3543 | Stax Addons for Elementor | 4014381500 | Output is not escaped
#3544 | Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress | 40281672k+ | Request data is not unslashed
#3545 | Developer Tools Blocker | 403547400 | strip tags strip tags
#3546 | Tagging | 403337500 | Output is not escaped
#3547 | Tealium | 407319600 | Unsafe printing function
#3548 | Theme Toolkit | 405314400 | Output is not escaped
#3549 | Theme and plugin translation for Polylang (TTfP) | 401026210k+ | Text Domain Mismatch
#3550 | Multiple Shipping Addresses for WooCommerce (Address Book) | 40212082k+ | Non-prefixed global variable