WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data (values read from `$_GET`, `$_POST`, `$_REQUEST`, or another superglobal) is used without first being cleaned to the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter program logic, break queries, or become the entry point of a later security issue once the value reaches a query, an option, or the page output.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
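The three steps above applied to a small settings handler, as an added example that is not code from the original page or from any plugin listed below. The `myplugin_` prefix, the option name, the field names and the nonce action are hypothetical; the "before" function is the shape of code this sniff reports, and the "after" function is the corrected form.

```php
<?php
// Added example (not from the page or any listed plugin). All names are hypothetical.

// BEFORE: the pattern WordPress.Security.ValidatedSanitizedInput.InputNotSanitized flags.
// Every value is taken raw from $_POST and stored as-is.
function myplugin_save_settings_unsafe() {
    $post_id = $_POST['post_id'];   // arbitrary string, not an integer
    $orderby = $_POST['orderby'];   // later used as a sort column
    $label   = $_POST['label'];     // stored, then echoed on an admin page
    update_option( 'myplugin_settings', compact( 'post_id', 'orderby', 'label' ) );
}

// AFTER: unslash first, then sanitize each value for the type it must have.
function myplugin_save_settings() {
    // Capability and nonce checks belong before any request data is read.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'myplugin_save_settings' ); // hypothetical nonce action

    // Integer ID: absint() yields a non-negative integer, 0 for garbage input.
    $post_id = isset( $_POST['post_id'] )
        ? absint( wp_unslash( $_POST['post_id'] ) )
        : 0;

    // Constrained value: sanitize_key() normalizes to [a-z0-9_-], then an
    // explicit allowlist decides which sort columns are acceptable.
    $allowed_orderby = array( 'date', 'title', 'menu_order' );
    $orderby = isset( $_POST['orderby'] )
        ? sanitize_key( wp_unslash( $_POST['orderby'] ) )
        : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date'; // fall back rather than store an unknown column name
    }

    // Free text: sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
    $label = isset( $_POST['label'] )
        ? sanitize_text_field( wp_unslash( $_POST['label'] ) )
        : '';

    // Every stored value now has the type and range the rest of the plugin expects.
    update_option( 'myplugin_settings', array(
        'post_id' => $post_id,
        'orderby' => $orderby,
        'label'   => $label,
    ) );
}
```

For `absint()` the `wp_unslash()` call changes nothing, but keeping the unslash-then-sanitize order on every field is what the sniff family expects and avoids a separate "Request data is not unslashed" report. The allowlist check is the only step that protects the sort column: `sanitize_key()` alone would still accept any lowercase identifier.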
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3551 | Unlimited Logo Carousel | 40 | 286 | 15 | 500 | | | Text Domain Mismatch |
| #3552 | Upcoming Events Lists | 40 | 75 | 17 | 900 | | | Text Domain Mismatch |
| #3553 | Url Rewrite Analyzer | 40 | 73 | 23 | 400 | | | Unsafe printing function |
| #3554 | UsersWP – ReCaptcha | 40 | 80 | 17 | 3k+ | | | Text Domain Mismatch |
| #3555 | UTM Leads Tracker – XLPlugins | 40 | 21 | 38 | 400 | | | Output is not escaped |
| #3556 | Visibility Control for LearnDash | 40 | 55 | 23 | 1k+ | | | Missing Arg Domain |
| #3557 | Visibility Control for LearnPress | 40 | 52 | 19 | 700 | | | Missing Arg Domain |
| #3558 | Visma Pay for Woocommerce | 40 | 27 | 37 | 2k+ | | | Output is not escaped |
| #3559 | Visual Builder for Contact Form 7 | 40 | 20 | 43 | 500 | | | Output is not escaped |
| #3560 | Visual Editor Custom Buttons | 40 | 30 | 48 | 4k+ | | | Output is not escaped |
| #3561 | WP Sticky Button – Click to Chat | 40 | 73 | 64 | 10k+ | | | Non-prefixed global variable |
| #3562 | Where Did You Hear About Us Checkout Field for WooCommerce | 40 | 57 | 66 | 1k+ | | | Output is not escaped |
| #3563 | WC Search Orders By Product | 40 | 47 | 66 | 800 | | | Nonce verification recommended |
| #3564 | Webo-facto | 40 | 10 | 90 | 800 | | | Input is not sanitized |
| #3565 | Weight Based Pricing for WooCommerce | 40 | 167 | 86 | 600 | | | Text Domain Mismatch |
| #3566 | Widget Builder | 40 | 40 | 52 | 500 | | | Non-prefixed global variable |
| #3567 | Widget Menuizer | 40 | 44 | 26 | 600 | | | Missing Arg Domain |
| #3568 | Widget Visibility Without Jetpack | 40 | 74 | 47 | 5k+ | | | Text Domain Mismatch |
| #3569 | Widgets Control | 40 | 92 | 47 | 800 | | | Output is not escaped |
| #3570 | Payment Gateway – nexi Alpha Bank for WooCommerce | 40 | 28 | 45 | 1k+ | | | Missing nonce verification |
| #3571 | WPC Frequently Bought Together for WooCommerce | 40 | 63 | 109 | 10k+ | | | Output is not escaped |
| #3572 | Preview E-mails for WooCommerce | 40 | 35 | 37 | 30k+ | | | Unsafe printing function |
| #3573 | NP Quote Request for WooCommerce | 40 | 91 | 145 | 9k+ | | | Non-prefixed global variable |
| #3574 | Total Sales Counts for WooCommerce | 40 | 121 | 62 | 700 | | | SQL query is not prepared |
| #3575 | yubikey-plugin | 40 | 64 | 33 | 400 | | | Text Domain Mismatch |
| #3576 | All In One SEO Pack for WooCommerce | 40 | 57 | 25 | 3k+ | | | Text Domain Mismatch |
| #3577 | Simple Registration for WooCommerce | 40 | 27 | 55 | 4k+ | | | Missing nonce verification |
| #3578 | WooSidebars | 40 | 43 | 37 | 100k+ | | | Missing Translators Comment |
| #3579 | Word Balloon | 40 | 20 | 125 | 10k+ | | | Request data is not unslashed |
| #3580 | WP Compress for MainWP | 40 | 20 | 36 | 700 | | | Output is not escaped |
| #3581 | Custom CSS/JS | 40 | 58 | 34 | 700 | | | Text Domain Mismatch |
| #3582 | WP Date and Time Shortcode | 40 | 90 | 12 | 10k+ | | | Output is not escaped |
| #3583 | WP Discord Invite | 40 | 73 | 42 | 400 | | | Unsafe printing function |
| #3584 | Easy PayPal & Stripe Buy Now Button | 40 | 388 | 96 | 10k+ | | | Unsafe printing function |
| #3585 | WP Help | 40 | 49 | 54 | 10k+ | | | Unsafe printing function |
| #3586 | WP All Import – Job Listing Import for WP Job Manager | 40 | 35 | 27 | 2k+ | | | Output is not escaped |
| #3587 | WP Keyword Suggest | 40 | 29 | 41 | 500 | | | Non Singular String Literal Domain |
| #3588 | Media Library Categories | 40 | 29 | 49 | 20k+ | | | Output is not escaped |
| #3589 | WP Meteor Website Speed Optimization Addon | 40 | 34 | 19 | 20k+ | | | Output is not escaped |
| #3590 | WP Multisite Content Copier/Updater | 40 | 19 | 144 | 800 | | | Interpolated SQL is not prepared |
| #3591 | WP Paint – WordPress Image Editor | 40 | 30 | 29 | 6k+ | | | Missing Arg Domain |
| #3592 | QR code MeCard/vCard generator | 40 | 322 | 21 | 2k+ | | | Unsafe printing function |
| #3593 | WP Reroute Email | 40 | 141 | 106 | 1k+ | | | Output is not escaped |
| #3594 | Sentry for WordPress | 40 | 80 | 40 | 10k+ | | | Text Domain Mismatch |
| #3595 | Social Share Buttons & Analytics Plugin – GetSocial.io | 40 | 97 | 25 | 2k+ | | | Output is not escaped |
| #3596 | WP Tab Widget | 40 | 128 | 32 | 10k+ | | | Output is not escaped |
| #3597 | WP Theme Test | 40 | 21 | 39 | 7k+ | | | Input is not sanitized |
| #3598 | WPC Estimated Delivery Date for WooCommerce | 40 | 13 | 106 | 10k+ | | | Non-prefixed global variable |
| #3599 | WPC Force Sells for WooCommerce | 40 | 38 | 97 | 600 | | | Output is not escaped |
| #3600 | WPC Smart Price Filter for WooCommerce | 40 | 23 | 62 | 600 | | | Nonce verification recommended |