WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first, since WordPress adds slashes to the superglobals, so the sanitizer operates on the raw value.
- Choose the sanitizer that matches the expected value type, such as `absint()` for IDs, `sanitize_key()` for keys, `sanitize_text_field()` for plain text, or `esc_url_raw()` for URLs that will be stored.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
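The three steps above in one admin save handler, as an added example that is not code from the original page or from any listed plugin. The first function is the shape the sniff flags; the second applies the fix. It assumes a WordPress runtime (`wp_unslash()`, `absint()`, `sanitize_key()`, `sanitize_text_field()`, `esc_url_raw()`, `current_user_can()`, `check_admin_referer()` and `update_option()` are core functions); the `example_` function, option and field names and the sort-field allowlist are hypothetical.

```php
<?php
/**
 * Added example (not from the original page): one settings handler written twice,
 * first as the scan flags it, then with each value sanitized for its expected type.
 * Assumes a WordPress runtime; option/field names and the allowlist are hypothetical.
 */

// --- As flagged: every $_POST value flows into storage untouched. ---
function example_save_settings_unsanitized() {
    update_option( 'example_target_page', $_POST['target_page'] ); // expected: int post ID
    update_option( 'example_sort_field', $_POST['sort_field'] );   // expected: one of a few column names
    update_option( 'example_banner_text', $_POST['banner_text'] ); // expected: short plain text
    update_option( 'example_banner_url', $_POST['banner_url'] );   // expected: URL
}

// --- Hardened: check presence, unslash, then sanitize for the expected type. ---
function example_save_settings_sanitized() {
    // Capability and nonce checks come before any use of request data.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'example_save_settings' ); // dies on a missing or invalid nonce

    // Integer ID: absint() coerces to a non-negative int; 0 means "no page selected".
    $target_page = isset( $_POST['target_page'] )
        ? absint( wp_unslash( $_POST['target_page'] ) )
        : 0;

    // Constrained value: sanitize_key() normalises to [a-z0-9_-], the allowlist decides.
    $allowed_sort = array( 'date', 'title', 'menu_order' ); // hypothetical allowlist
    $sort_field   = isset( $_POST['sort_field'] )
        ? sanitize_key( wp_unslash( $_POST['sort_field'] ) )
        : 'date';
    if ( ! in_array( $sort_field, $allowed_sort, true ) ) {
        $sort_field = 'date'; // an unknown value falls back to the default and is never stored
    }

    // Free text: sanitize_text_field() strips tags, control characters and extra whitespace.
    $banner_text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';

    // URL destined for storage: esc_url_raw() keeps only allowed protocols and does not
    // HTML-encode, which is what you want for a database value (escape again on output).
    $banner_url = isset( $_POST['banner_url'] )
        ? esc_url_raw( wp_unslash( $_POST['banner_url'] ) )
        : '';

    update_option( 'example_target_page', $target_page );
    update_option( 'example_sort_field', $sort_field );
    update_option( 'example_banner_text', $banner_text );
    update_option( 'example_banner_url', $banner_url );
}
```

The pattern that satisfies the sniff is the same for every field: `isset()` guard, `wp_unslash()` innermost, the type-specific sanitizer around it, and for values that may only take a handful of forms, a strict `in_array( ..., true )` against a hard-coded allowlist after sanitizing. Sanitizing on input does not replace escaping on output; the stored values still need `esc_html()`, `esc_attr()` or `esc_url()` when rendered.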
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3601 | WPFront Notification Bar | 40 | 222 | 44 | 50k+ | | | Output is not escaped |
| #3602 | XLTab – Accordions and Tabs for Elementor Page Builder | 40 | 317 | 65 | 1k+ | | | Text Domain Mismatch |
| #3603 | Yektanet Ecommerce | 40 | 45 | 103 | 900 | | | Request data is not unslashed |
| #3604 | My YouTube Channel | 40 | 54 | 38 | 5k+ | | | Output is not escaped |
| #3605 | Zippy | 40 | 43 | 31 | 9k+ | | | Output is not escaped |
| #3606 | AMP for WP – Accelerated Mobile Pages | 41 | 656 | 2,401 | 80k+ | | | Non-prefixed global variable |
| #3607 | Ad Auto Insert H | 41 | 496 | 15 | 1k+ | | | Non Singular String Literal Domain |
| #3608 | Add-on Contact Form 7 – MailPoet 3 | 41 | 88 | 12 | 3k+ | | | Output is not escaped |
| #3609 | AddQuicktag | 41 | 86 | 10 | 100k+ | | | Output is not escaped |
| #3610 | Advance Bank Payment Transfer Gateway | 41 | 105 | 62 | 1k+ | | | Text Domain Mismatch |
| #3611 | Advanced Excerpt | 41 | 69 | 43 | 70k+ | | | Unsafe printing function |
| #3612 | AffiliateWP – Affiliate Product Rates | 41 | 84 | 24 | 2k+ | | | Output is not escaped |
| #3613 | Age Verify | 41 | 29 | 31 | 1k+ | | | Output is not escaped |
| #3614 | AH Display Widgets | 41 | 52 | 16 | 8k+ | | | Text Domain Mismatch |
| #3615 | Schema – All In One Schema Rich Snippets | 41 | 598 | 180 | 30k+ | | | Text Domain Mismatch |
| #3616 | Alma – Pay in installments or later for WooCommerce | 41 | 116 | 68 | 1k+ | | | Exception output is not escaped |
| #3617 | Amazon Link Engine | 41 | 38 | 17 | 2k+ | | | Output is not escaped |
| #3618 | Amazon Web Services | 41 | 53 | 21 | 5k+ | | | Missing Translators Comment |
| #3619 | Announcer – Sticky Message Banner & Notification Bar | 41 | 110 | 27 | 10k+ | | | Output is not escaped |
| #3620 | Antispam | 41 | 11 | 41 | 400 | | | Missing nonce verification |
| #3621 | Authenticator | 41 | 59 | 44 | 1k+ | | | Output is not escaped |
| #3622 | Auto Focus Keyword for SEO | 41 | 12 | 38 | 2k+ | | | Input is not validated |
| #3623 | Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) | 41 | 175 | 26 | 100k+ | | | Unsafe printing function |
| #3624 | Autocomplete Google Address | 41 | 21 | 67 | 2k+ | | | Nonce verification recommended |
| #3625 | Avatar Manager | 41 | 29 | 41 | 5k+ | | | Unsafe printing function |
| #3626 | Beam me up Scotty – Back to Top Button | 41 | 71 | 38 | 1k+ | | | Output is not escaped |
| #3627 | Beautiful Cookie Consent Banner | 41 | 33 | 76 | 40k+ | | | Non-prefixed global variable |
| #3628 | Book Now | 41 | 75 | 14 | 1k+ | | | Output is not escaped |
| #3629 | Bop Search Box Item Type For Nav Menus | 41 | 52 | 14 | 1k+ | | | Output is not escaped |
| #3630 | BuddyPress Xprofile Custom Field Types | 41 | 39 | 189 | 4k+ | | | Missing nonce verification |
| #3631 | BuddyPress Edit Activity | 41 | 28 | 26 | 800 | | | Output is not escaped |
| #3632 | Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO) | 41 | 16 | 37 | 1k+ | | | Missing nonce verification |
| #3633 | Bulk Images to Posts | 41 | 55 | 5 | 1k+ | | | Unsafe printing function |
| #3634 | Cache control by Cacholong | 41 | 87 | 30 | 500 | | | Non Singular String Literal Domain |
| #3635 | Carbon Copy | 41 | 64 | 89 | 3k+ | | | Text Domain Mismatch |
| #3636 | Easy Social Like Box – Popup – Sidebar Widget | 41 | 218 | 91 | 7k+ | | | Text Domain Mismatch |
| #3637 | Categorized Tag Cloud | 41 | 44 | 17 | 1k+ | | | Output is not escaped |
| #3638 | Conditional Fields for Contact Form 7 | 41 | 113 | 52 | 100k+ | | | Output is not escaped |
| #3639 | CF7 Invisible reCAPTCHA | 41 | 19 | 52 | 7k+ | | | Request data is not unslashed |
| #3640 | Submission DOM tracking for Contact Form 7 | 41 | 144 | 8 | 400 | | | Text Domain Mismatch |
| #3641 | ChatBot Conversational AI Support | 41 | 72 | 32 | 1k+ | | | Short PHP open tag found |
| #3642 | Checklist | 41 | 62 | 25 | 400 | | | Text Domain Mismatch |
| #3643 | clickskeks.at Cookiebanner | 41 | 21 | 18 | 500 | | | Unsafe printing function |
| #3644 | CloudGuard | 41 | 41 | 13 | 1k+ | | | Output is not escaped |
| #3645 | CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree | 41 | 121 | 96 | 50k+ | | | Unsafe printing function |
| #3646 | CoinPayments.net Payment Gateway for WooCommerce | 41 | 51 | 32 | 1k+ | | | Text Domain Mismatch |
| #3647 | Colorful Categories | 41 | 20 | 20 | 2k+ | | | Output is not escaped |
| #3648 | Comments Like Dislike | 41 | 172 | 20 | 5k+ | | | Non Singular String Literal Domain |
| #3649 | Contact Form 7 Captcha | 41 | 7 | 75 | 100k+ | | | Request data is not unslashed |
| #3650 | Content Widget | 41 | 72 | 9 | 400 | | | Output is not escaped |