WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Data from a request superglobal (`$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE`, `$_SERVER`) is used without first being coerced to the type or format the code expects.

Weight: critical

Why It Shows Up

The scan found superglobal input flowing into code without passing through a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist. The sniff checks each superglobal access in place, so the sanitizer must wrap the access itself (`absint( $_GET['id'] )`); assigning the raw value to a variable and cleaning it later is reported.

Why It Matters

Unsanitized input can pollute stored options, alter control flow, break or inject into queries, or become the source of a later issue such as stored XSS when the value is echoed back out. Sanitizing at the point of input is what keeps every downstream consumer of the value from having to defend itself.

How to Fix

  • Unslash request data with `wp_unslash()` first; sanitizers expect the unslashed value.
  • Choose the sanitizer that matches the expected value, such as `absint()` for IDs, `sanitize_text_field()` for free text, `esc_url_raw()` for URLs that will be stored, or `sanitize_key()` for keys and slugs.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values; fall back to a default or reject the request when the value is not in the list.
  • Sanitizing on input does not replace escaping on output: a value that is later printed still needs `esc_html()`, `esc_attr()` or `esc_url()`.
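
The steps above applied to one settings handler, as an added example written for this page (it is not code from the page or from any plugin listed below). The plugin prefix `myplugin_`, the option name `myplugin_settings`, the nonce action and the form field names are assumptions; every function called is a WordPress core API.

```php
<?php
/**
 * Added example, not taken from any listed plugin.
 * Assumed context: an admin form posting title, homepage, per_page and orderby
 * to a hypothetical plugin whose settings live in the option 'myplugin_settings'.
 */

// BEFORE: raw request data flows straight into storage (this is what the sniff reports).
function myplugin_save_settings_unsafe() {
    $settings = array(
        'title'    => $_POST['title'],    // any string, still magic-quoted (slashed)
        'homepage' => $_POST['homepage'], // "javascript:alert(1)" is accepted as-is
        'per_page' => $_POST['per_page'], // "10 OR 1=1" is stored verbatim
        'orderby'  => $_POST['orderby'],  // later interpolated into an ORDER BY clause
    );
    update_option( 'myplugin_settings', $settings );
}

// AFTER: unslash, sanitize for the expected type, allowlist constrained values.
function myplugin_save_settings() {
    // Capability and nonce checks are separate sniffs; they are kept minimal here
    // so the focus stays on sanitizing, but a real handler must not omit them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ) );
    }
    check_admin_referer( 'myplugin_save_settings' ); // assumed nonce action name

    // Free text: sanitize_text_field() strips tags, invalid UTF-8 and extra whitespace.
    $title = isset( $_POST['title'] )
        ? sanitize_text_field( wp_unslash( $_POST['title'] ) )
        : '';

    // A URL headed for the database: esc_url_raw() (esc_url() is for output only).
    // Unknown schemes such as javascript: are rejected and the result is ''.
    $homepage = isset( $_POST['homepage'] )
        ? esc_url_raw( wp_unslash( $_POST['homepage'] ) )
        : '';

    // An integer with a sane range: absint() then clamp. "10 OR 1=1" becomes 10.
    $per_page = isset( $_POST['per_page'] ) ? absint( wp_unslash( $_POST['per_page'] ) ) : 10;
    $per_page = min( max( $per_page, 1 ), 100 );

    // A constrained value: sanitize_key() normalises to [a-z0-9_-], then an explicit
    // allowlist decides whether it is acceptable at all. Anything else falls back.
    $allowed_orderby = array( 'date', 'title', 'modified' );
    $orderby = isset( $_POST['orderby'] ) ? sanitize_key( wp_unslash( $_POST['orderby'] ) ) : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';
    }

    update_option(
        'myplugin_settings',
        array(
            'title'    => $title,
            'homepage' => $homepage,
            'per_page' => $per_page,
            'orderby'  => $orderby,
        )
    );
}

// Consumer: the allowlisted value is safe to hand to WP_Query, and the stored
// title is still escaped when printed, because sanitizing is not escaping.
function myplugin_render_recent() {
    $settings = wp_parse_args(
        (array) get_option( 'myplugin_settings', array() ),
        array( 'title' => '', 'per_page' => 10, 'orderby' => 'date' )
    );
    $query = new WP_Query(
        array(
            'posts_per_page' => (int) $settings['per_page'],
            'orderby'        => $settings['orderby'],
        )
    );
    echo '<h2>' . esc_html( $settings['title'] ) . '</h2>';
    while ( $query->have_posts() ) {
        $query->the_post();
        echo '<p>' . esc_html( get_the_title() ) . '</p>';
    }
    wp_reset_postdata();
}
```

Hook `myplugin_save_settings` to `admin_post_myplugin_save_settings` and the matching form action; the unsafe variant is shown only so the two can be compared line by line.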

Affected Plugins

Rank | Plugin | Score | Errors and Warnings (run together in the extracted text) | Installs | Top Issue
Added and Updated dates are not present in the captured rows.

#3601 | WPFront Notification Bar | 40 | 22244 | 50k+ | Output is not escaped
#3602 | XLTab – Accordions and Tabs for Elementor Page Builder | 40 | 31765 | 1k+ | Text Domain Mismatch
#3603 | Yektanet Ecommerce | 40 | 45103 | 900 | Request data is not unslashed
#3604 | My YouTube Channel | 40 | 5438 | 5k+ | Output is not escaped
#3605 | Zippy | 40 | 4331 | 9k+ | Output is not escaped
#3606 | AMP for WP – Accelerated Mobile Pages | 41 | 6562,401 | 80k+ | Non-prefixed global variable
#3607 | Ad Auto Insert H | 41 | 49615 | 1k+ | Non Singular String Literal Domain
#3608 | Add-on Contact Form 7 – MailPoet 3 | 41 | 8812 | 3k+ | Output is not escaped
#3609 | AddQuicktag | 41 | 8610 | 100k+ | Output is not escaped
#3610 | Advance Bank Payment Transfer Gateway | 41 | 10562 | 1k+ | Text Domain Mismatch
#3611 | Advanced Excerpt | 41 | 6943 | 70k+ | Unsafe printing function
#3612 | AffiliateWP – Affiliate Product Rates | 41 | 8424 | 2k+ | Output is not escaped
#3613 | Age Verify | 41 | 2931 | 1k+ | Output is not escaped
#3614 | AH Display Widgets | 41 | 5216 | 8k+ | Text Domain Mismatch
#3615 | Schema – All In One Schema Rich Snippets | 41 | 598180 | 30k+ | Text Domain Mismatch
#3616 | Alma – Pay in installments or later for WooCommerce | 41 | 11668 | 1k+ | Exception output is not escaped
#3617 | Amazon Link Engine | 41 | 3817 | 2k+ | Output is not escaped
#3618 | Amazon Web Services | 41 | 5321 | 5k+ | Missing Translators Comment
#3619 | Announcer – Sticky Message Banner & Notification Bar | 41 | 11027 | 10k+ | Output is not escaped
#3620 | Antispam | 41 | 1141 | 400 | Missing nonce verification
#3621 | Authenticator | 41 | 5944 | 1k+ | Output is not escaped
#3622 | Auto Focus Keyword for SEO | 41 | 1238 | 2k+ | Input is not validated
#3623 | Auto Image Attributes From Filename With Bulk Updater (Add Alt Text, Image Title For Image SEO) | 41 | 17526 | 100k+ | Unsafe printing function
#3624 | Autocomplete Google Address | 41 | 2167 | 2k+ | Nonce verification recommended
#3625 | Avatar Manager | 41 | 2941 | 5k+ | Unsafe printing function
#3626 | Beam me up Scotty – Back to Top Button | 41 | 7138 | 1k+ | Output is not escaped
#3627 | Beautiful Cookie Consent Banner | 41 | 3376 | 40k+ | Non-prefixed global variable
#3628 | Book Now | 41 | 7514 | 1k+ | Output is not escaped
#3629 | Bop Search Box Item Type For Nav Menus | 41 | 5214 | 1k+ | Output is not escaped
#3630 | BuddyPress Xprofile Custom Field Types | 41 | 39189 | 4k+ | Missing nonce verification
#3631 | BuddyPress Edit Activity | 41 | 2826 | 800 | Output is not escaped
#3632 | Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO) | 41 | 1637 | 1k+ | Missing nonce verification
#3633 | Bulk Images to Posts | 41 | 555 | 1k+ | Unsafe printing function
#3634 | Cache control by Cacholong | 41 | 8730 | 500 | Non Singular String Literal Domain
#3635 | Carbon Copy | 41 | 6489 | 3k+ | Text Domain Mismatch
#3636 | Easy Social Like Box – Popup – Sidebar Widget | 41 | 21891 | 7k+ | Text Domain Mismatch
#3637 | Categorized Tag Cloud | 41 | 4417 | 1k+ | Output is not escaped
#3638 | Conditional Fields for Contact Form 7 | 41 | 11352 | 100k+ | Output is not escaped
#3639 | CF7 Invisible reCAPTCHA | 41 | 1952 | 7k+ | Request data is not unslashed
#3640 | Submission DOM tracking for Contact Form 7 | 41 | 1448 | 400 | Text Domain Mismatch
#3641 | ChatBot Conversational AI Support | 41 | 7232 | 1k+ | Short PHP open tag found
#3642 | Checklist | 41 | 6225 | 400 | Text Domain Mismatch
#3643 | clickskeks.at Cookiebanner | 41 | 2118 | 500 | Unsafe printing function
#3644 | CloudGuard | 41 | 4113 | 1k+ | Output is not escaped
#3645 | CMS Tree Page View – Reorder Pages with a Drag-and-Drop Tree | 41 | 12196 | 50k+ | Unsafe printing function
#3646 | CoinPayments.net Payment Gateway for WooCommerce | 41 | 5132 | 1k+ | Text Domain Mismatch
#3647 | Colorful Categories | 41 | 2020 | 2k+ | Output is not escaped
#3648 | Comments Like Dislike | 41 | 17220 | 5k+ | Non Singular String Literal Domain
#3649 | Contact Form 7 Captcha | 41 | 775 | 100k+ | Request data is not unslashed
#3650 | Content Widget | 41 | 729 | 400 | Output is not escaped