WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3651Debug Bar41642520k+Output is not escaped
#3652Developer Loggers for Simple History414628400Text Domain Mismatch
#3653DevVN Local Store4184281k+Unsafe printing function
#3654Dinamize414165500Output is not escaped
#3655Disable Everything41901630k+Output is not escaped
#3656Disqus Conditional Load4138143k+Output is not escaped
#3657Dropdown multisite selector418213900Unsafe printing function
#3658DSGVO Youtube4148291k+Unsafe printing function
#3659Duplicate Post Page Menu & Custom Post Type41351110k+Text Domain Mismatch
#3660Duplicate Page and Post41262180k+Unsafe printing function
#3661Easy Random Quotes414214500Output is not escaped
#3662Email Address Encoder411098100k+wp function not compatible with requires wp
#3663Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam412153500Missing nonce verification
#3664Payment Gateway of PayPal for WooCommerce41441847k+Nonce verification recommended
#3665Extra User Details4184151k+Non Singular String Literal Domain
#3666Fast Chat Button41241881k+Non-prefixed global variable
#3667Featured Audio41549400Output is not escaped
#3668Featured Image Generator4131161k+Output is not escaped
#3669Flexible Posts Widget41136337k+Output is not escaped
#3670Gallery Lightbox41471610k+Output is not escaped
#3671Google Authenticator41396520k+Output is not escaped
#3672(Simply) Guest Author Name4135362k+Output is not escaped
#3673SNORDIAN's H5PxAPIkatchu4111988500SQL query is not prepared
#3674Hash Form – Drag & Drop Form Builder4192753k+Non-prefixed global variable
#3675Hide My Dates415011400Unsafe printing function
#3676Hide WP Admin Login412339500Nonce verification recommended
#3677Highcompress Image Compressor4110669600Text Domain Mismatch
#3678iCount Payment Gateway4115322500Text Domain Mismatch
#3679Import external attachments4118262k+Output is not escaped
#3680Insert JavaScript and CSS416419400Text Domain Mismatch
#3681Multiple Themes411124110k+Output is not escaped
#3682Social Sharing Plugin – Kiwi4123804k+Non-prefixed global variable
#3683Central Color Palette41733310k+Output is not escaped
#3684Lazy Load Optimizer4163263k+Unsafe printing function
#3685LH Agree to Terms415932800Output is not escaped
#3686Lockdown WP Admin41205010k+Request data is not unslashed
#3687Log cleaner for Solid Security4165478k+Text Domain Mismatch
#3688Magic Liquidizer Responsive Table41114386k+Text Domain Mismatch
#3689MaxLimits – Increase Maximum Upload, Post & PHP Limits4199162k+Unsafe printing function
#3690MaxSlider4121457k+Output is not escaped
#3691Media Grid4142442k+Missing Arg Domain
#3692Mihdan: Yandex Turbo Feed4165391k+Output is not escaped
#3693Mobile Contact Bar41943610k+Unsafe printing function
#3694Mollie Forms41145653k+Request data is not unslashed
#3695MouseWheel Smooth Scroll411047100k+Text Domain Mismatch
#3696Multiple Domain41421710k+Output is not escaped
#3697My Favorites4135341k+Output is not escaped
#3698My Wp Brand – Hide menu & Hide Plugin4174502k+Non Singular String Literal Domain
#3699Native Emoji4154375k+Unsafe printing function
#3700Nepali Date Utilities4151151k+date date