WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3651 | Debug Bar | 41 | 64 | 25 | 20k+ | Output is not escaped | ||
| #3652 | Developer Loggers for Simple History | 41 | 46 | 28 | 400 | Text Domain Mismatch | ||
| #3653 | DevVN Local Store | 41 | 84 | 28 | 1k+ | Unsafe printing function | ||
| #3654 | Dinamize | 41 | 41 | 65 | 500 | Output is not escaped | ||
| #3655 | Disable Everything | 41 | 90 | 16 | 30k+ | Output is not escaped | ||
| #3656 | Disqus Conditional Load | 41 | 38 | 14 | 3k+ | Output is not escaped | ||
| #3657 | Dropdown multisite selector | 41 | 82 | 13 | 900 | Unsafe printing function | ||
| #3658 | DSGVO Youtube | 41 | 48 | 29 | 1k+ | Unsafe printing function | ||
| #3659 | Duplicate Post Page Menu & Custom Post Type | 41 | 35 | 11 | 10k+ | Text Domain Mismatch | ||
| #3660 | Duplicate Page and Post | 41 | 26 | 21 | 80k+ | Unsafe printing function | ||
| #3661 | Easy Random Quotes | 41 | 42 | 14 | 500 | Output is not escaped | ||
| #3662 | Email Address Encoder | 41 | 109 | 8 | 100k+ | wp function not compatible with requires wp | ||
| #3663 | Essential Form – The lightest plugin for contact forms, ultra lightweight and no spam | 41 | 21 | 53 | 500 | Missing nonce verification | ||
| #3664 | Payment Gateway of PayPal for WooCommerce | 41 | 44 | 184 | 7k+ | Nonce verification recommended | ||
| #3665 | Extra User Details | 41 | 84 | 15 | 1k+ | Non Singular String Literal Domain | ||
| #3666 | Fast Chat Button | 41 | 24 | 188 | 1k+ | Non-prefixed global variable | ||
| #3667 | Featured Audio | 41 | 54 | 9 | 400 | Output is not escaped | ||
| #3668 | Featured Image Generator | 41 | 31 | 16 | 1k+ | Output is not escaped | ||
| #3669 | Flexible Posts Widget | 41 | 136 | 33 | 7k+ | Output is not escaped | ||
| #3670 | Gallery Lightbox | 41 | 47 | 16 | 10k+ | Output is not escaped | ||
| #3671 | Google Authenticator | 41 | 39 | 65 | 20k+ | Output is not escaped | ||
| #3672 | (Simply) Guest Author Name | 41 | 35 | 36 | 2k+ | Output is not escaped | ||
| #3673 | SNORDIAN's H5PxAPIkatchu | 41 | 119 | 88 | 500 | SQL query is not prepared | ||
| #3674 | Hash Form – Drag & Drop Form Builder | 41 | 9 | 275 | 3k+ | Non-prefixed global variable | ||
| #3675 | Hide My Dates | 41 | 50 | 11 | 400 | Unsafe printing function | ||
| #3676 | Hide WP Admin Login | 41 | 23 | 39 | 500 | Nonce verification recommended | ||
| #3677 | Highcompress Image Compressor | 41 | 106 | 69 | 600 | Text Domain Mismatch | ||
| #3678 | iCount Payment Gateway | 41 | 153 | 22 | 500 | Text Domain Mismatch | ||
| #3679 | Import external attachments | 41 | 18 | 26 | 2k+ | Output is not escaped | ||
| #3680 | Insert JavaScript and CSS | 41 | 64 | 19 | 400 | Text Domain Mismatch | ||
| #3681 | Multiple Themes | 41 | 112 | 41 | 10k+ | Output is not escaped | ||
| #3682 | Social Sharing Plugin – Kiwi | 41 | 23 | 80 | 4k+ | Non-prefixed global variable | ||
| #3683 | Central Color Palette | 41 | 73 | 33 | 10k+ | Output is not escaped | ||
| #3684 | Lazy Load Optimizer | 41 | 63 | 26 | 3k+ | Unsafe printing function | ||
| #3685 | LH Agree to Terms | 41 | 59 | 32 | 800 | Output is not escaped | ||
| #3686 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | Request data is not unslashed | ||
| #3687 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | Text Domain Mismatch | ||
| #3688 | Magic Liquidizer Responsive Table | 41 | 114 | 38 | 6k+ | Text Domain Mismatch | ||
| #3689 | MaxLimits – Increase Maximum Upload, Post & PHP Limits | 41 | 99 | 16 | 2k+ | Unsafe printing function | ||
| #3690 | MaxSlider | 41 | 21 | 45 | 7k+ | Output is not escaped | ||
| #3691 | Media Grid | 41 | 42 | 44 | 2k+ | Missing Arg Domain | ||
| #3692 | Mihdan: Yandex Turbo Feed | 41 | 65 | 39 | 1k+ | Output is not escaped | ||
| #3693 | Mobile Contact Bar | 41 | 94 | 36 | 10k+ | Unsafe printing function | ||
| #3694 | Mollie Forms | 41 | 14 | 565 | 3k+ | Request data is not unslashed | ||
| #3695 | MouseWheel Smooth Scroll | 41 | 104 | 7 | 100k+ | Text Domain Mismatch | ||
| #3696 | Multiple Domain | 41 | 42 | 17 | 10k+ | Output is not escaped | ||
| #3697 | My Favorites | 41 | 35 | 34 | 1k+ | Output is not escaped | ||
| #3698 | My Wp Brand – Hide menu & Hide Plugin | 41 | 74 | 50 | 2k+ | Non Singular String Literal Domain | ||
| #3699 | Native Emoji | 41 | 54 | 37 | 5k+ | Unsafe printing function | ||
| #3700 | Nepali Date Utilities | 41 | 51 | 15 | 1k+ | date date |