WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3701 | Grid Gallery – for Photo Gallery, Image Gallery & Portfolio | 41 | 9 | 74 | 1k+ | Request data is not unslashed | ||
| #3702 | Social Login | 41 | 8 | 110 | 5k+ | Input is not sanitized | ||
| #3703 | Omnibus — show the lowest price | 41 | 35 | 37 | 10k+ | Output is not escaped | ||
| #3704 | Live Chat & AI Chatbot – onWebChat | 41 | 31 | 91 | 700 | error log error log | ||
| #3705 | Optimus – WordPress Image Optimizer | 41 | 52 | 20 | 30k+ | Unsafe printing function | ||
| #3706 | OSS Aliyun | 41 | 19 | 40 | 4k+ | Request data is not unslashed | ||
| #3707 | Page Loading Effects | 41 | 68 | 24 | 2k+ | Output is not escaped | ||
| #3708 | Page & Post Notes | 41 | 12 | 77 | 1k+ | Non-prefixed global variable | ||
| #3709 | Page Specific Menu Items | 41 | 78 | 19 | 2k+ | Output is not escaped | ||
| #3710 | Passwordless Login | 41 | 40 | 24 | 1k+ | Output is not escaped | ||
| #3711 | المنتور فارسی | 41 | 19 | 54 | 40k+ | Nonce verification recommended | ||
| #3712 | Personalize Login | 41 | 47 | 84 | 500 | Nonce verification recommended | ||
| #3713 | Phone Button | 41 | 25 | 203 | 700 | Non-prefixed global variable | ||
| #3714 | Plugin Activation Tracker | 41 | 36 | 24 | 1k+ | Text Domain Mismatch | ||
| #3715 | Pods – Custom Content Types and Fields | 41 | 5 | 233 | 100k+ | Direct Query | ||
| #3716 | Web Accessibility (formally known as Ally) – WCAG Scanning, Guided Fixes, Usability Widget | 41 | 47 | 38 | 500k+ | Output is not escaped | ||
| #3717 | Smart Post – Post Grid, Post Carousel, Post Slider Gutenberg Blocks for Blog & News | 41 | 537 | 20k+ | Non-prefixed global variable | |||
| #3718 | Post Cloner | 41 | 25 | 15 | 1k+ | Text Domain Mismatch | ||
| #3719 | Posts 2 Posts | 41 | 42 | 73 | 10k+ | Non Singular String Literal Domain | ||
| #3720 | Posts Viewed Recently | 41 | 58 | 16 | 700 | Output is not escaped | ||
| #3721 | Powie's WHOIS Domain Check | 41 | 38 | 11 | 500 | Unsafe printing function | ||
| #3722 | Preload LCP Image | 41 | 110 | 31 | 4k+ | Unsafe printing function | ||
| #3723 | Prevent Landscape Rotation | 41 | 31 | 27 | 1k+ | Output is not escaped | ||
| #3724 | Product Expiry for WooCommerce | 41 | 31 | 85 | 2k+ | Request data is not unslashed | ||
| #3725 | Simple Product Options for WooCommerce | 41 | 62 | 41 | 3k+ | Output is not escaped | ||
| #3726 | Product Questions & Answers for WooCommerce | 41 | 81 | 95 | 400 | Output is not escaped | ||
| #3727 | Variation Swatches for WooCommerce | 41 | 29 | 126 | 9k+ | Missing nonce verification | ||
| #3728 | Recurring PayPal Donations | 41 | 48 | 47 | 800 | Text Domain Mismatch | ||
| #3729 | wpSUBpages Redirect | 41 | 24 | 27 | 600 | Output is not escaped | ||
| #3730 | Responsive Lightbox | 41 | 68 | 10 | 10k+ | Output is not escaped | ||
| #3731 | Revision Control | 41 | 60 | 28 | 40k+ | Output is not escaped | ||
| #3732 | Revisionize | 41 | 54 | 24 | 4k+ | Output is not escaped | ||
| #3733 | Send link to friend | 41 | 81 | 47 | 400 | Output is not escaped | ||
| #3734 | Service Showcase | 41 | 41 | 597 | 800 | Non-prefixed global variable | ||
| #3735 | Simple 301 Redirects By BetterLinks – Easy WordPress Redirect Manager for Redirects, 404 Error Log & More | 41 | 43 | 61 | 100k+ | Request data is not unslashed | ||
| #3736 | Simple Cache | 41 | 33 | 59 | 1k+ | Input is not sanitized | ||
| #3737 | Simple CPT | 41 | 280 | 60 | 4k+ | Unsafe printing function | ||
| #3738 | Simple Like Page – Fast & Privacy-Friendly Page Embeds | 41 | 145 | 31 | 10k+ | Output is not escaped | ||
| #3739 | IP Ban | 41 | 29 | 39 | 2k+ | Input is not validated | ||
| #3740 | Simple Lightbox | 41 | 21 | 48 | 100k+ | Nonce verification recommended | ||
| #3741 | Simple Page Access Restriction | 41 | 66 | 51 | 6k+ | Unsafe printing function | ||
| #3742 | Simple Revision Control | 41 | 34 | 43 | 1k+ | Dynamic hook name | ||
| #3743 | SiteSEO – SEO Simplified | 41 | 20 | 110 | 500k+ | Nonce verification recommended | ||
| #3744 | Smart User Slug Hider | 41 | 85 | 12 | 3k+ | Output is not escaped | ||
| #3745 | Smoove connector for Elementor forms | 41 | 22 | 60 | 600 | Nonce verification recommended | ||
| #3746 | SnapScan Payment Gateway | 41 | 33 | 30 | 700 | Output is not escaped | ||
| #3747 | Masonry Widget | 41 | 58 | 11 | 500 | Output is not escaped | ||
| #3748 | SQL Chart Builder | 41 | 38 | 52 | 600 | Text Domain Mismatch | ||
| #3749 | Squeeze – Image Optimization & Compression, WEBP Conversion | 41 | 20 | 70 | 2k+ | Nonce verification recommended | ||
| #3750 | Super Testimonial – Testimonial & Customer Review Slider Plugin for WordPress | 41 | 27 | 168 | 2k+ | Request data is not unslashed |