WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3801 | 多合一搜索自动推送管理插件-支持Baidu/Google/Bing/IndexNow/Yandex/头条 | 42 | 17 | 38 | 2k+ | Input is not sanitized | ||
| #3802 | Basic SEO Pack | 42 | 86 | 8 | 700 | Output is not escaped | ||
| #3803 | Bazz CallBack widget | 42 | 55 | 28 | 3k+ | Unsafe printing function | ||
| #3804 | Block Temporary Email | 42 | 33 | 13 | 500 | Unsafe printing function | ||
| #3805 | Booking.com Official Search Box | 42 | 36 | 32 | 2k+ | Output is not escaped | ||
| #3806 | BP Auto Group Join | 42 | 55 | 55 | 700 | Output is not escaped | ||
| #3807 | Bulk Change Media Author | 42 | 25 | 20 | 2k+ | Unsafe printing function | ||
| #3808 | CCAvenue Payment Gateway for WooCommerce | 42 | 53 | 40 | 3k+ | Text Domain Mismatch | ||
| #3809 | Custom Spinner for Contact Form 7 | 42 | 36 | 11 | 1k+ | Output is not escaped | ||
| #3810 | HTML Template for CF7 | 42 | 21 | 27 | 1k+ | Non-prefixed global variable | ||
| #3811 | Change Background Color for Pages, Posts, Widgets | 42 | 35 | 7 | 500 | Text Domain Mismatch | ||
| #3812 | Chartbeat | 42 | 33 | 18 | 1k+ | Output is not escaped | ||
| #3813 | Cities Shipping Zones for WooCommerce | 42 | 94 | 44 | 4k+ | Text Domain Mismatch | ||
| #3814 | Clover Payments for WooCommerce | 42 | 25 | 15 | 2k+ | Exception output is not escaped | ||
| #3815 | Comment Blacklist Updater | 42 | 45 | 15 | 1k+ | Output is not escaped | ||
| #3816 | Comment Reply Email | 42 | 21 | 23 | 500 | Unsafe printing function | ||
| #3817 | Contact Form 7 add confirm | 42 | 31 | 51 | 50k+ | Text Domain Mismatch | ||
| #3818 | Cookie Notify | 42 | 15 | 54 | 400 | Input is not validated | ||
| #3819 | CookieHub – Cookie Consent Banner (DSGVO, CCPA, RGPD and GDPR compliance) | 42 | 33 | 49 | 3k+ | Output is not escaped | ||
| #3820 | Cronjob Scheduler | 42 | 20 | 36 | 1k+ | Input is not sanitized | ||
| #3821 | Custom Admin Page by BestWebSoft – Configurable WordPress Dashboard Pages Plugin | 42 | 472 | 181 | 400 | Text Domain Mismatch | ||
| #3822 | Custom Fields for Gutenberg | 42 | 24 | 24 | 1k+ | Output is not escaped | ||
| #3823 | Custom Login | 42 | 36 | 116 | 10k+ | Non-prefixed global variable | ||
| #3824 | Custom Taxonomy Order | 42 | 20 | 56 | 50k+ | Output is not escaped | ||
| #3825 | Dashboard Notes | 42 | 27 | 34 | 600 | Missing Arg Domain | ||
| #3826 | Dashboard Sticky Notes | 42 | 20 | 17 | 2k+ | Missing nonce verification | ||
| #3827 | Delete Expired Transients | 42 | 49 | 65 | 5k+ | Direct Query | ||
| #3828 | Disable Comments | 42 | 44 | 19 | 100k+ | Unsafe printing function | ||
| #3829 | Disable User Login | 42 | 25 | 19 | 5k+ | Unsafe printing function | ||
| #3830 | Simple HTML Sitemap | 42 | 42 | 20 | 1k+ | Text Domain Mismatch | ||
| #3831 | Storefront Online Ordering by DoorDash | 42 | 76 | 10 | 600 | Output is not escaped | ||
| #3832 | Easy Video Player | 42 | 20 | 20 | 20k+ | Output is not escaped | ||
| #3833 | Embedly | 42 | 17 | 38 | 2k+ | Output is not escaped | ||
| #3834 | Enable Classic Editor & Widgets | 42 | 106 | 6 | 2k+ | Non Singular String Literal Domain | ||
| #3835 | Etsy Shop | 42 | 58 | 21 | 3k+ | Unsafe printing function | ||
| #3836 | Exclude Pages | 42 | 31 | 14 | 20k+ | Non Singular String Literal Domain | ||
| #3837 | FCM Push Notification from WP | 42 | 43 | 16 | 500 | Non Singular String Literal Domain | ||
| #3838 | File Media Renamer | 42 | 16 | 42 | 2k+ | Input is not sanitized | ||
| #3839 | Flexible Editor Panel for Elementor | 42 | 154 | 42 | 20k+ | Text Domain Mismatch | ||
| #3840 | FooTable | 42 | 86 | 7 | 1k+ | Output is not escaped | ||
| #3841 | FormCraft – Form Builder | 42 | 186 | 156 | 2k+ | Text Domain Mismatch | ||
| #3842 | Lock Down Admin | 42 | 30 | 20 | 3k+ | Unsafe printing function | ||
| #3843 | GA Google Analytics – Connect Google Analytics to WordPress | 42 | 46 | 30 | 400k+ | Output is not escaped | ||
| #3844 | Gelato Integration for WooCommerce | 42 | 36 | 32 | 5k+ | Output is not escaped | ||
| #3845 | Geo Blocker – Control Site Access by Region and IP | 42 | 10 | 64 | 1k+ | Direct Query | ||
| #3846 | Hide Cart Functions | 42 | 12 | 50 | 3k+ | Nonce verification recommended | ||
| #3847 | Hide Featured Image | 42 | 26 | 12 | 10k+ | Unsafe printing function | ||
| #3848 | HTML Editor Syntax Highlighter | 42 | 30 | 21 | 50k+ | Output is not escaped | ||
| #3849 | Image Uploader for Welcart | 42 | 27 | 24 | 3k+ | Output is not escaped | ||
| #3850 | WP All Import – Import SEO Settings for Rank Math SEO | 42 | 18 | 44 | 7k+ | Nonce verification recommended |