WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#3851iOS images fixer4222426k+Nonce verification recommended
#3852iyzico for WooCommerce42345410k+Unsafe printing function
#3853Lazy Social Comments4273101k+Unsafe printing function
#3854LeadSnap4214841k+Input is not validated
#3855LH Page Links To422538400Output is not escaped
#3856Image and Video Lightbox, Image PopUp4253151k+Output is not escaped
#3857LIQUID BLOCKS – Slider, Carousel, Accordion4250314k+Unsafe printing function
#3858Login No Captcha reCAPTCHA42452460k+Unsafe printing function
#3859Mailster Cool Captcha426528400Text Domain Mismatch
#3860Manage User Columns4215271k+Request data is not unslashed
#3861Mass Delete Unused Tags42219800Output is not escaped
#3862Message Popup For Contact Form 74230811k+Missing nonce verification
#3863Mobile CSS42597500Output is not escaped
#3864My Upload Images427448400Unsafe printing function
#3865Nav Menu Collapse4217393k+Missing nonce verification
#3866NS Remove Related Products for WooCommerce4295433k+Output is not escaped
#3867OG Tags42131342k+Non Singular String Literal Domain
#3868OnPay.io for WooCommerce42238371k+Text Domain Mismatch
#3869PageMenu4216291k+Missing nonce verification
#3870PAYDUNYA WOOCOMMERCE PAR425432600Text Domain Mismatch
#3871PDF Thumbnail Generator4226162k+Output is not escaped
#3872Polylang Theme Strings42119306k+Output is not escaped
#3873Post Types Order424543600k+wp function not compatible with requires wp
#3874WP Email Log – PostBox42281700Nonce verification recommended
#3875Posts Like Dislike42157395k+Non Singular String Literal Domain
#3876Prepare New Version4253246k+Output is not escaped
#3877Prismatic4261292k+Output is not escaped
#3878Product Price History for WooCommerce42101800Nonce verification recommended
#3879PuSHPress42116520k+Missing nonce verification
#3880reCAPTCHA for WooCommerce42803140k+Output is not escaped
#3881Rename wp-admin login4223388k+Output is not escaped
#3882Republish Old Posts4283242k+Output is not escaped
#3883WP Required Taxonomies – Categories and Tags Mandatory4243361k+Non-prefixed global variable
#3884Responsive Mortgage Calculator4238287k+Output is not escaped
#3885Reusable Blocks Extended42381520k+Output is not escaped
#3886SALERT – Fake Sales Notification WooCommerce4241678k+Non-prefixed global variable
#3887Sendcloud Shipping4278565k+Output is not escaped
#3888SEO Backlink Monitor4286105700Output is not escaped
#3889Simple Download Counter4258462k+Output is not escaped
#3890Simple Googlebot Visit4232671k+Non Singular String Literal Domain
#3891Simple Sticky Footer425716600Missing Arg Domain
#3892SMTP Mailer42514970k+Unsafe printing function
#3893Speed Contact Bar4253204k+Output is not escaped
#3894Squelch Tabs and Accordions Shortcodes4257511k+Unsafe printing function
#3895Staffer428842600Output is not escaped
#3896Starter Sites4262251k+Output is not escaped
#3897Sticky Add To Cart Bar For WooCommerce424654600Output is not escaped
#3898Sticky Floating Button (Book Now, Contact, Call To Action…)429526900Missing Arg Domain
#3899StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini4221101k+Interpolated SQL is not prepared
#3900Combine Social Photos | Still BE4233281700Non-prefixed global variable