WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3851 | iOS images fixer | 42 | 22 | 42 | 6k+ | Nonce verification recommended | ||
| #3852 | iyzico for WooCommerce | 42 | 34 | 54 | 10k+ | Unsafe printing function | ||
| #3853 | Lazy Social Comments | 42 | 73 | 10 | 1k+ | Unsafe printing function | ||
| #3854 | LeadSnap | 42 | 14 | 84 | 1k+ | Input is not validated | ||
| #3855 | LH Page Links To | 42 | 25 | 38 | 400 | Output is not escaped | ||
| #3856 | Image and Video Lightbox, Image PopUp | 42 | 53 | 15 | 1k+ | Output is not escaped | ||
| #3857 | LIQUID BLOCKS – Slider, Carousel, Accordion | 42 | 50 | 31 | 4k+ | Unsafe printing function | ||
| #3858 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | Unsafe printing function | ||
| #3859 | Mailster Cool Captcha | 42 | 65 | 28 | 400 | Text Domain Mismatch | ||
| #3860 | Manage User Columns | 42 | 15 | 27 | 1k+ | Request data is not unslashed | ||
| #3861 | Mass Delete Unused Tags | 42 | 21 | 9 | 800 | Output is not escaped | ||
| #3862 | Message Popup For Contact Form 7 | 42 | 30 | 81 | 1k+ | Missing nonce verification | ||
| #3863 | Mobile CSS | 42 | 59 | 7 | 500 | Output is not escaped | ||
| #3864 | My Upload Images | 42 | 74 | 48 | 400 | Unsafe printing function | ||
| #3865 | Nav Menu Collapse | 42 | 17 | 39 | 3k+ | Missing nonce verification | ||
| #3866 | NS Remove Related Products for WooCommerce | 42 | 95 | 43 | 3k+ | Output is not escaped | ||
| #3867 | OG Tags | 42 | 131 | 34 | 2k+ | Non Singular String Literal Domain | ||
| #3868 | OnPay.io for WooCommerce | 42 | 238 | 37 | 1k+ | Text Domain Mismatch | ||
| #3869 | PageMenu | 42 | 16 | 29 | 1k+ | Missing nonce verification | ||
| #3870 | PAYDUNYA WOOCOMMERCE PAR | 42 | 54 | 32 | 600 | Text Domain Mismatch | ||
| #3871 | PDF Thumbnail Generator | 42 | 26 | 16 | 2k+ | Output is not escaped | ||
| #3872 | Polylang Theme Strings | 42 | 119 | 30 | 6k+ | Output is not escaped | ||
| #3873 | Post Types Order | 42 | 45 | 43 | 600k+ | wp function not compatible with requires wp | ||
| #3874 | WP Email Log – PostBox | 42 | 2 | 81 | 700 | Nonce verification recommended | ||
| #3875 | Posts Like Dislike | 42 | 157 | 39 | 5k+ | Non Singular String Literal Domain | ||
| #3876 | Prepare New Version | 42 | 53 | 24 | 6k+ | Output is not escaped | ||
| #3877 | Prismatic | 42 | 61 | 29 | 2k+ | Output is not escaped | ||
| #3878 | Product Price History for WooCommerce | 42 | 101 | 800 | Nonce verification recommended | |||
| #3879 | PuSHPress | 42 | 11 | 65 | 20k+ | Missing nonce verification | ||
| #3880 | reCAPTCHA for WooCommerce | 42 | 80 | 31 | 40k+ | Output is not escaped | ||
| #3881 | Rename wp-admin login | 42 | 23 | 38 | 8k+ | Output is not escaped | ||
| #3882 | Republish Old Posts | 42 | 83 | 24 | 2k+ | Output is not escaped | ||
| #3883 | WP Required Taxonomies – Categories and Tags Mandatory | 42 | 43 | 36 | 1k+ | Non-prefixed global variable | ||
| #3884 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | Output is not escaped | ||
| #3885 | Reusable Blocks Extended | 42 | 38 | 15 | 20k+ | Output is not escaped | ||
| #3886 | SALERT – Fake Sales Notification WooCommerce | 42 | 41 | 67 | 8k+ | Non-prefixed global variable | ||
| #3887 | Sendcloud Shipping | 42 | 78 | 56 | 5k+ | Output is not escaped | ||
| #3888 | SEO Backlink Monitor | 42 | 86 | 105 | 700 | Output is not escaped | ||
| #3889 | Simple Download Counter | 42 | 58 | 46 | 2k+ | Output is not escaped | ||
| #3890 | Simple Googlebot Visit | 42 | 32 | 67 | 1k+ | Non Singular String Literal Domain | ||
| #3891 | Simple Sticky Footer | 42 | 57 | 16 | 600 | Missing Arg Domain | ||
| #3892 | SMTP Mailer | 42 | 51 | 49 | 70k+ | Unsafe printing function | ||
| #3893 | Speed Contact Bar | 42 | 53 | 20 | 4k+ | Output is not escaped | ||
| #3894 | Squelch Tabs and Accordions Shortcodes | 42 | 57 | 51 | 1k+ | Unsafe printing function | ||
| #3895 | Staffer | 42 | 88 | 42 | 600 | Output is not escaped | ||
| #3896 | Starter Sites | 42 | 62 | 25 | 1k+ | Output is not escaped | ||
| #3897 | Sticky Add To Cart Bar For WooCommerce | 42 | 46 | 54 | 600 | Output is not escaped | ||
| #3898 | Sticky Floating Button (Book Now, Contact, Call To Action…) | 42 | 95 | 26 | 900 | Missing Arg Domain | ||
| #3899 | StifLi Flex MCP – MCP Server with undo for ChatGPT, Claude & Gemini | 42 | 2 | 110 | 1k+ | Interpolated SQL is not prepared | ||
| #3900 | Combine Social Photos | Still BE | 42 | 33 | 281 | 700 | Non-prefixed global variable |