WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3901 | Ultimate Category Excluder | 42 | 22 | 26 | 50k+ | Missing nonce verification | ||
| #3902 | Ultimate Coming Soon Page, Maintenance Mode & Under Construction – Gutenberg Block Builder & Landing Page | 42 | 15 | 89 | 9k+ | Non-prefixed global variable | ||
| #3903 | UniConsent Cookie Consent CMP – Consent Manager | 42 | 148 | 18 | 1k+ | Unsafe printing function | ||
| #3904 | UPI QR Code Payment Gateway | 42 | 179 | 28 | 1k+ | Text Domain Mismatch | ||
| #3905 | Usermaven | 42 | 36 | 77 | 1k+ | Request data is not unslashed | ||
| #3906 | Vast Demo Import | 42 | 180 | 113 | 600 | Text Domain Mismatch | ||
| #3907 | WC Speed Repair | 42 | 34 | 74 | 1k+ | Non-prefixed global variable | ||
| #3908 | WebPlanex: GST Invoice India | 42 | 63 | 63 | 400 | Text Domain Mismatch | ||
| #3909 | Widget Visibility Time Scheduler | 42 | 70 | 34 | 1k+ | Output is not escaped | ||
| #3910 | Auto Coupons for WooCommerce | 42 | 82 | 68 | 4k+ | Output is not escaped | ||
| #3911 | WPC Order Notes for WooCommerce | 42 | 24 | 41 | 900 | Output is not escaped | ||
| #3912 | TT Extra Fee Option for WooCommerce | 42 | 37 | 19 | 1k+ | Output is not escaped | ||
| #3913 | Dynamic Remarketing for Google Ads and WooCommerce | 42 | 32 | 15 | 2k+ | Output is not escaped | ||
| #3914 | WP Author Security | 42 | 40 | 13 | 500 | Output is not escaped | ||
| #3915 | WP Child Theme Generator | 42 | 35 | 66 | 20k+ | Request data is not unslashed | ||
| #3916 | WP Content Copy Protection & No Right Click | 42 | 126 | 135 | 100k+ | Unsafe printing function | ||
| #3917 | WP Cron Cleaner | 42 | 51 | 38 | 500 | Unsafe printing function | ||
| #3918 | WP Media Category Management | 42 | 10 | 176 | 6k+ | Nonce verification recommended | ||
| #3919 | WP Post Redirect | 42 | 29 | 17 | 3k+ | Unsafe printing function | ||
| #3920 | WP QuickLaTeX | 42 | 41 | 60 | 4k+ | Non-prefixed global variable | ||
| #3921 | WP Responsive Table | 42 | 42 | 10 | 6k+ | Output is not escaped | ||
| #3922 | WPB Custom Tab Manager for WooCommerce – Add, Edit & Reorder Tabs | 42 | 95 | 32 | 500 | Output is not escaped | ||
| #3923 | WPTerm | 42 | 61 | 89 | 3k+ | Output is not escaped | ||
| #3924 | Yandex.Metrika | 42 | 15 | 20 | 900 | Unsafe printing function | ||
| #3925 | Zotpress | 42 | 10 | 403 | 2k+ | Non-prefixed global variable | ||
| #3926 | AddFunc Head & Footer Code | 43 | 28 | 18 | 20k+ | Output is not escaped | ||
| #3927 | Admin Custom Login | 43 | 238 | 20k+ | Request data is not unslashed | |||
| #3928 | Admin Menu Tree Page View | 43 | 17 | 69 | 10k+ | Nonce verification recommended | ||
| #3929 | Advanced FAQ Manager | 43 | 8 | 59 | 2k+ | Input is not sanitized | ||
| #3930 | Advanced TinyMCE Configuration | 43 | 99 | 8 | 10k+ | Text Domain Mismatch | ||
| #3931 | AdWords Conversion Tracking Code | 43 | 26 | 25 | 1k+ | Non Singular String Literal Domain | ||
| #3932 | Schema – All In One Schema Rich Snippets | 43 | 601 | 188 | 30k+ | Text Domain Mismatch | ||
| #3933 | Animation Builder – An interface for adding scroll-triggered animations | 43 | 7 | 67 | 800 | Missing Version | ||
| #3934 | Anonymous Restricted Content | 43 | 22 | 24 | 1k+ | Unsafe printing function | ||
| #3935 | Anti-spam Reloaded | 43 | 19 | 19 | 2k+ | Output is not escaped | ||
| #3936 | Auto Alt Text | 43 | 52 | 13 | 4k+ | Exception output is not escaped | ||
| #3937 | BMI Adult & Kid Calculator | 43 | 33 | 138 | 700 | Request data is not unslashed | ||
| #3938 | Category Editor | 43 | 54 | 18 | 8k+ | Unsafe printing function | ||
| #3939 | Charla Live Chat | 43 | 33 | 13 | 500 | Output is not escaped | ||
| #3940 | Click to Call or Chat Buttons | 43 | 47 | 6 | 1k+ | Output is not escaped | ||
| #3941 | Comment Reply Email Notification | 43 | 44 | 19 | 3k+ | Output is not escaped | ||
| #3942 | Simple Mortgage Calculator | 43 | 67 | 3 | 1k+ | Text Domain Mismatch | ||
| #3943 | Custom Menu | 43 | 83 | 11 | 400 | wp function not compatible with requires wp | ||
| #3944 | Customize Login Image | 43 | 32 | 9 | 3k+ | Unsafe printing function | ||
| #3945 | Customize Snapshots | 43 | 9 | 42 | 500 | Nonce verification recommended | ||
| #3946 | Database Addon For WPForms ( wpforms entries ) – WPFormsDB | 43 | 17 | 53 | 20k+ | Nonce verification recommended | ||
| #3947 | Directorist – WPML Integration | 43 | 10 | 134 | 400 | Non-prefixed hook name | ||
| #3948 | Disable Gutenberg | 43 | 23 | 47 | 500k+ | Nonce verification recommended | ||
| #3949 | Disable WP Notification | 43 | 74 | 25 | 10k+ | Output is not escaped | ||
| #3950 | Easy PayPal Shopping Cart | 43 | 19 | 40 | 1k+ | Input is not sanitized |