WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #3951 | Easy PayPal Shopping Cart | 43 | 19 | 40 | 1k+ | Input is not sanitized | ||
| #3952 | Email Notification on Login | 43 | 33 | 7 | 1k+ | Unsafe printing function | ||
| #3953 | F4 Total Stock Value for WooCommerce | 43 | 27 | 12 | 1k+ | Output is not escaped | ||
| #3954 | Floating Awesome Button (Sticky Button, Popup, Toast) & 200+ Website Custom Interactive Element | 43 | 66 | 109 | 800 | Missing direct file access protection | ||
| #3955 | GD bbPress Tools | 43 | 15 | 61 | 1k+ | Input is not sanitized | ||
| #3956 | Per User Prompt for Google Authenticator | 43 | 8 | 52 | 400 | Nonce verification recommended | ||
| #3957 | Event Tracking for Gravity Forms | 43 | 34 | 25 | 20k+ | rand mt rand | ||
| #3958 | Insert Blocks Before or After Posts Content | 43 | 42 | 15 | 1k+ | Output is not escaped | ||
| #3959 | Linker – URL shortener & track outbound link clicks | 43 | 17 | 17 | 2k+ | Output is not escaped | ||
| #3960 | Logo Slider WP – Responsive Logo Carousel, Logo Gallery & Logo Showcase | 43 | 22 | 255 | 10k+ | Non-prefixed global variable | ||
| #3961 | Make Tables Responsive | 43 | 31 | 102 | 6k+ | Input is not validated | ||
| #3962 | MembershipWorks Login Connector | 43 | 28 | 81 | 800 | Request data is not unslashed | ||
| #3963 | Opal Woo Custom Product Variation | 43 | 1 | 116 | 400 | Non-prefixed global variable | ||
| #3964 | Page Transition | 43 | 39 | 30 | 700 | Output is not escaped | ||
| #3965 | Pods Gravity Forms Add-On | 43 | 79 | 1k+ | Missing nonce verification | |||
| #3966 | Purchase Orders for WooCommerce | 43 | 117 | 74 | 1k+ | Text Domain Mismatch | ||
| #3967 | reCAPTCHA for MW WP Form | 43 | 37 | 14 | 30k+ | Non Singular String Literal Domain | ||
| #3968 | Redirect List | 43 | 34 | 22 | 1k+ | Output is not escaped | ||
| #3969 | Reoon Email Verifier | 43 | 22 | 38 | 600 | Missing nonce verification | ||
| #3970 | Rut Chileno con Validación para WooCommerce | 43 | 35 | 16 | 1k+ | Text Domain Mismatch | ||
| #3971 | Simple Revisions Delete | 43 | 16 | 26 | 10k+ | Output is not escaped | ||
| #3972 | Simple Shipping Labels for WooCommerce | 43 | 78 | 12 | 1k+ | Output is not escaped | ||
| #3973 | Simple Side Tab | 43 | 28 | 17 | 10k+ | Unsafe printing function | ||
| #3974 | Sinbyte Indexer | 43 | 61 | 19 | 2k+ | Text Domain Mismatch | ||
| #3975 | Smart App Banner | 43 | 47 | 49 | 600 | Output is not escaped | ||
| #3976 | Snazzy Maps | 43 | 9 | 62 | 30k+ | Request data is not unslashed | ||
| #3977 | Team Builder Member Showcase | 43 | 14 | 127 | 1k+ | Non-prefixed global variable | ||
| #3978 | Term Management Tools | 43 | 9 | 26 | 10k+ | Non-prefixed hook name | ||
| #3979 | Terms Order WP – Categories And Taxonomies Order Plugin | 43 | 12 | 47 | 900 | Non-prefixed global variable | ||
| #3980 | Theme Switcha – Easily Switch Themes for Development and Testing | 43 | 42 | 53 | 7k+ | Output is not escaped | ||
| #3981 | Theme Test Drive | 43 | 39 | 16 | 7k+ | Output is not escaped | ||
| #3982 | Uber reCaptcha | 43 | 129 | 45 | 1k+ | Text Domain Mismatch | ||
| #3983 | UPI QR Code Payment Gateway for WooCommerce | 43 | 42 | 28 | 20k+ | Output is not escaped | ||
| #3984 | User role based shipping methods | 43 | 53 | 7 | 400 | Output is not escaped | ||
| #3985 | User Role Editor | 43 | 117 | 145 | 700k+ | Output is not escaped | ||
| #3986 | User Session Control | 43 | 31 | 21 | 700 | Output is not escaped | ||
| #3987 | VA Simple Expires | 43 | 25 | 31 | 800 | Output is not escaped | ||
| #3988 | Sovrn | 43 | 9 | 29 | 1k+ | Input is not sanitized | ||
| #3989 | WIP Custom Login | 43 | 21 | 37 | 700 | Nonce verification recommended | ||
| #3990 | Checkout Field Manager (Checkout Manager) for WooCommerce | 43 | 161 | 154 | 80k+ | Non-prefixed global variable | ||
| #3991 | WP Extra File Types | 43 | 11 | 26 | 40k+ | Request data is not unslashed | ||
| #3992 | WP Hotel Booking Stripe Payment | 43 | 34 | 29 | 400 | Text Domain Mismatch | ||
| #3993 | WP Hotel Booking WPML Support | 43 | 10 | 52 | 400 | Direct Query | ||
| #3994 | WP SmartCrop | 43 | 43 | 12 | 4k+ | Output is not escaped | ||
| #3995 | Active Campaign & Contact Form 7 | 43 | 40 | 27 | 3k+ | Output is not escaped | ||
| #3996 | Admin login URL Change | 44 | 38 | 11 | 2k+ | Output is not escaped | ||
| #3997 | Advanced Custom Fields: oEmbed Field | 44 | 36 | 13 | 1k+ | Text Domain Mismatch | ||
| #3998 | Advanced Dynamic Pricing and Discount Rules for WooCommerce | 44 | 2 | 813 | 20k+ | Non-prefixed namespace | ||
| #3999 | BBQ Firewall – Fast & Powerful Firewall Security | 44 | 17 | 17 | 100k+ | Output is not escaped | ||
| #4000 | Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button | 44 | 24 | 71 | 50k+ | Non-prefixed constant |