WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4001Despacho vía Starken Pro para WooCommerce4417560400Text Domain Mismatch
#4002Checkout Upsell Funnel for WooCommerce446244600Non-prefixed global variable
#4003Code Widget4460334k+Text Domain Mismatch
#4004Coming soon and Maintenance mode4414439k+Request data is not unslashed
#4005Comment Image4419231k+Output is not escaped
#4006Creative Addons for Elementor4463100800Missing Arg Domain
#4007Currency Converter Widget443763k+Unsafe printing function
#4008Custom Dashboard Help Widget447312800Output is not escaped
#4009Cyberpret – Calculettes444117500Output is not escaped
#4010Debug Bar Console442391k+Missing Arg Domain
#4011Github Embed4418351k+Non-prefixed global variable
#4012KKiapay WooCommerce Plugin442025400Output is not escaped
#4013LearnPress – BuddyPress Integration4427251k+Output is not escaped
#4014Roles & Capabilities4424791k+Nonce verification recommended
#4015Save and Close44447400Missing nonce verification
#4016LIQUID SPEECH BALLOON44343010k+Output is not escaped
#4017Narrative Publisher4428371k+Text Domain Mismatch
#4018Notix – Web Push Notifications442241600Non-prefixed global variable
#4019Ocean Modal Window44264410k+Output is not escaped
#4020Post Grid443320830k+Non-prefixed global variable
#4021Proxy & VPN Blocker44741k+Nonce verification recommended
#4022QR Code Woocommerce4437361k+Output is not escaped
#4023Razorpay Subscriptions for WooCommerce442835600Exception output is not escaped
#4024senangpay4438461k+Text Domain Mismatch
#4025Shippit for WooCommerce4412726900Text Domain Mismatch
#4026Simple Image Widget44261910k+Unsafe printing function
#4027Simple Matomo Tracking Code442361k+Unsafe printing function
#4028SKT Addons for Elementor446113831k+Text Domain Mismatch
#4029SmartVideo – Video Player and CDN44295441k+Text Domain Mismatch
#4030Trusty Whistleblowing Solution4423416400Text Domain Mismatch
#4031Unit Price for WooCommerce44112631k+Output is not escaped
#4032User Posts Limit4482222k+Output is not escaped
#4033WCFM – WCFM Marketplace integrate Elementor4482181k+Output is not escaped
#4034Website Open/Closed Toggle441433500Output is not escaped
#4035ReCaptcha v2 for Contact Form 7441230200k+Nonce verification recommended
#4036Gateway zibal for Woocommerce4470246k+Text Domain Mismatch
#4037Ajax Archive Calendar4540181k+date date
#4038Breadcrumb – Breadcrumb for WooCommerce and Custom Post Types45310710k+Request data is not unslashed
#4039Contact Details4543291k+Non Singular String Literal Text
#4040Contact Form 7 Signature Addon45147446k+Text Domain Mismatch
#4041Cookie Law Bar4529202k+Output is not escaped
#4042Custom Error Pages455116600Output is not escaped
#4043Extended Post Status4527271k+Output is not escaped
#4044Goftino45162010k+Output is not escaped
#4045Hyper Cache45361008k+Non-prefixed global variable
#4046Icons Font Loader – Load Web Fonts and Icon Libraries4547332k+Text Domain Mismatch
#4047Evergreen Countdown Timer45193352k+wp function not compatible with requires wp
#4048JetHost Total Care – Security & Enhancements451085800Direct Query
#4049LINE Auto Post451911500Heredoc Output Not Escaped
#4050LWS Hide Login4555820k+Request data is not unslashed