WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4001 | Despacho vía Starken Pro para WooCommerce | 44 | 175 | 60 | 400 | Text Domain Mismatch | ||
| #4002 | Checkout Upsell Funnel for WooCommerce | 44 | 6 | 244 | 600 | Non-prefixed global variable | ||
| #4003 | Code Widget | 44 | 60 | 33 | 4k+ | Text Domain Mismatch | ||
| #4004 | Coming soon and Maintenance mode | 44 | 14 | 43 | 9k+ | Request data is not unslashed | ||
| #4005 | Comment Image | 44 | 19 | 23 | 1k+ | Output is not escaped | ||
| #4006 | Creative Addons for Elementor | 44 | 63 | 100 | 800 | Missing Arg Domain | ||
| #4007 | Currency Converter Widget | 44 | 37 | 6 | 3k+ | Unsafe printing function | ||
| #4008 | Custom Dashboard Help Widget | 44 | 73 | 12 | 800 | Output is not escaped | ||
| #4009 | Cyberpret – Calculettes | 44 | 41 | 17 | 500 | Output is not escaped | ||
| #4010 | Debug Bar Console | 44 | 23 | 9 | 1k+ | Missing Arg Domain | ||
| #4011 | Github Embed | 44 | 18 | 35 | 1k+ | Non-prefixed global variable | ||
| #4012 | KKiapay WooCommerce Plugin | 44 | 20 | 25 | 400 | Output is not escaped | ||
| #4013 | LearnPress – BuddyPress Integration | 44 | 27 | 25 | 1k+ | Output is not escaped | ||
| #4014 | Roles & Capabilities | 44 | 24 | 79 | 1k+ | Nonce verification recommended | ||
| #4015 | Save and Close | 44 | 4 | 47 | 400 | Missing nonce verification | ||
| #4016 | LIQUID SPEECH BALLOON | 44 | 34 | 30 | 10k+ | Output is not escaped | ||
| #4017 | Narrative Publisher | 44 | 28 | 37 | 1k+ | Text Domain Mismatch | ||
| #4018 | Notix – Web Push Notifications | 44 | 22 | 41 | 600 | Non-prefixed global variable | ||
| #4019 | Ocean Modal Window | 44 | 26 | 44 | 10k+ | Output is not escaped | ||
| #4020 | Post Grid | 44 | 33 | 208 | 30k+ | Non-prefixed global variable | ||
| #4021 | Proxy & VPN Blocker | 44 | 74 | 1k+ | Nonce verification recommended | |||
| #4022 | QR Code Woocommerce | 44 | 37 | 36 | 1k+ | Output is not escaped | ||
| #4023 | Razorpay Subscriptions for WooCommerce | 44 | 28 | 35 | 600 | Exception output is not escaped | ||
| #4024 | senangpay | 44 | 38 | 46 | 1k+ | Text Domain Mismatch | ||
| #4025 | Shippit for WooCommerce | 44 | 127 | 26 | 900 | Text Domain Mismatch | ||
| #4026 | Simple Image Widget | 44 | 26 | 19 | 10k+ | Unsafe printing function | ||
| #4027 | Simple Matomo Tracking Code | 44 | 23 | 6 | 1k+ | Unsafe printing function | ||
| #4028 | SKT Addons for Elementor | 44 | 611 | 383 | 1k+ | Text Domain Mismatch | ||
| #4029 | SmartVideo – Video Player and CDN | 44 | 295 | 44 | 1k+ | Text Domain Mismatch | ||
| #4030 | Trusty Whistleblowing Solution | 44 | 234 | 16 | 400 | Text Domain Mismatch | ||
| #4031 | Unit Price for WooCommerce | 44 | 112 | 63 | 1k+ | Output is not escaped | ||
| #4032 | User Posts Limit | 44 | 82 | 22 | 2k+ | Output is not escaped | ||
| #4033 | WCFM – WCFM Marketplace integrate Elementor | 44 | 82 | 18 | 1k+ | Output is not escaped | ||
| #4034 | Website Open/Closed Toggle | 44 | 14 | 33 | 500 | Output is not escaped | ||
| #4035 | ReCaptcha v2 for Contact Form 7 | 44 | 12 | 30 | 200k+ | Nonce verification recommended | ||
| #4036 | Gateway zibal for Woocommerce | 44 | 70 | 24 | 6k+ | Text Domain Mismatch | ||
| #4037 | Ajax Archive Calendar | 45 | 40 | 18 | 1k+ | date date | ||
| #4038 | Breadcrumb – Breadcrumb for WooCommerce and Custom Post Types | 45 | 3 | 107 | 10k+ | Request data is not unslashed | ||
| #4039 | Contact Details | 45 | 43 | 29 | 1k+ | Non Singular String Literal Text | ||
| #4040 | Contact Form 7 Signature Addon | 45 | 147 | 44 | 6k+ | Text Domain Mismatch | ||
| #4041 | Cookie Law Bar | 45 | 29 | 20 | 2k+ | Output is not escaped | ||
| #4042 | Custom Error Pages | 45 | 51 | 16 | 600 | Output is not escaped | ||
| #4043 | Extended Post Status | 45 | 27 | 27 | 1k+ | Output is not escaped | ||
| #4044 | Goftino | 45 | 16 | 20 | 10k+ | Output is not escaped | ||
| #4045 | Hyper Cache | 45 | 36 | 100 | 8k+ | Non-prefixed global variable | ||
| #4046 | Icons Font Loader – Load Web Fonts and Icon Libraries | 45 | 47 | 33 | 2k+ | Text Domain Mismatch | ||
| #4047 | Evergreen Countdown Timer | 45 | 193 | 35 | 2k+ | wp function not compatible with requires wp | ||
| #4048 | JetHost Total Care – Security & Enhancements | 45 | 10 | 85 | 800 | Direct Query | ||
| #4049 | LINE Auto Post | 45 | 19 | 11 | 500 | Heredoc Output Not Escaped | ||
| #4050 | LWS Hide Login | 45 | 5 | 58 | 20k+ | Request data is not unslashed |