WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4051 | New Order Notification for WooCommerce | 45 | 21 | 42 | 900 | Output is not escaped | ||
| #4052 | Passwords Evolved | 45 | 26 | 17 | 1k+ | Output is not escaped | ||
| #4053 | Post Date Randomizer | 45 | 42 | 6 | 9k+ | Unsafe printing function | ||
| #4054 | Product Visibility by User Role for WooCommerce | 45 | 36 | 35 | 6k+ | Missing Translators Comment | ||
| #4055 | Quick Interest Slider | 45 | 1 | 46 | 1k+ | Missing nonce verification | ||
| #4056 | reCAPTCHA for Asgaros Forum | 45 | 21 | 36 | 4k+ | Input is not validated | ||
| #4057 | Related Posts By PickPlugins | 45 | 4 | 84 | 3k+ | Non-prefixed global variable | ||
| #4058 | ShayanWeb Admin FontChanger | افزونهی تغییر فونت پیشخوان وردپرس شایان وب | 45 | 42 | 8 | 1k+ | Output is not escaped | ||
| #4059 | Simple Login Notification | 45 | 13 | 22 | 2k+ | Request data is not unslashed | ||
| #4060 | Simple Membership MailChimp Integration | 45 | 34 | 27 | 900 | curl curl setopt | ||
| #4061 | Slider Templates | 45 | 10 | 33 | 1k+ | Request data is not unslashed | ||
| #4062 | Specify Missing Image Dimensions | 45 | 21 | 12 | 1k+ | Unsafe printing function | ||
| #4063 | Super Blank | 45 | 131 | 56 | 9k+ | Missing direct file access protection | ||
| #4064 | SyntaxHighlighter Evolved | 45 | 33 | 46 | 20k+ | Not In Footer | ||
| #4065 | TriPay Payment Gateway | 45 | 478 | 44 | 1k+ | Text Domain Mismatch | ||
| #4066 | VietQR | 45 | 32 | 39 | 4k+ | Text Domain Mismatch | ||
| #4067 | Payrexx Payment Gateway for WooCommerce | 45 | 18 | 117 | 2k+ | Non-prefixed class | ||
| #4068 | WP Comment Policy Checkbox | 45 | 31 | 11 | 5k+ | Output is not escaped | ||
| #4069 | WP Revisions Manager | 45 | 47 | 19 | 700 | Non Singular String Literal Domain | ||
| #4070 | wpDataTables integration for Forminator Forms | 45 | 62 | 38 | 1k+ | Text Domain Mismatch | ||
| #4071 | ARI Stream Quiz – WordPress Quizzes Builder | 46 | 21 | 239 | 2k+ | Non-prefixed global variable | ||
| #4072 | Batch Comment Spam Deletion | 46 | 22 | 15 | 1k+ | Nonce verification recommended | ||
| #4073 | Better image sizes | 46 | 45 | 23 | 2k+ | Text Domain Mismatch | ||
| #4074 | Bullhorn Career Portal WordPress Plugin | 46 | 46 | 7 | 1k+ | Output is not escaped | ||
| #4075 | CDEKDelivery | 46 | 75 | 2k+ | Nonce verification recommended | |||
| #4076 | Official CleverReach® Plugin for WooCommerce | 46 | 37 | 98 | 400 | Non-prefixed global variable | ||
| #4077 | DarkMySite – Advanced Dark Mode Plugin for WordPress | 46 | 22 | 100 | 1k+ | Request data is not unslashed | ||
| #4078 | Delete Multiple Themes | 46 | 39 | 5 | 1k+ | Text Domain Mismatch | ||
| #4079 | Display Featured Image for Genesis | 46 | 64 | 59 | 1k+ | Non-prefixed global variable | ||
| #4080 | DX Delete Attached Media | 46 | 32 | 8 | 4k+ | Output is not escaped | ||
| #4081 | Easy Basic Authentication – Add basic auth to site or admin area | 46 | 14 | 28 | 700 | Input is not sanitized | ||
| #4082 | Enhanced AJAX Add to Cart for WooCommerce | 46 | 90 | 78 | 600 | Missing Arg Domain | ||
| #4083 | Export Import Menus | 46 | 23 | 28 | 10k+ | Missing nonce verification | ||
| #4084 | GetAutoSEO AI Tool | 46 | 10 | 262 | 2k+ | Direct Query | ||
| #4085 | Import Social Events | 46 | 26 | 355 | 3k+ | Non-prefixed global variable | ||
| #4086 | Live Copy Paste for Elementor – Cross Domain Copy Paste & Page Duplicator | 46 | 13 | 25 | 7k+ | Request data is not unslashed | ||
| #4087 | Material Design Icons for Page Builders | 46 | 69 | 46 | 20k+ | Missing direct file access protection | ||
| #4088 | N360 | Splash Screen | 46 | 32 | 13 | 500 | Output is not escaped | ||
| #4089 | Podcast Player – Your Podcasting Companion | 46 | 14 | 133 | 10k+ | Non-prefixed global variable | ||
| #4090 | PickPlugins Product Designer for WooCommerce | 46 | 14 | 123 | 500 | Missing nonce verification | ||
| #4091 | Repeater Fields for Gravity Forms | 46 | 134 | 41 | 1k+ | wp function not compatible with requires wp | ||
| #4092 | Simple Sitemap – Create a Responsive HTML Sitemap | 46 | 33 | 48 | 60k+ | Non-prefixed hook name | ||
| #4093 | Link in Bio Creator – Social | 46 | 52 | 36 | 2k+ | Non Singular String Literal Domain | ||
| #4094 | Stars Rating | 46 | 13 | 34 | 1k+ | Missing nonce verification | ||
| #4095 | Updater by BestWebSoft | 46 | 494 | 219 | 2k+ | Text Domain Mismatch | ||
| #4096 | URL Params | 46 | 36 | 17 | 8k+ | Text Domain Mismatch | ||
| #4097 | SX User Name Security | 46 | 42 | 9 | 900 | Output is not escaped | ||
| #4098 | WEN Logo Slider | 46 | 6 | 46 | 1k+ | Non-prefixed global variable | ||
| #4099 | Custom Price Labels for WooCommerce | 46 | 17 | 22 | 1k+ | Output is not escaped | ||
| #4100 | WP Lightbox 2 | 46 | 52 | 18 | 30k+ | Text Domain Mismatch |