WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4101 | WPB Category Slider for WooCommerce – Responsive Product Category Carousel & Enhanced UX | 46 | 101 | 16 | 700 | Non Singular String Literal Domain | ||
| #4102 | WP All Import – Import SEO Settings for Yoast SEO | 46 | 19 | 26 | 20k+ | Nonce verification recommended | ||
| #4103 | Zoho Mail for WordPress | 46 | 29 | 48 | 20k+ | Request data is not unslashed | ||
| #4104 | AffiliateWP Checkout Referrals | 47 | 48 | 26 | 600 | Output is not escaped | ||
| #4105 | Avacy CMP | 47 | 5 | 90 | 500 | Non-prefixed global variable | ||
| #4106 | Verified Member for BuddyPress | 47 | 20 | 38 | 3k+ | Nonce verification recommended | ||
| #4107 | 404 Image Redirection (Replace Broken Images) | 47 | 118 | 85 | 600 | Text Domain Mismatch | ||
| #4108 | Cashfree for WooCommerce | 47 | 21 | 21 | 8k+ | Nonce verification recommended | ||
| #4109 | Better Badge – Custom Product Badges for WooCommerce | 47 | 22 | 47 | 500 | Non Singular String Literal Domain | ||
| #4110 | Customizer Export/Import | 47 | 14 | 15 | 100k+ | Unsafe printing function | ||
| #4111 | Delete Duplicate Posts | 47 | 9 | 50 | 10k+ | Direct Query | ||
| #4112 | DPO Pay for WooCommerce | 47 | 28 | 41 | 1k+ | Non Singular String Literal Text | ||
| #4113 | EasyFonts – Host Google Fonts Locally, Fast & Auto-Optimize, GDPR Compliant | 47 | 5 | 58 | 1k+ | Interpolated SQL is not prepared | ||
| #4114 | Show IDs by Echo | 47 | 21 | 13 | 2k+ | Output is not escaped | ||
| #4115 | Extended CRM for Users Insights | 47 | 11 | 23 | 400 | Missing nonce verification | ||
| #4116 | Flying Pages: Preload Pages for Faster Navigation & Improved User Experience | 47 | 21 | 21 | 20k+ | Missing direct file access protection | ||
| #4117 | FSM Custom Featured Image Caption | 47 | 26 | 27 | 5k+ | Output is not escaped | ||
| #4118 | Groups 404 Redirect | 47 | 35 | 33 | 1k+ | Non Singular String Literal Domain | ||
| #4119 | KCSG Kartra Pages | 47 | 30 | 16 | 500 | Heredoc Output Not Escaped | ||
| #4120 | Product Categories/Tags Bottom Description for WooCommerce | 47 | 60 | 23 | 3k+ | Text Domain Mismatch | ||
| #4121 | Restore PayPal Standard for WooCommerce | 47 | 19 | 53 | 3k+ | Nonce verification recommended | ||
| #4122 | Simple Custom Post Order | 47 | 9 | 76 | 300k+ | Direct Query | ||
| #4123 | SportsPress for Baseball | 47 | 113 | 34 | 900 | Text Domain Mismatch | ||
| #4124 | Tabby Checkout | 47 | 33 | 46 | 4k+ | Non-prefixed class | ||
| #4125 | The Tribal Plugin | 47 | 43 | 62 | 700 | Non-prefixed function | ||
| #4126 | Userback | 47 | 13 | 20 | 2k+ | Output is not escaped | ||
| #4127 | Simple Client Dashboard | 47 | 38 | 36 | 2k+ | Missing direct file access protection | ||
| #4128 | Website Article Monetization By MageNet | 47 | 17 | 24 | 10k+ | Output is not escaped | ||
| #4129 | Better Usability for WooCommerce | 47 | 30 | 93 | 800 | Non-prefixed hook name | ||
| #4130 | WP Custom Author URL | 47 | 16 | 38 | 5k+ | Non-prefixed global variable | ||
| #4131 | 3CX Free Live Chat, Calls & Messaging | 47 | 24 | 16 | 100k+ | Output is not escaped | ||
| #4132 | WP PHP Console | 47 | 18 | 24 | 500 | Output is not escaped | ||
| #4133 | WP Prefix Changer | 47 | 27 | 16 | 900 | Missing Arg Domain | ||
| #4134 | QuadLayers TikTok Feed | 47 | 78 | 52 | 7k+ | Text Domain Mismatch | ||
| #4135 | Post Status Notifications | 47 | 98 | 41 | 1k+ | Text Domain Mismatch | ||
| #4136 | Compress, Resize & Lazy Load Images – WPvivid Image Optimization | 47 | 107 | 58 | 10k+ | Missing direct file access protection | ||
| #4137 | Add-on WooCommerce – MailPoet 3 | 48 | 30 | 21 | 600 | Output is not escaped | ||
| #4138 | Add Polylang support for Customizer | 48 | 18 | 20 | 2k+ | Nonce verification recommended | ||
| #4139 | Ansar Import – One Click Starter Sites – for Elementor & Themes | 48 | 27 | 116 | 10k+ | Non-prefixed global variable | ||
| #4140 | AnWP Post Grid and Post Carousel Slider for Elementor | 48 | 758 | 171 | 20k+ | Text Domain Mismatch | ||
| #4141 | BP Simple Private | 48 | 19 | 12 | 500 | Output is not escaped | ||
| #4142 | Comment Notifier | 48 | 10 | 55 | 400 | Non-prefixed global variable | ||
| #4143 | Convertful – Your Ultimate On-Site Conversion Tool | 48 | 15 | 34 | 3k+ | wp function not compatible with requires wp | ||
| #4144 | CookieFox – Cookie Notice | 48 | 14 | 19 | 400 | Output is not escaped | ||
| #4145 | Current Menu Item for Custom Post Types | 48 | 18 | 30 | 2k+ | Non-prefixed global variable | ||
| #4146 | Custom Background Extended | 48 | 13 | 23 | 800 | Input is not validated | ||
| #4147 | Custom Header Extended | 48 | 19 | 11 | 1k+ | Unsafe printing function | ||
| #4148 | Custom Related Products for WooCommerce | 48 | 25 | 10 | 5k+ | Text Domain Mismatch | ||
| #4149 | Easy Share Solution For WordPress | 48 | 15 | 33 | 900 | Output is not escaped | ||
| #4150 | Filter Page by Template | 48 | 17 | 20 | 2k+ | Nonce verification recommended |