WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4151Maps Plugin using Google Maps for WordPress – WP Google Map482893810k+wp function not compatible with requires wp
#4152Hotline Phone Ring4816158k+Output is not escaped
#4153JW Player for WordPress48288781k+Text Domain Mismatch
#4154Library Bookshelves481259500Nonce verification recommended
#4155Mailster Live482237600Missing Translators Comment
#4156MWW Disclaimer Buttons482116400Output is not escaped
#4157Raw HTML Snippets4814362k+Input is not sanitized
#4158External Links4842139k+Output is not escaped
#4159Simple Regenerate Slug48186400Unsafe printing function
#4160Easy Updates Manager4813182300k+Non-prefixed global variable
#4161Tako Movable Comments4818391k+Input is not sanitized
#4162Taxonomy Switcher4822362k+Nonce verification recommended
#4163ThemeFarmer Companion4854512k+Missing Version
#4164Trust Payments Gateway for WooCommerce483529400Missing Translators Comment
#4165Virtuaria PagBank / PagSeguro for WooCommerce48121601k+Non-prefixed global variable
#4166Visual Website Optimizer488645k+wp function not compatible with requires wp
#4167Whitelist IP For Limit Login Attempts481812500Output is not escaped
#4168Conditional Display for Mobile – Mobile Detect Plugin4841122k+Input is not sanitized
#4169Flutterwave Payment Gateway for WooCommerce4814222k+Output is not escaped
#4170WP Attachment Export481625600Input is not sanitized
#4171WP Login Form4814207k+Request data is not unslashed
#4172WP Remote Users Sync483551176k+Text Domain Mismatch
#4173WS Action Scheduler Cleaner4813802k+error log error log
#4174Advanced Automatic Updates49262520k+Nonce verification recommended
#4175Batcache491253700Input is not sanitized
#4176SiteEase Bulk Delete Manager495072900Direct Query
#4177Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress494781761k+Text Domain Mismatch
#4178Gallery Carousel Without JetPack4956354k+Text Domain Mismatch
#4179Category Posts in Custom Menu4919182k+Output is not escaped
#4180Successful Redirection for Contact Form49332010k+Text Domain Mismatch
#4181CryptAPI Payment Gateway for WooCommerce4918523400Text Domain Mismatch
#4182Dashboard quick links widget492216700Output is not escaped
#4183Download Media Library4922401k+Text Domain Mismatch
#4184Drag and Drop Multiple File Upload for WooCommerce49114295k+Text Domain Mismatch
#4185GDPR Tools: comment ip removement4918132k+Unsafe printing function
#4186Easy Media Download4920159k+Output is not escaped
#4187Easy Property Listings4960665k+wp function not compatible with requires wp
#4188GamiPress – Multimedia Content491125500Nonce verification recommended
#4189Ecommerce Fabrick4941351k+Nonce verification recommended
#4190Add LinkedIn Insight Tag for LinkedIn Ads49126235k+Non Singular String Literal Domain
#4191Logo Carousel Slider49102146k+Non Singular String Literal Domain
#4192Plugins Last Updated Column492114700Output is not escaped
#4193Post/Page Specific Custom Code4921147k+Output is not escaped
#4194Read Meter – Reading Time & Progress Bar49395010k+Request data is not unslashed
#4195Registered Users Only4914142k+Unsafe printing function
#4196Simple MyISAM to InnoDB4911221k+Output is not escaped
#4197Simple Post Expiration494710400Text Domain Mismatch
#4198Songkick Concerts and Festivals49948500Input is not sanitized
#4199SpinupWP49433830k+Non-prefixed function
#4200Taxonomy Images4938509k+Output is not escaped