WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4151 | Maps Plugin using Google Maps for WordPress – WP Google Map | 48 | 289 | 38 | 10k+ | wp function not compatible with requires wp | ||
| #4152 | Hotline Phone Ring | 48 | 16 | 15 | 8k+ | Output is not escaped | ||
| #4153 | JW Player for WordPress | 48 | 288 | 78 | 1k+ | Text Domain Mismatch | ||
| #4154 | Library Bookshelves | 48 | 12 | 59 | 500 | Nonce verification recommended | ||
| #4155 | Mailster Live | 48 | 22 | 37 | 600 | Missing Translators Comment | ||
| #4156 | MWW Disclaimer Buttons | 48 | 21 | 16 | 400 | Output is not escaped | ||
| #4157 | Raw HTML Snippets | 48 | 14 | 36 | 2k+ | Input is not sanitized | ||
| #4158 | External Links | 48 | 42 | 13 | 9k+ | Output is not escaped | ||
| #4159 | Simple Regenerate Slug | 48 | 18 | 6 | 400 | Unsafe printing function | ||
| #4160 | Easy Updates Manager | 48 | 13 | 182 | 300k+ | Non-prefixed global variable | ||
| #4161 | Tako Movable Comments | 48 | 18 | 39 | 1k+ | Input is not sanitized | ||
| #4162 | Taxonomy Switcher | 48 | 22 | 36 | 2k+ | Nonce verification recommended | ||
| #4163 | ThemeFarmer Companion | 48 | 54 | 51 | 2k+ | Missing Version | ||
| #4164 | Trust Payments Gateway for WooCommerce | 48 | 35 | 29 | 400 | Missing Translators Comment | ||
| #4165 | Virtuaria PagBank / PagSeguro for WooCommerce | 48 | 12 | 160 | 1k+ | Non-prefixed global variable | ||
| #4166 | Visual Website Optimizer | 48 | 86 | 4 | 5k+ | wp function not compatible with requires wp | ||
| #4167 | Whitelist IP For Limit Login Attempts | 48 | 18 | 12 | 500 | Output is not escaped | ||
| #4168 | Conditional Display for Mobile – Mobile Detect Plugin | 48 | 4 | 112 | 2k+ | Input is not sanitized | ||
| #4169 | Flutterwave Payment Gateway for WooCommerce | 48 | 14 | 22 | 2k+ | Output is not escaped | ||
| #4170 | WP Attachment Export | 48 | 16 | 25 | 600 | Input is not sanitized | ||
| #4171 | WP Login Form | 48 | 14 | 20 | 7k+ | Request data is not unslashed | ||
| #4172 | WP Remote Users Sync | 48 | 355 | 117 | 6k+ | Text Domain Mismatch | ||
| #4173 | WS Action Scheduler Cleaner | 48 | 13 | 80 | 2k+ | error log error log | ||
| #4174 | Advanced Automatic Updates | 49 | 26 | 25 | 20k+ | Nonce verification recommended | ||
| #4175 | Batcache | 49 | 12 | 53 | 700 | Input is not sanitized | ||
| #4176 | SiteEase Bulk Delete Manager | 49 | 50 | 72 | 900 | Direct Query | ||
| #4177 | Analytics by BestWebSoft – Google Analytics Dashboard and Statistic Plugin for WordPress | 49 | 478 | 176 | 1k+ | Text Domain Mismatch | ||
| #4178 | Gallery Carousel Without JetPack | 49 | 56 | 35 | 4k+ | Text Domain Mismatch | ||
| #4179 | Category Posts in Custom Menu | 49 | 19 | 18 | 2k+ | Output is not escaped | ||
| #4180 | Successful Redirection for Contact Form | 49 | 33 | 20 | 10k+ | Text Domain Mismatch | ||
| #4181 | CryptAPI Payment Gateway for WooCommerce | 49 | 185 | 23 | 400 | Text Domain Mismatch | ||
| #4182 | Dashboard quick links widget | 49 | 22 | 16 | 700 | Output is not escaped | ||
| #4183 | Download Media Library | 49 | 22 | 40 | 1k+ | Text Domain Mismatch | ||
| #4184 | Drag and Drop Multiple File Upload for WooCommerce | 49 | 114 | 29 | 5k+ | Text Domain Mismatch | ||
| #4185 | GDPR Tools: comment ip removement | 49 | 18 | 13 | 2k+ | Unsafe printing function | ||
| #4186 | Easy Media Download | 49 | 20 | 15 | 9k+ | Output is not escaped | ||
| #4187 | Easy Property Listings | 49 | 60 | 66 | 5k+ | wp function not compatible with requires wp | ||
| #4188 | GamiPress – Multimedia Content | 49 | 11 | 25 | 500 | Nonce verification recommended | ||
| #4189 | Ecommerce Fabrick | 49 | 4 | 135 | 1k+ | Nonce verification recommended | ||
| #4190 | Add LinkedIn Insight Tag for LinkedIn Ads | 49 | 126 | 23 | 5k+ | Non Singular String Literal Domain | ||
| #4191 | Logo Carousel Slider | 49 | 102 | 14 | 6k+ | Non Singular String Literal Domain | ||
| #4192 | Plugins Last Updated Column | 49 | 21 | 14 | 700 | Output is not escaped | ||
| #4193 | Post/Page Specific Custom Code | 49 | 21 | 14 | 7k+ | Output is not escaped | ||
| #4194 | Read Meter – Reading Time & Progress Bar | 49 | 39 | 50 | 10k+ | Request data is not unslashed | ||
| #4195 | Registered Users Only | 49 | 14 | 14 | 2k+ | Unsafe printing function | ||
| #4196 | Simple MyISAM to InnoDB | 49 | 11 | 22 | 1k+ | Output is not escaped | ||
| #4197 | Simple Post Expiration | 49 | 47 | 10 | 400 | Text Domain Mismatch | ||
| #4198 | Songkick Concerts and Festivals | 49 | 9 | 48 | 500 | Input is not sanitized | ||
| #4199 | SpinupWP | 49 | 43 | 38 | 30k+ | Non-prefixed function | ||
| #4200 | Taxonomy Images | 49 | 38 | 50 | 9k+ | Output is not escaped |