WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4201Users by Date Registered4913201k+Nonce verification recommended
#4202Was This Helpful?4919281k+Output is not escaped
#4203Gateway for Wise on WooCommerce4928301k+Output is not escaped
#4204PDF Invoices & Packing Slips for WooCommerce – Challan49561514k+Non-prefixed global variable
#4205WooBuilder492017700Output is not escaped
#4206Product Slider, Product Grid, Product Masonry495514410k+wp function not compatible with requires wp
#4207WP Post Disclaimer493427800Output is not escaped
#4208WP Sitemap Page494314200k+Missing Translators Comment
#4209WP Smart Import : Import any XML File to WordPress49283021k+Non-prefixed global variable
#4210WP User Groups494432600Missing Translators Comment
#4211Aspexi Social Media Sidebox5017512700Text Domain Mismatch
#4212Auto Ping Booster Free501821900Setting is missing a sanitization callback
#4213Booster for WPForms507945700Text Domain Mismatch
#4214BuddyPress Groups Extras503051400Missing direct file access protection
#4215Category AJAX Filter — Advanced Filter for Posts & Custom Post Types5024356k+Non-prefixed global variable
#4216Customize Tawk.to Widget502128500Request data is not unslashed
#4217Dashboard To-Do List502181k+Unsafe printing function
#4218Event Organiser CSV502827600Output is not escaped
#4219Block IPs for Gravity Forms508361k+Request data is not unslashed
#4220Headline Analyzer5013311k+Nonce verification recommended
#4221HT Slider For Elementor508844020k+Text Domain Mismatch
#4222IMGspider – 图片采集抓取插件5012492k+Missing nonce verification
#4223Custom Block Builder – Lazy Blocks50235120k+Non-prefixed hook name
#4224Mailster Gravity Forms504632800Text Domain Mismatch
#4225MB Custom Post Types & Custom Taxonomies50615510k+Missing Translators Comment
#4226Pago por Redsys504459700Text Domain Mismatch
#4227Product Open Pricing (Name Your Price) for WooCommerce50105376k+Text Domain Mismatch
#4228📷 Simple QR Code Generator Widget502114400Output is not escaped
#4229Section Widget502435500Nonce verification recommended
#4230Server Info – System Health & Diagnostics Suite5015463k+Input is not sanitized
#4231Sözleşmeler506361k+Input is not sanitized
#4232BestWebSoft's Twitter50477174900Text Domain Mismatch
#4233Veeqo for WooCommerce503017700Missing direct file access protection
#4234WRC Pricing Tables – Responsive CSS3 Pricing Tables505962k+Missing nonce verification
#4235Cart Popup for WooCommerce5191159k+Non-prefixed global variable
#4236Address Geocoder511218500Output is not escaped
#4237Adjust Admin Categories51301210k+Output is not escaped
#4238Aspexi Social Media Slider51177152k+Text Domain Mismatch
#4239AVIF Uploader5149444k+Missing Arg Domain
#4240Booqable Rental Plugin5181181k+wp function not compatible with requires wp
#4241Bootstrap Modals514381k+Output is not escaped
#4242WPML Multilingual for BuddyPress and BuddyBoss5118216k+SQL query is not prepared
#4243CloudFilt Bot & Spam Protection511122600Output is not escaped
#4244Custom Post Type UI5116401m+Non-prefixed hook name
#4245Dynamic Pricing and Discount Rules5124651k+Non Singular String Literal Text
#4246Dolyame Payment gateway5112210700Text Domain Mismatch
#4247Easy Search Replace – Find & Replace Text/HTML/URLs, Remove Footer Credit51661500Input is not sanitized
#4248Gravatar Enhanced – Avatars, Profiles, and Privacy513848100k+Dynamic hook name
#4249Gravity Forms No CAPTCHA reCAPTCHA51301710k+Text Domain Mismatch
#4250Gutenverse – WordPress Blocks, Page Builder & Site Editor51174720k+Non-prefixed hook name