WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4201 | Users by Date Registered | 49 | 13 | 20 | 1k+ | Nonce verification recommended | ||
| #4202 | Was This Helpful? | 49 | 19 | 28 | 1k+ | Output is not escaped | ||
| #4203 | Gateway for Wise on WooCommerce | 49 | 28 | 30 | 1k+ | Output is not escaped | ||
| #4204 | PDF Invoices & Packing Slips for WooCommerce – Challan | 49 | 56 | 151 | 4k+ | Non-prefixed global variable | ||
| #4205 | WooBuilder | 49 | 20 | 17 | 700 | Output is not escaped | ||
| #4206 | Product Slider, Product Grid, Product Masonry | 49 | 55 | 144 | 10k+ | wp function not compatible with requires wp | ||
| #4207 | WP Post Disclaimer | 49 | 34 | 27 | 800 | Output is not escaped | ||
| #4208 | WP Sitemap Page | 49 | 43 | 14 | 200k+ | Missing Translators Comment | ||
| #4209 | WP Smart Import : Import any XML File to WordPress | 49 | 28 | 302 | 1k+ | Non-prefixed global variable | ||
| #4210 | WP User Groups | 49 | 44 | 32 | 600 | Missing Translators Comment | ||
| #4211 | Aspexi Social Media Sidebox | 50 | 175 | 12 | 700 | Text Domain Mismatch | ||
| #4212 | Auto Ping Booster Free | 50 | 18 | 21 | 900 | Setting is missing a sanitization callback | ||
| #4213 | Booster for WPForms | 50 | 79 | 45 | 700 | Text Domain Mismatch | ||
| #4214 | BuddyPress Groups Extras | 50 | 30 | 51 | 400 | Missing direct file access protection | ||
| #4215 | Category AJAX Filter — Advanced Filter for Posts & Custom Post Types | 50 | 2 | 435 | 6k+ | Non-prefixed global variable | ||
| #4216 | Customize Tawk.to Widget | 50 | 21 | 28 | 500 | Request data is not unslashed | ||
| #4217 | Dashboard To-Do List | 50 | 21 | 8 | 1k+ | Unsafe printing function | ||
| #4218 | Event Organiser CSV | 50 | 28 | 27 | 600 | Output is not escaped | ||
| #4219 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | Request data is not unslashed | ||
| #4220 | Headline Analyzer | 50 | 13 | 31 | 1k+ | Nonce verification recommended | ||
| #4221 | HT Slider For Elementor | 50 | 884 | 40 | 20k+ | Text Domain Mismatch | ||
| #4222 | IMGspider – 图片采集抓取插件 | 50 | 12 | 49 | 2k+ | Missing nonce verification | ||
| #4223 | Custom Block Builder – Lazy Blocks | 50 | 23 | 51 | 20k+ | Non-prefixed hook name | ||
| #4224 | Mailster Gravity Forms | 50 | 46 | 32 | 800 | Text Domain Mismatch | ||
| #4225 | MB Custom Post Types & Custom Taxonomies | 50 | 61 | 55 | 10k+ | Missing Translators Comment | ||
| #4226 | Pago por Redsys | 50 | 44 | 59 | 700 | Text Domain Mismatch | ||
| #4227 | Product Open Pricing (Name Your Price) for WooCommerce | 50 | 105 | 37 | 6k+ | Text Domain Mismatch | ||
| #4228 | 📷 Simple QR Code Generator Widget | 50 | 21 | 14 | 400 | Output is not escaped | ||
| #4229 | Section Widget | 50 | 24 | 35 | 500 | Nonce verification recommended | ||
| #4230 | Server Info – System Health & Diagnostics Suite | 50 | 15 | 46 | 3k+ | Input is not sanitized | ||
| #4231 | Sözleşmeler | 50 | 6 | 36 | 1k+ | Input is not sanitized | ||
| #4232 | BestWebSoft's Twitter | 50 | 477 | 174 | 900 | Text Domain Mismatch | ||
| #4233 | Veeqo for WooCommerce | 50 | 30 | 17 | 700 | Missing direct file access protection | ||
| #4234 | WRC Pricing Tables – Responsive CSS3 Pricing Tables | 50 | 5 | 96 | 2k+ | Missing nonce verification | ||
| #4235 | Cart Popup for WooCommerce | 51 | 9 | 115 | 9k+ | Non-prefixed global variable | ||
| #4236 | Address Geocoder | 51 | 12 | 18 | 500 | Output is not escaped | ||
| #4237 | Adjust Admin Categories | 51 | 30 | 12 | 10k+ | Output is not escaped | ||
| #4238 | Aspexi Social Media Slider | 51 | 177 | 15 | 2k+ | Text Domain Mismatch | ||
| #4239 | AVIF Uploader | 51 | 49 | 44 | 4k+ | Missing Arg Domain | ||
| #4240 | Booqable Rental Plugin | 51 | 81 | 18 | 1k+ | wp function not compatible with requires wp | ||
| #4241 | Bootstrap Modals | 51 | 43 | 8 | 1k+ | Output is not escaped | ||
| #4242 | WPML Multilingual for BuddyPress and BuddyBoss | 51 | 18 | 21 | 6k+ | SQL query is not prepared | ||
| #4243 | CloudFilt Bot & Spam Protection | 51 | 11 | 22 | 600 | Output is not escaped | ||
| #4244 | Custom Post Type UI | 51 | 16 | 40 | 1m+ | Non-prefixed hook name | ||
| #4245 | Dynamic Pricing and Discount Rules | 51 | 24 | 65 | 1k+ | Non Singular String Literal Text | ||
| #4246 | Dolyame Payment gateway | 51 | 122 | 10 | 700 | Text Domain Mismatch | ||
| #4247 | Easy Search Replace – Find & Replace Text/HTML/URLs, Remove Footer Credit | 51 | 6 | 61 | 500 | Input is not sanitized | ||
| #4248 | Gravatar Enhanced – Avatars, Profiles, and Privacy | 51 | 38 | 48 | 100k+ | Dynamic hook name | ||
| #4249 | Gravity Forms No CAPTCHA reCAPTCHA | 51 | 30 | 17 | 10k+ | Text Domain Mismatch | ||
| #4250 | Gutenverse – WordPress Blocks, Page Builder & Site Editor | 51 | 17 | 47 | 20k+ | Non-prefixed hook name |