WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4251 | Interactive Globes – 3D World Maps | 51 | 24 | 104 | 400 | Non-prefixed global variable | ||
| #4252 | KIA Subtitle | 51 | 21 | 19 | 7k+ | Non-prefixed global variable | ||
| #4253 | Menu Icons by Themeisle – Add Icons to Navigation Menus | 51 | 34 | 22 | 100k+ | Output is not escaped | ||
| #4254 | Mintpay | 51 | 14 | 35 | 600 | Nonce verification recommended | ||
| #4255 | OnSale Page for WooCommerce | 51 | 30 | 44 | 2k+ | Text Domain Mismatch | ||
| #4256 | POLi Payments for WooCommerce | 51 | 62 | 26 | 500 | Text Domain Mismatch | ||
| #4257 | Quotes and Tips by BestWebSoft | 51 | 485 | 190 | 1k+ | Text Domain Mismatch | ||
| #4258 | Security-Protection | 51 | 5 | 32 | 400 | Missing nonce verification | ||
| #4259 | SePay Gateway | 51 | 12 | 39 | 1k+ | Nonce verification recommended | ||
| #4260 | Simple Cookie Notification Bar | 51 | 49 | 6 | 1k+ | Text Domain Mismatch | ||
| #4261 | Redirect | 51 | 26 | 12 | 5k+ | Output is not escaped | ||
| #4262 | StoryChief | 51 | 12 | 55 | 1k+ | Input is not sanitized | ||
| #4263 | The Cache Purger | 51 | 16 | 16 | 1k+ | Non Singular String Literal Text | ||
| #4264 | The Paste | 51 | 19 | 11 | 10k+ | Unsafe printing function | ||
| #4265 | Trustpilot Reviews | 51 | 14 | 52 | 30k+ | Missing nonce verification | ||
| #4266 | Visual Sitemap | 51 | 23 | 6 | 400 | Output is not escaped | ||
| #4267 | VK Filter Search | 51 | 35 | 71 | 6k+ | Nonce verification recommended | ||
| #4268 | Swift SMTP (formerly Welcome Email Editor) | 51 | 12 | 62 | 7k+ | Missing nonce verification | ||
| #4269 | WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System | 51 | 22 | 38 | 5k+ | Output is not escaped | ||
| #4270 | WP Counter Up – Animated Number Counter & Milestone Showcase | 51 | 18 | 239 | 1k+ | Non-prefixed global variable | ||
| #4271 | Check Pincode For WooCommerce | 52 | 55 | 400 | Direct Query | |||
| #4272 | Debug This | 52 | 43 | 32 | 2k+ | Missing Translators Comment | ||
| #4273 | Full Screen Background | 52 | 24 | 26 | 2k+ | Missing direct file access protection | ||
| #4274 | GSheetConnector for Gravity Forms – Send Gravity Forms Entries to Google Sheets in Real-Time | 52 | 26 | 27 | 1k+ | Exception output is not escaped | ||
| #4275 | Metronet Tag Manager | 52 | 17 | 36 | 20k+ | Input is not validated | ||
| #4276 | Post Notification by Email | 52 | 36 | 13 | 2k+ | Output is not escaped | ||
| #4277 | Plugins Load Order | 52 | 32 | 16 | 500 | Non Singular String Literal Domain | ||
| #4278 | Podium | 52 | 21 | 23 | 5k+ | Missing direct file access protection | ||
| #4279 | Product Bundles – Variation Bundles | 52 | 23 | 13 | 600 | Output is not escaped | ||
| #4280 | Product Time Countdown for WooCommerce | 52 | 7 | 36 | 400 | Input is not sanitized | ||
| #4281 | SEOWriting | 52 | 10 | 24 | 30k+ | Output is not escaped | ||
| #4282 | Starbox – the Author Box for Humans | 52 | 144 | 19 | 10k+ | Non Singular String Literal Domain | ||
| #4283 | Stealth Publish | 52 | 7 | 22 | 900 | Missing nonce verification | ||
| #4284 | Custom Post Template By Templatic | 52 | 19 | 14 | 700 | Text Domain Mismatch | ||
| #4285 | TNC Toolbox: Web Performance | 52 | 20 | 25 | 1k+ | Output is not escaped | ||
| #4286 | Travel Map | 52 | 36 | 11 | 1k+ | Output is not escaped | ||
| #4287 | WPVibe – MCP Server for WordPress. Connect Claude, ChatGPT, Gemini & Cursor | 52 | 19 | 58 | 4k+ | Interpolated SQL is not prepared | ||
| #4288 | Notiqoo – Order Notification & Customer Chat for WooCommerce | 52 | 11 | 187 | 1k+ | Non-prefixed global variable | ||
| #4289 | Wenprise Pinyin Slug | 52 | 30 | 34 | 4k+ | Text Domain Mismatch | ||
| #4290 | which template file | 52 | 19 | 12 | 4k+ | Output is not escaped | ||
| #4291 | Thank You Page Customizer for WooCommerce – Increase Your Sales | 52 | 5 | 249 | 4k+ | Non-prefixed global variable | ||
| #4292 | Price Based on Country for WooCommerce | 52 | 43 | 126 | 20k+ | Non-prefixed hook name | ||
| #4293 | Products Per Page for WooCommerce | 52 | 22 | 28 | 10k+ | Output is not escaped | ||
| #4294 | Bg RuTube Embed | 53 | 19 | 21 | 1k+ | Unsafe printing function | ||
| #4295 | Bulk Actions Select All | 53 | 26 | 22 | 800 | Text Domain Mismatch | ||
| #4296 | Download PDF After Submit Form | 53 | 2 | 45 | 500 | Input is not sanitized | ||
| #4297 | Elegant Custom Fonts | 53 | 15 | 17 | 3k+ | Output is not escaped | ||
| #4298 | Export Custom Pages | 53 | 22 | 19 | 700 | Output is not escaped | ||
| #4299 | File Manager | 53 | 41 | 68 | 10k+ | Missing direct file access protection | ||
| #4300 | Focus Videos | 53 | 36 | 9 | 400 | Text Domain Mismatch |