WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4301 | MOBILOOK — Mobile View & Mobile‑Friendly Test | 53 | 10 | 20 | 1k+ | Missing nonce verification | ||
| #4302 | Multiple external product URLs for WooCommerce | 53 | 28 | 17 | 400 | Text Domain Mismatch | ||
| #4303 | ONTRApages | 53 | 16 | 27 | 1k+ | Output is not escaped | ||
| #4304 | Pinterest for WooCommerce | 53 | 44 | 30 | 300k+ | Exception output is not escaped | ||
| #4305 | Post Type Converter | 53 | 5 | 28 | 1k+ | Nonce verification recommended | ||
| #4306 | Preserved HTML Editor Markup | 53 | 12 | 22 | 600 | Output is not escaped | ||
| #4307 | Preserved HTML Editor Markup Plus | 53 | 12 | 22 | 3k+ | Output is not escaped | ||
| #4308 | pretix widget | 53 | 25 | 39 | 400 | Non-prefixed global variable | ||
| #4309 | Pure Metafields | 53 | 5 | 130 | 10k+ | Non-prefixed global variable | ||
| #4310 | RDFa Breadcrumb | 53 | 27 | 13 | 600 | Output is not escaped | ||
| #4311 | Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely | 53 | 34 | 90 | 20k+ | Database parameter is not escaped | ||
| #4312 | Send Email From Admin | 53 | 27 | 13 | 700 | Text Domain Mismatch | ||
| #4313 | Shamor | 53 | 55 | 12 | 400 | wp function not compatible with requires wp | ||
| #4314 | Simple Blog Stats | 53 | 25 | 76 | 4k+ | Non-prefixed function | ||
| #4315 | Simple Copy Post Button | 53 | 14 | 24 | 400 | Input is not sanitized | ||
| #4316 | Skroutz Analytics for WooCommerce | 53 | 57 | 15 | 1k+ | Text Domain Mismatch | ||
| #4317 | Morning for WooCommerce | 53 | 7 | 59 | 1k+ | Non-prefixed global variable | ||
| #4318 | Widget Context | 53 | 14 | 20 | 40k+ | Non-prefixed hook name | ||
| #4319 | WP User Switch | 53 | 8 | 46 | 1k+ | Input is not sanitized | ||
| #4320 | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | 54 | 8 | 382 | 2k+ | Non-prefixed global variable | ||
| #4321 | Better Admin Bar | 54 | 27 | 63 | 3k+ | Non-prefixed global variable | ||
| #4322 | Blockskit | 54 | 33 | 29 | 8k+ | Text Domain Mismatch | ||
| #4323 | Booking Calendar | 54 | 28 | 88 | 50k+ | Mixed line endings | ||
| #4324 | Boostify Header Footer Builder for Elementor | 54 | 419 | 55 | 7k+ | Text Domain Mismatch | ||
| #4325 | CSV Importer | 54 | 24 | 11 | 3k+ | Missing direct file access protection | ||
| #4326 | Custom Category Templates | 54 | 11 | 11 | 3k+ | Unsafe printing function | ||
| #4327 | Disable Media Sizes | 54 | 14 | 7 | 10k+ | Output is not escaped | ||
| #4328 | Disqus Comment System | 54 | 17 | 33 | 40k+ | Non-prefixed hook name | ||
| #4329 | Easy Elementor Addons – Addons Pack for Elementor Page Builder | 54 | 35 | 68 | 1k+ | Post Not In exclude | ||
| #4330 | Extended User Search In WP-Admin | 54 | 14 | 17 | 1k+ | SQL query is not prepared | ||
| #4331 | F4 Media Taxonomies | 54 | 7 | 39 | 1k+ | Input is not sanitized | ||
| #4332 | PWA — easy way to Progressive Web App | 54 | 15 | 44 | 2k+ | Dynamic hook name | ||
| #4333 | Juiz Lang Attribute | 54 | 26 | 27 | 2k+ | Text Domain Mismatch | ||
| #4334 | Live Summary for Gravity Forms | 54 | 15 | 27 | 1k+ | Nonce verification recommended | ||
| #4335 | Quick Buy Now Button for WooCommerce | 54 | 136 | 25 | 40k+ | Text Domain Mismatch | ||
| #4336 | Reorder Terms | 54 | 17 | 38 | 1k+ | Nonce verification recommended | ||
| #4337 | Resize images before upload | 54 | 19 | 5 | 1k+ | Output is not escaped | ||
| #4338 | REST XML-RPC Data Checker | 54 | 14 | 45 | 900 | Input is not sanitized | ||
| #4339 | Simple XML Sitemap Generator | 54 | 8 | 28 | 3k+ | Non-prefixed function | ||
| #4340 | SimplyBook.me – Booking and reservations calendar | 54 | 31 | 13 | 30k+ | Exception output is not escaped | ||
| #4341 | SpeedSize Image & Video AI-Optimizer | 54 | 98 | 17 | 400 | Text Domain Mismatch | ||
| #4342 | Sp*tify Play Button for WordPress | 54 | 21 | 15 | 3k+ | Text Domain Mismatch | ||
| #4343 | Sticky Floating Forms Lite | 54 | 26 | 29 | 900 | Non-prefixed global variable | ||
| #4344 | Post Badges | 54 | 19 | 13 | 400 | Output is not escaped | ||
| #4345 | WC Duplicate Order | 54 | 12 | 15 | 500 | Nonce verification recommended | ||
| #4346 | WPC Order Notes for WooCommerce | 54 | 20 | 25 | 900 | Output is not escaped | ||
| #4347 | WP Call Button – Easy Click to Call Button for WordPress | 54 | 21 | 38 | 40k+ | Non-prefixed global variable | ||
| #4348 | WP Menu Icons | 54 | 68 | 52 | 20k+ | Text Domain Mismatch | ||
| #4349 | WP Post Navigation | 54 | 14 | 23 | 1k+ | Output is not escaped | ||
| #4350 | WP Resized Image Quality | 54 | 19 | 9 | 800 | Output is not escaped |