WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4301MOBILOOK — Mobile View & Mobile‑Friendly Test5310201k+Missing nonce verification
#4302Multiple external product URLs for WooCommerce532817400Text Domain Mismatch
#4303ONTRApages5316271k+Output is not escaped
#4304Pinterest for WooCommerce534430300k+Exception output is not escaped
#4305Post Type Converter535281k+Nonce verification recommended
#4306Preserved HTML Editor Markup531222600Output is not escaped
#4307Preserved HTML Editor Markup Plus5312223k+Output is not escaped
#4308pretix widget532539400Non-prefixed global variable
#4309Pure Metafields53513010k+Non-prefixed global variable
#4310RDFa Breadcrumb532713600Output is not escaped
#4311Royal WordPress Backup, Restore & Migration Plugin – Backup WordPress Sites Safely53349020k+Database parameter is not escaped
#4312Send Email From Admin532713700Text Domain Mismatch
#4313Shamor535512400wp function not compatible with requires wp
#4314Simple Blog Stats5325764k+Non-prefixed function
#4315Simple Copy Post Button531424400Input is not sanitized
#4316Skroutz Analytics for WooCommerce5357151k+Text Domain Mismatch
#4317Morning for WooCommerce537591k+Non-prefixed global variable
#4318Widget Context53142040k+Non-prefixed hook name
#4319WP User Switch538461k+Input is not sanitized
#4320aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder5483822k+Non-prefixed global variable
#4321Better Admin Bar5427633k+Non-prefixed global variable
#4322Blockskit5433298k+Text Domain Mismatch
#4323Booking Calendar54288850k+Mixed line endings
#4324Boostify Header Footer Builder for Elementor54419557k+Text Domain Mismatch
#4325CSV Importer5424113k+Missing direct file access protection
#4326Custom Category Templates5411113k+Unsafe printing function
#4327Disable Media Sizes5414710k+Output is not escaped
#4328Disqus Comment System54173340k+Non-prefixed hook name
#4329Easy Elementor Addons – Addons Pack for Elementor Page Builder5435681k+Post Not In exclude
#4330Extended User Search In WP-Admin5414171k+SQL query is not prepared
#4331F4 Media Taxonomies547391k+Input is not sanitized
#4332PWA — easy way to Progressive Web App5415442k+Dynamic hook name
#4333Juiz Lang Attribute5426272k+Text Domain Mismatch
#4334Live Summary for Gravity Forms5415271k+Nonce verification recommended
#4335Quick Buy Now Button for WooCommerce541362540k+Text Domain Mismatch
#4336Reorder Terms5417381k+Nonce verification recommended
#4337Resize images before upload541951k+Output is not escaped
#4338REST XML-RPC Data Checker541445900Input is not sanitized
#4339Simple XML Sitemap Generator548283k+Non-prefixed function
#4340SimplyBook.me – Booking and reservations calendar54311330k+Exception output is not escaped
#4341SpeedSize Image & Video AI-Optimizer549817400Text Domain Mismatch
#4342Sp*tify Play Button for WordPress5421153k+Text Domain Mismatch
#4343Sticky Floating Forms Lite542629900Non-prefixed global variable
#4344Post Badges541913400Output is not escaped
#4345WC Duplicate Order541215500Nonce verification recommended
#4346WPC Order Notes for WooCommerce542025900Output is not escaped
#4347WP Call Button – Easy Click to Call Button for WordPress54213840k+Non-prefixed global variable
#4348WP Menu Icons54685220k+Text Domain Mismatch
#4349WP Post Navigation5414231k+Output is not escaped
#4350WP Resized Image Quality54199800Output is not escaped