WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4351 | YITH Proteo Toolkit | 54 | 130 | 64 | 1k+ | Text Domain Mismatch | ||
| #4352 | Accordions | 55 | 1 | 101 | 20k+ | slow db query meta query | ||
| #4353 | Admin Bar User Switching | 55 | 16 | 31 | 2k+ | Input is not validated | ||
| #4354 | Advanced Custom Order Status for WooCommerce | 55 | 44 | 33 | 500 | Text Domain Mismatch | ||
| #4355 | AI Assistant for Elementor – Auto Content Writer, OpenAI, ChatGPT | 55 | 151 | 24 | 400 | Text Domain Mismatch | ||
| #4356 | Ascending Posts by Fly Plugins | 55 | 23 | 13 | 500 | Text Domain Mismatch | ||
| #4357 | Auto Image Alt Attribute | 55 | 26 | 7 | 6k+ | Unsafe printing function | ||
| #4358 | Chabok | چابک | 55 | 16 | 31 | 400 | Nonce verification recommended | ||
| #4359 | Custom Upload Dir | 55 | 63 | 7 | 5k+ | Missing Arg Domain | ||
| #4360 | Disable Feeds | 55 | 9 | 9 | 20k+ | Output is not escaped | ||
| #4361 | Email Template Customizer for WooCommerce | 55 | 552 | 248 | 20k+ | Text Domain Mismatch | ||
| #4362 | Feedbucket – Website Feedback Tool | 55 | 10 | 25 | 1k+ | Input is not validated | ||
| #4363 | Go Live Update Urls | 55 | 11 | 49 | 80k+ | Non-prefixed hook name | ||
| #4364 | Head Meta Data | 55 | 19 | 42 | 10k+ | Non-prefixed function | ||
| #4365 | Head, Footer and Post Injections | 55 | 9 | 52 | 200k+ | Non-prefixed global variable | ||
| #4366 | Hide Admin Menu | 55 | 18 | 27 | 20k+ | Non-prefixed function | ||
| #4367 | JetWidgets For Elementor | 55 | 99 | 279 | 10k+ | Non-prefixed global variable | ||
| #4368 | Landingi Landing Pages | 55 | 18 | 23 | 2k+ | Input is not sanitized | ||
| #4369 | Login or Logout Menu Item | 55 | 13 | 7 | 20k+ | Unsafe printing function | ||
| #4370 | Mailster for WooCommerce | 55 | 23 | 32 | 1k+ | Non-prefixed global variable | ||
| #4371 | LexonRank: AI Link Building, Free Backlinks & SEO Automation | 55 | 15 | 20 | 1k+ | Nonce verification recommended | ||
| #4372 | Marvy – Background Animations for Elementor | 55 | 63 | 34 | 4k+ | Text Domain Mismatch | ||
| #4373 | Mortgage Calculator | 55 | 98 | 16 | 4k+ | Text Domain Mismatch | ||
| #4374 | Page Animations And Transitions | 55 | 89 | 67 | 1k+ | Non Singular String Literal Domain | ||
| #4375 | Fast Page & Post Duplicator | 55 | 12 | 25 | 60k+ | Direct Query | ||
| #4376 | Virtual Robots.txt | 55 | 10 | 21 | 40k+ | Input is not validated | ||
| #4377 | Popup Maker – Responsive popup, Exit Intent Pop up, Email Optins, Autoresponder & More | 55 | 44 | 64 | 7k+ | Text Domain Mismatch | ||
| #4378 | Quick and Easy Testimonials | 55 | 62 | 32 | 3k+ | Non Singular String Literal Domain | ||
| #4379 | Semrush Content Toolkit | 55 | 22 | 24 | 2k+ | Non-prefixed global variable | ||
| #4380 | Slider Block by Sliderberg – WordPress Slider & Carousel Plugin for Gutenberg | 55 | 23 | 19 | 1k+ | Output is not escaped | ||
| #4381 | Free customer chat solution | 55 | 18 | 10 | 500 | Output is not escaped | ||
| #4382 | Text Changer for Welcart | 55 | 477 | 43 | 500 | Text Domain Mismatch | ||
| #4383 | Trusona for WordPress | 55 | 8 | 34 | 500 | Non-prefixed function | ||
| #4384 | VS Contact Form | 55 | 3 | 318 | 7k+ | Non-prefixed global variable | ||
| #4385 | VK Block Patterns | 55 | 8 | 61 | 100k+ | Non-prefixed function | ||
| #4386 | WP Ultimate Review | 55 | 23 | 381 | 70k+ | Non-prefixed global variable | ||
| #4387 | Yext Plugin | 55 | 16 | 23 | 800 | Non-prefixed function | ||
| #4388 | Admin Bar Fix | 56 | 40 | 18 | 400 | Text Domain Mismatch | ||
| #4389 | All in One SEO Pack Importer | 56 | 17 | 25 | 500 | Direct Query | ||
| #4390 | Anti-Captcha (anti-spam botblocker) | 56 | 23 | 26 | 1k+ | rand mt rand | ||
| #4391 | BuddyCommerce: WooCommerce and BuddyPress Integration | 56 | 29 | 19 | 800 | Output is not escaped | ||
| #4392 | SMTP by BestWebSoft | 56 | 486 | 175 | 1k+ | Text Domain Mismatch | ||
| #4393 | Contextual Adminbar Color | 56 | 18 | 16 | 500 | Output is not escaped | ||
| #4394 | FluentSnippets – High-Performance Code Snippets, Header & Footer Code, Custom CSS & PHP Code Manager | 56 | 31 | 27 | 50k+ | Nonce verification recommended | ||
| #4395 | Easy Digital Downloads Featured Downloads | 56 | 15 | 15 | 1k+ | Output is not escaped | ||
| #4396 | FV Top Level Categories | 56 | 24 | 16 | 20k+ | Text Domain Mismatch | ||
| #4397 | Grids: Layout builder for WordPress | 56 | 24 | 27 | 2k+ | Missing direct file access protection | ||
| #4398 | Form data to kintone | 56 | 25 | 22 | 1k+ | Output is not escaped | ||
| #4399 | LearnPress – Course Wishlist | 56 | 35 | 22 | 20k+ | Output is not escaped | ||
| #4400 | Free Live Chat Support | 56 | 9 | 20 | 600 | Output is not escaped |