WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4401 | reCAPTCHA for Ninja Forms | 56 | 21 | 9 | 600 | Output is not escaped | ||
| #4402 | Maya Business Plugin | 56 | 9 | 39 | 600 | Input is not validated | ||
| #4403 | Pluginception | 56 | 7 | 29 | 4k+ | Request data is not unslashed | ||
| #4404 | Replace Protected Password | 56 | 6 | 18 | 600 | Input is not sanitized | ||
| #4405 | Seed Social | 56 | 36 | 7 | 6k+ | Output is not escaped | ||
| #4406 | Image Optimization For SEO | 56 | 116 | 69 | 3k+ | Non Singular String Literal Domain | ||
| #4407 | Simple Org Chart | 56 | 15 | 29 | 900 | Missing Version | ||
| #4408 | Subscriptions for WooCommerce with Stripe Recurring Payments | 56 | 10 | 467 | 800 | Non-prefixed global variable | ||
| #4409 | TableKit – WordPress Table Builder for Data Tables, WooCommerce Product Tables & Post Tables | 56 | 80 | 20 | 3k+ | Missing Translators Comment | ||
| #4410 | TextBuilder | 56 | 20 | 34 | 4k+ | Missing Arg Domain | ||
| #4411 | ThemeinWP Import Companion | 56 | 17 | 14 | 4k+ | Unsafe printing function | ||
| #4412 | Export & Import WPBakery Page Builder | 56 | 12 | 20 | 9k+ | Missing nonce verification | ||
| #4413 | WC Moneris Payment Gateway | 56 | 82 | 20 | 900 | Text Domain Mismatch | ||
| #4414 | easy AMP | 56 | 10 | 24 | 600 | Input is not sanitized | ||
| #4415 | WP Clean Admin Menu | 56 | 29 | 11 | 2k+ | Output is not escaped | ||
| #4416 | Pantheon Migrations | 57 | 15 | 26 | 1k+ | Output is not escaped | ||
| #4417 | BestWebSoft’s Pinterest | 57 | 490 | 176 | 500 | Text Domain Mismatch | ||
| #4418 | Cache-Control | 57 | 26 | 4 | 1k+ | Output is not escaped | ||
| #4419 | Cresta Social Share Counter | 57 | 12 | 13 | 2k+ | Output is not escaped | ||
| #4420 | Delete Pending Comments | 57 | 16 | 11 | 10k+ | Unsafe printing function | ||
| #4421 | Disable Cart Fragments by Optimocha | 57 | 8 | 13 | 10k+ | Nonce verification recommended | ||
| #4422 | Live Chat by Formilla – Real-time Chat & Chatbots Plugin | 57 | 22 | 13 | 2k+ | Missing Arg Domain | ||
| #4423 | APG Google Image Sitemap Feed | 57 | 36 | 33 | 900 | Non-prefixed global variable | ||
| #4424 | Gravity PDF | 57 | 116 | 152 | 20k+ | Non-prefixed global variable | ||
| #4425 | Hide Admin Notices | 57 | 9 | 16 | 20k+ | Input is not sanitized | ||
| #4426 | iConvert Promoter | 57 | 98 | 217 | 2k+ | Non-prefixed global variable | ||
| #4427 | iZooto – Web Push Notifications | 57 | 26 | 25 | 1k+ | wp function not compatible with requires wp | ||
| #4428 | Jquery Validation For Contact Form 7 | 57 | 16 | 19 | 9k+ | Missing direct file access protection | ||
| #4429 | JSON API User | 57 | 17 | 34 | 1k+ | Non-prefixed hook name | ||
| #4430 | Logo Manager For Enamad – لوگوی نماد الکترونیکی | 57 | 18 | 14 | 5k+ | Output is not escaped | ||
| #4431 | MC4WP: Mailchimp for WordPress | 57 | 238 | 1m+ | Non-prefixed global variable | |||
| #4432 | Monri Payments | 57 | 141 | 47 | 900 | Text Domain Mismatch | ||
| #4433 | Plethora Plugins Tabs + Accordions | 57 | 44 | 10 | 2k+ | Output is not escaped | ||
| #4434 | Plugin Notes | 57 | 17 | 29 | 400 | Input is not validated | ||
| #4435 | Protected Posts Logout Button | 57 | 10 | 20 | 1k+ | Input is not sanitized | ||
| #4436 | Public Post Preview | 57 | 8 | 11 | 100k+ | Nonce verification recommended | ||
| #4437 | Real-Time Find and Replace | 57 | 23 | 10 | 70k+ | Output is not escaped | ||
| #4438 | Remove admin menus by role | 57 | 5 | 54 | 8k+ | Input is not validated | ||
| #4439 | Replain | 57 | 21 | 9 | 700 | Output is not escaped | ||
| #4440 | Search Exclude | 57 | 73 | 40 | 50k+ | Text Domain Mismatch | ||
| #4441 | Simple CSS | 57 | 22 | 13 | 80k+ | Missing Version | ||
| #4442 | Site Health Tool Manager | 57 | 13 | 5 | 1k+ | Unsafe printing function | ||
| #4443 | Responsive Slideshow – Photo Carousel | 57 | 1 | 74 | 2k+ | Non-prefixed global variable | ||
| #4444 | Timologia for WooCommerce | 57 | 75 | 22 | 3k+ | Text Domain Mismatch | ||
| #4445 | WC Call For Price | 57 | 19 | 55 | 1k+ | Non-prefixed global variable | ||
| #4446 | Filter Orders by Product for WooCommerce | 57 | 9 | 21 | 4k+ | Nonce verification recommended | ||
| #4447 | WP Adsterra Dashboard | 57 | 22 | 21 | 400 | wp function not compatible with requires wp | ||
| #4448 | WP Table Builder – Drag & Drop Table Builder | 57 | 63 | 39 | 50k+ | Not Allowed | ||
| #4449 | WP Wrapper | 57 | 13 | 29 | 600 | Input is not validated | ||
| #4450 | XML Feed for Skroutz & BestPrice for WooCommerce | 57 | 12 | 50 | 600 | Input is not sanitized |