WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4451Zoho Billing – Embed Payment Form572210400Output is not escaped
#4452Admin Page Notes581715700Text Domain Mismatch
#4453Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance58920500Output is not escaped
#4454Basic User Avatars5817720k+Output is not escaped
#4455BCM Duplicate Menu588114k+Nonce verification recommended
#4456Debloat – Remove Unused CSS, Optimize JS58242030k+Nonce verification recommended
#4457Departamentos y Ciudades de Colombia para Woocommerce5849426k+Text Domain Mismatch
#4458Error Log Viewer by BestWebSoft584331726k+Text Domain Mismatch
#4459Flexible FAQ5827261k+Text Domain Mismatch
#4460Go Redirects URL Forwarder5817141k+Output is not escaped
#4461Gutenverse Form – Contact Form Builder, Block Form & Booking Form58174810k+Nonce verification recommended
#4462HAL5810624500Text Domain Mismatch
#4463Menu Swapper5820143k+Output is not escaped
#4464Nginx Cache5812810k+Unsafe printing function
#4465WP Online Active Users5826452k+Non-prefixed global variable
#4466PageLoader Lite – Loading Screen582917700Output is not escaped
#4467Quickcreator – AI Blog Writer581418500Exception output is not escaped
#4468Remove CPT base58151610k+Input is not sanitized
#4469Responsive Select Menu5829273k+Output is not escaped
#4470REVIEWS.io for WooCommerce58711611k+Non-prefixed global variable
#4471Safety Exit5852261k+Text Domain Mismatch
#4472Simple Back To Top5815433k+Non-prefixed global variable
#4473Simple CSS for widgets5811151k+Missing nonce verification
#4474SportsPress for Basketball58104341k+Text Domain Mismatch
#4475SportsPress for Football (Soccer)58107346k+Text Domain Mismatch
#4476SportsPress for Volleyball5810734500Text Domain Mismatch
#4477Super Simple Event Calendar58824600Request data is not unslashed
#4478UiCore Elements – Free widgets and templates for Elementor58293040k+Output is not escaped
#4479Videopack582810810k+Input is not sanitized
#4480View Admin As583071359k+Non Singular String Literal Domain
#4481Cloak Affiliate Links for WooCommerce582862k+Non Singular String Literal Domain
#4482Age Gator59915400Direct Query
#4483AudioIgniter Music Player595310k+Input is not validated
#4484Posts Order5959201k+Text Domain Mismatch
#4485Co-Authors Plus5927620k+Input is not sanitized
#4486Cresta Posts Box5910131k+Output is not escaped
#4487Disabled Source, Disabled Right Click and Content Protection5963310k+Nonce verification recommended
#4488Display Post Types – Post Grid, post list and post sliders5924147k+Output is not escaped
#4489Fathom Analytics Conversions591447400Non-prefixed function
#4490File Upload For WPForms – Filenzo598161k+Output is not escaped
#4491flowpaper59133110k+Non-prefixed function
#4492GDPR Data Request Form5922195k+Missing direct file access protection
#4493Getty Images5911462k+Missing nonce verification
#4494Gravity Forms: Notification Attachments59187500Output is not escaped
#4495Gravity Forms Approvals Add-On59176800Output is not escaped
#4496GravityWP – Merge Tags59161722k+Non-prefixed global variable
#4497MapGeo – Interactive Geo Maps59145140k+Non-prefixed hook name
#4498JetSticky For Elementor59133830k+Nonce verification recommended
#4499Lazy Loader596249k+Nonce verification recommended
#4500Logo or Image Replace by mycore.global593012400Text Domain Mismatch