WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4451 | Zoho Billing – Embed Payment Form | 57 | 22 | 10 | 400 | Output is not escaped | ||
| #4452 | Admin Page Notes | 58 | 17 | 15 | 700 | Text Domain Mismatch | ||
| #4453 | Web Accessibility Toolkit – Accessibility Checker & ARIA for WCAG, Section 508 & ADA Compliance | 58 | 9 | 20 | 500 | Output is not escaped | ||
| #4454 | Basic User Avatars | 58 | 17 | 7 | 20k+ | Output is not escaped | ||
| #4455 | BCM Duplicate Menu | 58 | 8 | 11 | 4k+ | Nonce verification recommended | ||
| #4456 | Debloat – Remove Unused CSS, Optimize JS | 58 | 24 | 20 | 30k+ | Nonce verification recommended | ||
| #4457 | Departamentos y Ciudades de Colombia para Woocommerce | 58 | 49 | 42 | 6k+ | Text Domain Mismatch | ||
| #4458 | Error Log Viewer by BestWebSoft | 58 | 433 | 172 | 6k+ | Text Domain Mismatch | ||
| #4459 | Flexible FAQ | 58 | 27 | 26 | 1k+ | Text Domain Mismatch | ||
| #4460 | Go Redirects URL Forwarder | 58 | 17 | 14 | 1k+ | Output is not escaped | ||
| #4461 | Gutenverse Form – Contact Form Builder, Block Form & Booking Form | 58 | 17 | 48 | 10k+ | Nonce verification recommended | ||
| #4462 | HAL | 58 | 106 | 24 | 500 | Text Domain Mismatch | ||
| #4463 | Menu Swapper | 58 | 20 | 14 | 3k+ | Output is not escaped | ||
| #4464 | Nginx Cache | 58 | 12 | 8 | 10k+ | Unsafe printing function | ||
| #4465 | WP Online Active Users | 58 | 26 | 45 | 2k+ | Non-prefixed global variable | ||
| #4466 | PageLoader Lite – Loading Screen | 58 | 29 | 17 | 700 | Output is not escaped | ||
| #4467 | Quickcreator – AI Blog Writer | 58 | 14 | 18 | 500 | Exception output is not escaped | ||
| #4468 | Remove CPT base | 58 | 15 | 16 | 10k+ | Input is not sanitized | ||
| #4469 | Responsive Select Menu | 58 | 29 | 27 | 3k+ | Output is not escaped | ||
| #4470 | REVIEWS.io for WooCommerce | 58 | 71 | 161 | 1k+ | Non-prefixed global variable | ||
| #4471 | Safety Exit | 58 | 52 | 26 | 1k+ | Text Domain Mismatch | ||
| #4472 | Simple Back To Top | 58 | 15 | 43 | 3k+ | Non-prefixed global variable | ||
| #4473 | Simple CSS for widgets | 58 | 11 | 15 | 1k+ | Missing nonce verification | ||
| #4474 | SportsPress for Basketball | 58 | 104 | 34 | 1k+ | Text Domain Mismatch | ||
| #4475 | SportsPress for Football (Soccer) | 58 | 107 | 34 | 6k+ | Text Domain Mismatch | ||
| #4476 | SportsPress for Volleyball | 58 | 107 | 34 | 500 | Text Domain Mismatch | ||
| #4477 | Super Simple Event Calendar | 58 | 8 | 24 | 600 | Request data is not unslashed | ||
| #4478 | UiCore Elements – Free widgets and templates for Elementor | 58 | 29 | 30 | 40k+ | Output is not escaped | ||
| #4479 | Videopack | 58 | 28 | 108 | 10k+ | Input is not sanitized | ||
| #4480 | View Admin As | 58 | 307 | 135 | 9k+ | Non Singular String Literal Domain | ||
| #4481 | Cloak Affiliate Links for WooCommerce | 58 | 28 | 6 | 2k+ | Non Singular String Literal Domain | ||
| #4482 | Age Gator | 59 | 9 | 15 | 400 | Direct Query | ||
| #4483 | AudioIgniter Music Player | 59 | 53 | 10k+ | Input is not validated | |||
| #4484 | Posts Order | 59 | 59 | 20 | 1k+ | Text Domain Mismatch | ||
| #4485 | Co-Authors Plus | 59 | 2 | 76 | 20k+ | Input is not sanitized | ||
| #4486 | Cresta Posts Box | 59 | 10 | 13 | 1k+ | Output is not escaped | ||
| #4487 | Disabled Source, Disabled Right Click and Content Protection | 59 | 6 | 33 | 10k+ | Nonce verification recommended | ||
| #4488 | Display Post Types – Post Grid, post list and post sliders | 59 | 24 | 14 | 7k+ | Output is not escaped | ||
| #4489 | Fathom Analytics Conversions | 59 | 14 | 47 | 400 | Non-prefixed function | ||
| #4490 | File Upload For WPForms – Filenzo | 59 | 8 | 16 | 1k+ | Output is not escaped | ||
| #4491 | flowpaper | 59 | 13 | 31 | 10k+ | Non-prefixed function | ||
| #4492 | GDPR Data Request Form | 59 | 22 | 19 | 5k+ | Missing direct file access protection | ||
| #4493 | Getty Images | 59 | 11 | 46 | 2k+ | Missing nonce verification | ||
| #4494 | Gravity Forms: Notification Attachments | 59 | 18 | 7 | 500 | Output is not escaped | ||
| #4495 | Gravity Forms Approvals Add-On | 59 | 17 | 6 | 800 | Output is not escaped | ||
| #4496 | GravityWP – Merge Tags | 59 | 16 | 172 | 2k+ | Non-prefixed global variable | ||
| #4497 | MapGeo – Interactive Geo Maps | 59 | 14 | 51 | 40k+ | Non-prefixed hook name | ||
| #4498 | JetSticky For Elementor | 59 | 13 | 38 | 30k+ | Nonce verification recommended | ||
| #4499 | Lazy Loader | 59 | 6 | 24 | 9k+ | Nonce verification recommended | ||
| #4500 | Logo or Image Replace by mycore.global | 59 | 30 | 12 | 400 | Text Domain Mismatch |