WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4651Icon Element – Icon Pack for Elementor Page Builder (6718 icons)64301640k+wp function not compatible with requires wp
#4652Inactive Logout64307110k+Non-prefixed global variable
#4653Integrate Firebase64267500Output is not escaped
#4654Kama SpamBlock642975k+Short PHP open tag found
#4655Moosend Website Connector6415121k+Non Singular String Literal Domain
#4656Nofollow for external link648510k+Output is not escaped
#4657Pageviews6415121k+Missing Translators Comment
#4658Send From64518500Input is not sanitized
#4659SMK Sidebar Generator6419510k+Output is not escaped
#4660Stag Custom Sidebars6410122k+Text Domain Mismatch
#4661Stancer for WooCommerce642108400Non-prefixed global variable
#4662Oceanwp sticky header6481310k+Missing nonce verification
#4663Twitter6427239k+Missing Translators Comment
#4664WProofreader spell & grammar check plugin for WordPress6412434k+Non-prefixed global variable
#4665WP Search with Algolia6427167k+Missing direct file access protection
#4666WP Term Order642266k+Nonce verification recommended
#4667YaMaps for WordPress Plugin64213010k+Non-prefixed global variable
#4668AdSimple Cookie Consent Banner6555109600wp function not compatible with requires wp
#4669Authorizer653545k+Nonce verification recommended
#4670Contact Form 7 – Success Page Redirects6551510k+Input is not sanitized
#4671Custom Global Variables6514125k+Output is not escaped
#4672Custom Share Buttons with Floating Sidebar65164204k+Text Domain Mismatch
#4673Cyr to Lat Reloaded – Transliteration of Links and File Names65133630k+Direct Query
#4674Disable REST API65121580k+Output is not escaped
#4675Dojo for WooCommerce657113800Text Domain Mismatch
#4676EDD Hide Download651313600Output is not escaped
#4677Live Chat with Messenger Customer Chat6510233k+Input is not sanitized
#4678Featured Galleries6515103k+Output is not escaped
#4679HTACCESS IP Blocker655142k+Missing nonce verification
#4680Multi Image Metabox651786k+Output is not escaped
#4681MW WP Form reCAPTCHA6511142k+Input is not sanitized
#4682Read More Excerpt Link651983k+Output is not escaped
#4683Redirect 404 to Home Page – Custom URL657114k+Output is not escaped
#4684Slider Revolution Search Replace65514900Input is not validated
#4685SocketLabs651518900Output is not escaped
#4686VK Link Target Controller65131030k+Output is not escaped
#4687Websitescanner Custom Schema652819600wp function not compatible with requires wp
#4688Add to Cart Text Changer and Customize Button, Add Custom Icon6587182k+Text Domain Mismatch
#4689Ajaxify Comments – Ajax and Lazy Loading Comments6520383k+Non-prefixed hook name
#4690WP-Farsi652636600Non-prefixed function
#4691WP Max Submit Protect651912400Output is not escaped
#4692AC Advanced Flamingo Settings66632700Nonce verification recommended
#4693ACF: Rus-To-Lat6615112k+Output is not escaped
#4694WPAdmin AWS CDN6616142400Text Domain Mismatch
#4695Bopo – WooCommerce Product Bundle Builder661371351k+Text Domain Mismatch
#4696Bulk Term Generator – Import multiple tags, categories, and taxonomies easily668312k+Request data is not unslashed
#4697Calculated fields for ACF665181k+Non-prefixed global variable
#4698Social comments by WpDevArt669198k+Missing Version
#4699Cookie Warning661415700Non-prefixed function
#4700Custom Author Byline66118500Output is not escaped