WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4651 | Icon Element – Icon Pack for Elementor Page Builder (6718 icons) | 64 | 30 | 16 | 40k+ | wp function not compatible with requires wp | ||
| #4652 | Inactive Logout | 64 | 30 | 71 | 10k+ | Non-prefixed global variable | ||
| #4653 | Integrate Firebase | 64 | 26 | 7 | 500 | Output is not escaped | ||
| #4654 | Kama SpamBlock | 64 | 29 | 7 | 5k+ | Short PHP open tag found | ||
| #4655 | Moosend Website Connector | 64 | 15 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #4656 | Nofollow for external link | 64 | 8 | 5 | 10k+ | Output is not escaped | ||
| #4657 | Pageviews | 64 | 15 | 12 | 1k+ | Missing Translators Comment | ||
| #4658 | Send From | 64 | 5 | 18 | 500 | Input is not sanitized | ||
| #4659 | SMK Sidebar Generator | 64 | 19 | 5 | 10k+ | Output is not escaped | ||
| #4660 | Stag Custom Sidebars | 64 | 10 | 12 | 2k+ | Text Domain Mismatch | ||
| #4661 | Stancer for WooCommerce | 64 | 2 | 108 | 400 | Non-prefixed global variable | ||
| #4662 | Oceanwp sticky header | 64 | 8 | 13 | 10k+ | Missing nonce verification | ||
| #4663 | 64 | 27 | 23 | 9k+ | Missing Translators Comment | |||
| #4664 | WProofreader spell & grammar check plugin for WordPress | 64 | 12 | 43 | 4k+ | Non-prefixed global variable | ||
| #4665 | WP Search with Algolia | 64 | 27 | 16 | 7k+ | Missing direct file access protection | ||
| #4666 | WP Term Order | 64 | 2 | 26 | 6k+ | Nonce verification recommended | ||
| #4667 | YaMaps for WordPress Plugin | 64 | 21 | 30 | 10k+ | Non-prefixed global variable | ||
| #4668 | AdSimple Cookie Consent Banner | 65 | 55 | 109 | 600 | wp function not compatible with requires wp | ||
| #4669 | Authorizer | 65 | 3 | 54 | 5k+ | Nonce verification recommended | ||
| #4670 | Contact Form 7 – Success Page Redirects | 65 | 5 | 15 | 10k+ | Input is not sanitized | ||
| #4671 | Custom Global Variables | 65 | 14 | 12 | 5k+ | Output is not escaped | ||
| #4672 | Custom Share Buttons with Floating Sidebar | 65 | 164 | 20 | 4k+ | Text Domain Mismatch | ||
| #4673 | Cyr to Lat Reloaded – Transliteration of Links and File Names | 65 | 13 | 36 | 30k+ | Direct Query | ||
| #4674 | Disable REST API | 65 | 12 | 15 | 80k+ | Output is not escaped | ||
| #4675 | Dojo for WooCommerce | 65 | 71 | 13 | 800 | Text Domain Mismatch | ||
| #4676 | EDD Hide Download | 65 | 13 | 13 | 600 | Output is not escaped | ||
| #4677 | Live Chat with Messenger Customer Chat | 65 | 10 | 23 | 3k+ | Input is not sanitized | ||
| #4678 | Featured Galleries | 65 | 15 | 10 | 3k+ | Output is not escaped | ||
| #4679 | HTACCESS IP Blocker | 65 | 5 | 14 | 2k+ | Missing nonce verification | ||
| #4680 | Multi Image Metabox | 65 | 17 | 8 | 6k+ | Output is not escaped | ||
| #4681 | MW WP Form reCAPTCHA | 65 | 11 | 14 | 2k+ | Input is not sanitized | ||
| #4682 | Read More Excerpt Link | 65 | 19 | 8 | 3k+ | Output is not escaped | ||
| #4683 | Redirect 404 to Home Page – Custom URL | 65 | 7 | 11 | 4k+ | Output is not escaped | ||
| #4684 | Slider Revolution Search Replace | 65 | 5 | 14 | 900 | Input is not validated | ||
| #4685 | SocketLabs | 65 | 15 | 18 | 900 | Output is not escaped | ||
| #4686 | VK Link Target Controller | 65 | 13 | 10 | 30k+ | Output is not escaped | ||
| #4687 | Websitescanner Custom Schema | 65 | 28 | 19 | 600 | wp function not compatible with requires wp | ||
| #4688 | Add to Cart Text Changer and Customize Button, Add Custom Icon | 65 | 87 | 18 | 2k+ | Text Domain Mismatch | ||
| #4689 | Ajaxify Comments – Ajax and Lazy Loading Comments | 65 | 20 | 38 | 3k+ | Non-prefixed hook name | ||
| #4690 | WP-Farsi | 65 | 26 | 36 | 600 | Non-prefixed function | ||
| #4691 | WP Max Submit Protect | 65 | 19 | 12 | 400 | Output is not escaped | ||
| #4692 | AC Advanced Flamingo Settings | 66 | 6 | 32 | 700 | Nonce verification recommended | ||
| #4693 | ACF: Rus-To-Lat | 66 | 15 | 11 | 2k+ | Output is not escaped | ||
| #4694 | WPAdmin AWS CDN | 66 | 161 | 42 | 400 | Text Domain Mismatch | ||
| #4695 | Bopo – WooCommerce Product Bundle Builder | 66 | 137 | 135 | 1k+ | Text Domain Mismatch | ||
| #4696 | Bulk Term Generator – Import multiple tags, categories, and taxonomies easily | 66 | 8 | 31 | 2k+ | Request data is not unslashed | ||
| #4697 | Calculated fields for ACF | 66 | 5 | 18 | 1k+ | Non-prefixed global variable | ||
| #4698 | Social comments by WpDevArt | 66 | 9 | 19 | 8k+ | Missing Version | ||
| #4699 | Cookie Warning | 66 | 14 | 15 | 700 | Non-prefixed function | ||
| #4700 | Custom Author Byline | 66 | 11 | 8 | 500 | Output is not escaped |