WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4701Duplicate Menu66117100k+Unsafe printing function
#4702Easy PHP Settings6634481k+Missing Translators Comment
#4703Elementic66229900Text Domain Mismatch
#4704Estatik Mortgage Calculator662261k+Output is not escaped
#4705FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration6626306k+Missing direct file access protection
#4706Goaffpro Affiliate Marketing666284k+Nonce verification recommended
#4707Hide Title6613630k+Output is not escaped
#4708HiFi (Head Injection, Foot Injection)6613112k+Output is not escaped
#4709Leadpages6666210k+Direct Query
#4710Page Title Splitter662981k+wp function not compatible with requires wp
#4711Page Meta662614700Missing Arg Domain
#4712Plugin Compatibility Checker6673189k+Text Domain Mismatch
#4713Product Code for WooCommerce6613541k+Missing direct file access protection
#4714Product Size Chart For WooCommerce669226k+Non-prefixed hook name
#4715Raw HTML66173510k+Non-prefixed function
#4716Safe Redirect Manager6696040k+Non-prefixed hook name
#4717User Profile Picture66984k+Missing nonce verification
#4718Visual Link Preview6647210k+Output is not escaped
#4719Ajax add to cart for WooCommerce66673110k+Text Domain Mismatch
#4720WP Simple Adsense Insertion663293k+Input is not validated
#4721WP Anti-Clickjack664424k+Nonce verification recommended
#4722WP Multisite User Sync/Unsync661531700Missing Arg Domain
#4723WP Term Images664182k+Nonce verification recommended
#4724Raptive Ads6734316k+Text Domain Mismatch
#4725Affiliates Manager Google reCAPTCHA Integration671810400Request data is not unslashed
#4726Awesome Contact Form7 for Elementor6720307k+Non-prefixed global variable
#4727Breadcrumbs Divi Module67443810k+Text Domain Mismatch
#4728Caddy – WooCommerce Side Cart & Free Shipping Bar67381993k+Non-prefixed global variable
#4729Card Elements for Elementor67151163k+Non-prefixed global variable
#4730CCM19 Integration6714134k+Nonce verification recommended
#4731Duplicate TEC Event671210900date date
#4732Easy Media Replace6716141k+Output is not escaped
#4733EU Cookies Bar for WordPress673699k+Request data is not unslashed
#4734Forget Spam Comment6751010k+Input is not sanitized
#4735Hide Page And Post Title6711840k+Output is not escaped
#4736Hide Plugins677151k+Nonce verification recommended
#4737Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize67293809k+Text Domain Mismatch
#4738Leadster676104k+Non-prefixed function
#4739Mailster Gmail Integration6715131k+Missing Translators Comment
#4740Manage Upload Types67713400Output is not escaped
#4741MetaTag67713600Input is not validated
#4742Missed Schedule Post Publisher6711107k+Output is not escaped
#4743Mosaic Gallery – Advanced Gallery6745793k+Non-prefixed global variable
#4744Mouse cursor customizer675381k+Missing nonce verification
#4745Notely67617600Non-prefixed function
#4746onOffice for WP-Websites6755071k+Non-prefixed global variable
#4747Per Page Sidebars671211900Input is not validated
#4748Product Specifications for Woocommerce6712801k+Non-prefixed global variable
#4749Product Variations Swatches for WooCommerce67813610k+Non-prefixed global variable
#4750Safelayout Elegant Icons – WordPress icons67317700Input is not validated