WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4701 | Duplicate Menu | 66 | 11 | 7 | 100k+ | Unsafe printing function | ||
| #4702 | Easy PHP Settings | 66 | 34 | 48 | 1k+ | Missing Translators Comment | ||
| #4703 | Elementic | 66 | 22 | 9 | 900 | Text Domain Mismatch | ||
| #4704 | Estatik Mortgage Calculator | 66 | 22 | 6 | 1k+ | Output is not escaped | ||
| #4705 | FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration | 66 | 26 | 30 | 6k+ | Missing direct file access protection | ||
| #4706 | Goaffpro Affiliate Marketing | 66 | 6 | 28 | 4k+ | Nonce verification recommended | ||
| #4707 | Hide Title | 66 | 13 | 6 | 30k+ | Output is not escaped | ||
| #4708 | HiFi (Head Injection, Foot Injection) | 66 | 13 | 11 | 2k+ | Output is not escaped | ||
| #4709 | Leadpages | 66 | 6 | 62 | 10k+ | Direct Query | ||
| #4710 | Page Title Splitter | 66 | 29 | 8 | 1k+ | wp function not compatible with requires wp | ||
| #4711 | Page Meta | 66 | 26 | 14 | 700 | Missing Arg Domain | ||
| #4712 | Plugin Compatibility Checker | 66 | 73 | 18 | 9k+ | Text Domain Mismatch | ||
| #4713 | Product Code for WooCommerce | 66 | 13 | 54 | 1k+ | Missing direct file access protection | ||
| #4714 | Product Size Chart For WooCommerce | 66 | 9 | 22 | 6k+ | Non-prefixed hook name | ||
| #4715 | Raw HTML | 66 | 17 | 35 | 10k+ | Non-prefixed function | ||
| #4716 | Safe Redirect Manager | 66 | 9 | 60 | 40k+ | Non-prefixed hook name | ||
| #4717 | User Profile Picture | 66 | 9 | 8 | 4k+ | Missing nonce verification | ||
| #4718 | Visual Link Preview | 66 | 47 | 2 | 10k+ | Output is not escaped | ||
| #4719 | Ajax add to cart for WooCommerce | 66 | 67 | 31 | 10k+ | Text Domain Mismatch | ||
| #4720 | WP Simple Adsense Insertion | 66 | 3 | 29 | 3k+ | Input is not validated | ||
| #4721 | WP Anti-Clickjack | 66 | 4 | 42 | 4k+ | Nonce verification recommended | ||
| #4722 | WP Multisite User Sync/Unsync | 66 | 15 | 31 | 700 | Missing Arg Domain | ||
| #4723 | WP Term Images | 66 | 4 | 18 | 2k+ | Nonce verification recommended | ||
| #4724 | Raptive Ads | 67 | 34 | 31 | 6k+ | Text Domain Mismatch | ||
| #4725 | Affiliates Manager Google reCAPTCHA Integration | 67 | 18 | 10 | 400 | Request data is not unslashed | ||
| #4726 | Awesome Contact Form7 for Elementor | 67 | 20 | 30 | 7k+ | Non-prefixed global variable | ||
| #4727 | Breadcrumbs Divi Module | 67 | 44 | 38 | 10k+ | Text Domain Mismatch | ||
| #4728 | Caddy – WooCommerce Side Cart & Free Shipping Bar | 67 | 38 | 199 | 3k+ | Non-prefixed global variable | ||
| #4729 | Card Elements for Elementor | 67 | 15 | 116 | 3k+ | Non-prefixed global variable | ||
| #4730 | CCM19 Integration | 67 | 14 | 13 | 4k+ | Nonce verification recommended | ||
| #4731 | Duplicate TEC Event | 67 | 12 | 10 | 900 | date date | ||
| #4732 | Easy Media Replace | 67 | 16 | 14 | 1k+ | Output is not escaped | ||
| #4733 | EU Cookies Bar for WordPress | 67 | 3 | 69 | 9k+ | Request data is not unslashed | ||
| #4734 | Forget Spam Comment | 67 | 5 | 10 | 10k+ | Input is not sanitized | ||
| #4735 | Hide Page And Post Title | 67 | 11 | 8 | 40k+ | Output is not escaped | ||
| #4736 | Hide Plugins | 67 | 7 | 15 | 1k+ | Nonce verification recommended | ||
| #4737 | Kraken.io Image Optimizer – Compress, Convert to WebP & AVIF, Resize & Bulk Optimize | 67 | 293 | 80 | 9k+ | Text Domain Mismatch | ||
| #4738 | Leadster | 67 | 6 | 10 | 4k+ | Non-prefixed function | ||
| #4739 | Mailster Gmail Integration | 67 | 15 | 13 | 1k+ | Missing Translators Comment | ||
| #4740 | Manage Upload Types | 67 | 7 | 13 | 400 | Output is not escaped | ||
| #4741 | MetaTag | 67 | 7 | 13 | 600 | Input is not validated | ||
| #4742 | Missed Schedule Post Publisher | 67 | 11 | 10 | 7k+ | Output is not escaped | ||
| #4743 | Mosaic Gallery – Advanced Gallery | 67 | 45 | 79 | 3k+ | Non-prefixed global variable | ||
| #4744 | Mouse cursor customizer | 67 | 5 | 38 | 1k+ | Missing nonce verification | ||
| #4745 | Notely | 67 | 6 | 17 | 600 | Non-prefixed function | ||
| #4746 | onOffice for WP-Websites | 67 | 5 | 507 | 1k+ | Non-prefixed global variable | ||
| #4747 | Per Page Sidebars | 67 | 12 | 11 | 900 | Input is not validated | ||
| #4748 | Product Specifications for Woocommerce | 67 | 12 | 80 | 1k+ | Non-prefixed global variable | ||
| #4749 | Product Variations Swatches for WooCommerce | 67 | 8 | 136 | 10k+ | Non-prefixed global variable | ||
| #4750 | Safelayout Elegant Icons – WordPress icons | 67 | 3 | 17 | 700 | Input is not validated |