WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4751 | Cart links for WooCommerce | 67 | 13 | 16 | 500 | Text Domain Mismatch | ||
| #4752 | WP Forms + Sprout Invoices – Easy Invoice & Quote Submissions | 67 | 40 | 12 | 400 | Text Domain Mismatch | ||
| #4753 | Theme Check | 67 | 143 | 6 | 20k+ | Missing Translators Comment | ||
| #4754 | Expand Tabs for WooCommerce | 67 | 10 | 57 | 1k+ | Non-prefixed global variable | ||
| #4755 | WP Image Zoom | 67 | 30 | 46 | 10k+ | Non-prefixed global variable | ||
| #4756 | WP SMTP Mailer – SMTP7 | 67 | 2 | 33 | 9k+ | Request data is not unslashed | ||
| #4757 | WP Notification Bars | 67 | 13 | 32 | 10k+ | Request data is not unslashed | ||
| #4758 | WP Post Branches | 67 | 16 | 12 | 4k+ | Nonce verification recommended | ||
| #4759 | Book Previewer for Woocommerce | 68 | 23 | 40 | 1k+ | Non-prefixed global variable | ||
| #4760 | Booter – Bots & Crawlers Manager | 68 | 81 | 7k+ | Non-prefixed global variable | |||
| #4761 | Member Swipe for BuddyPress | 68 | 9 | 13 | 500 | Missing direct file access protection | ||
| #4762 | Category Featured Images | 68 | 5 | 12 | 600 | Input is not sanitized | ||
| #4763 | Clearout Email Validator – Real-Time Email Verification on WordPress Forms | 68 | 21 | 80 | 600 | Non-prefixed function | ||
| #4764 | Comment Approved | 68 | 6 | 14 | 500 | Input is not sanitized | ||
| #4765 | Controls for Contact Form 7 (Redirects, Analytics & Tracking) | 68 | 4 | 14 | 10k+ | Missing nonce verification | ||
| #4766 | ConvertBox Auto Embed WordPress plugin | 68 | 18 | 10 | 5k+ | Missing direct file access protection | ||
| #4767 | Default Attributes for WooCommerce | 68 | 22 | 18 | 400 | Non-prefixed hook name | ||
| #4768 | Desert Companion | 68 | 412 | 837 | 20k+ | Non-prefixed global variable | ||
| #4769 | Expire Sticky Posts | 68 | 16 | 8 | 1k+ | Text Domain Mismatch | ||
| #4770 | Faire for WooCommerce | 68 | 4 | 86 | 800 | Direct Query | ||
| #4771 | Fatal Error Notify | 68 | 10 | 12 | 6k+ | Request data is not unslashed | ||
| #4772 | Featured Video for WooCommerce | 68 | 40 | 13 | 700 | Text Domain Mismatch | ||
| #4773 | Free Assets Library – Openverse/Pixabay 600+ Million Images | 68 | 44 | 36 | 4k+ | Text Domain Mismatch | ||
| #4774 | WCAG 2.0 form fields for Gravity Forms | 68 | 11 | 13 | 5k+ | Output is not escaped | ||
| #4775 | Mailster Contact Form 7 | 68 | 35 | 20 | 1k+ | Text Domain Mismatch | ||
| #4776 | ミエルカヒートマップ タグマネージャー | 68 | 9 | 11 | 800 | Input is not validated | ||
| #4777 | My Social Feeds – Social Feeds Embedder Plugin for WP | 68 | 1 | 30 | 400 | Nonce verification recommended | ||
| #4778 | One Stop Shop for WooCommerce | 68 | 23 | 83 | 10k+ | Input is not sanitized | ||
| #4779 | PagBank for WooCommerce | 68 | 8 | 36 | 3k+ | Input is not sanitized | ||
| #4780 | POS Entegratör – Gurmehub Ödeme Eklentisi | 68 | 1,321 | 69 | 1k+ | Text Domain Mismatch | ||
| #4781 | Protection Against DDoS | 68 | 22 | 5 | 3k+ | Output is not escaped | ||
| #4782 | Shiptastic Integration for DHL | 68 | 54 | 36 | 10k+ | Missing Translators Comment | ||
| #4783 | Slim Maintenance Mode | 68 | 9 | 10 | 10k+ | Output is not escaped | ||
| #4784 | Sortable Word Count Reloaded | 68 | 18 | 6 | 2k+ | Output is not escaped | ||
| #4785 | Title Toggle for Storefront Theme | 68 | 16 | 9 | 3k+ | Output is not escaped | ||
| #4786 | Template List Metabox | 68 | 14 | 10 | 900 | Missing Arg Domain | ||
| #4787 | Increase Maximum Upload File Size | 68 | 28 | 14 | 40k+ | Missing Arg Domain | ||
| #4788 | Video Tab For WooCommerce | 68 | 7 | 13 | 600 | Missing nonce verification | ||
| #4789 | WP and Divi Icons | 68 | 201 | 56 | 2k+ | wp function not compatible with requires wp | ||
| #4790 | WP Theme Changelogs | 68 | 13 | 18 | 900 | Nonce verification recommended | ||
| #4791 | WP User Avatars | 68 | 5 | 20 | 20k+ | Input is not sanitized | ||
| #4792 | Age Gate | 69 | 61 | 139 | 40k+ | Missing direct file access protection | ||
| #4793 | Automatic Domain Changer | 69 | 37 | 14 | 10k+ | Text Domain Mismatch | ||
| #4794 | CallRail Phone Call Tracking | 69 | 11 | 12 | 10k+ | Input is not validated | ||
| #4795 | CDN Enabler | 69 | 14 | 7 | 10k+ | Output is not escaped | ||
| #4796 | Contact Form 7 | 69 | 56 | 39 | 10m+ | Missing direct file access protection | ||
| #4797 | Contact Form 7: Accessible Defaults | 69 | 3 | 28 | 5k+ | Nonce verification recommended | ||
| #4798 | CryptX | 69 | 11 | 30 | 10k+ | Missing nonce verification | ||
| #4799 | Custom Category Template | 69 | 13 | 8 | 2k+ | Missing Arg Domain | ||
| #4800 | Custom Login URL | 69 | 16 | 17 | 1k+ | Missing Arg Domain |