WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4801 | Debug | 69 | 25 | 34 | 2k+ | Input is not sanitized | ||
| #4802 | Disable Users | 69 | 11 | 9 | 2k+ | Text Domain Mismatch | ||
| #4803 | DOKU Payment | 69 | 53 | 46 | 500 | wp function not compatible with requires wp | ||
| #4804 | ELEX WooCommerce Bulk Edit Products, Prices & Attributes (Basic) | 69 | 511 | 51 | 4k+ | Text Domain Mismatch | ||
| #4805 | ELEX WooCommerce Discount Per Payment Method | 69 | 60 | 39 | 1k+ | Text Domain Mismatch | ||
| #4806 | Embed Iframe | 69 | 25 | 6 | 2k+ | wp function not compatible with requires wp | ||
| #4807 | GDPR Compliance for Mailchimp | 69 | 7 | 15 | 2k+ | Missing nonce verification | ||
| #4808 | Google Plus Authorship | 69 | 6 | 15 | 1k+ | trademarked term | ||
| #4809 | GZSEO | 69 | 3 | 66 | 400 | Direct Query | ||
| #4810 | 简数采集器 | 69 | 5 | 25 | 1k+ | Request data is not unslashed | ||
| #4811 | Mailster WordPress Newsletter Plugin | 69 | 14 | 11 | 8k+ | Output is not escaped | ||
| #4812 | Media Slider for Photos Images Videos | 69 | 10 | 23 | 2k+ | Missing Version | ||
| #4813 | PDF.js Viewer | 69 | 14 | 38 | 20k+ | Non-prefixed global variable | ||
| #4814 | Rename Taxonomies by WebMan | 69 | 32 | 7 | 1k+ | Missing Arg Domain | ||
| #4815 | Scroll Down Arrow | 69 | 30 | 30 | 800 | Missing Arg Domain | ||
| #4816 | Search & Filter | 69 | 21 | 28 | 50k+ | Input is not sanitized | ||
| #4817 | Simple Login Lockdown | 69 | 13 | 6 | 4k+ | Output is not escaped | ||
| #4818 | SlingBlocks – Gutenberg Blocks by FunnelKit (Formerly WooFunnels) | 69 | 17 | 952 | 7k+ | Non-prefixed global variable | ||
| #4819 | Sticky Header Effects for Elementor | 69 | 354 | 71 | 300k+ | Text Domain Mismatch | ||
| #4820 | Easy Username Updater | 69 | 19 | 28 | 10k+ | Missing Arg Domain | ||
| #4821 | VWE – Voorheen Autodealers.nl | 69 | 23 | 10 | 500 | curl curl setopt | ||
| #4822 | WC Variations Radio Buttons | 69 | 12 | 21 | 3k+ | Non-prefixed global variable | ||
| #4823 | WP Mapa Politico España | 69 | 32 | 12 | 400 | Output is not escaped | ||
| #4824 | WP referrer spam blacklist (fight 2040+ Referrer Spammers in (Google/Matomo) Analytics) | 69 | 9 | 24 | 700 | Non-prefixed constant | ||
| #4825 | Zapper Payments | 69 | 11 | 11 | 600 | Output is not escaped | ||
| #4826 | Add Widget After Content | 70 | 6 | 11 | 7k+ | Setting is missing a sanitization callback | ||
| #4827 | Checkfront Online Booking System | 70 | 32 | 16 | 2k+ | wp function not compatible with requires wp | ||
| #4828 | Comment Form CSRF Protection | 70 | 7 | 10 | 500 | Request data is not unslashed | ||
| #4829 | Comment Form Js Validation | 70 | 23 | 8 | 2k+ | Missing Arg Domain | ||
| #4830 | Lead info with country for Contact Form 7 | 70 | 25 | 28 | 3k+ | Text Domain Mismatch | ||
| #4831 | ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators | 70 | 9 | 12 | 800 | Output is not escaped | ||
| #4832 | Gutenberg Blocks Templates – 50+ Free Gutenberg Block Designs | 70 | 2 | 23 | 700 | Request data is not unslashed | ||
| #4833 | Easy Hotel – Powerful Hotel Booking | 70 | 4 | 1,900 | 800 | Non-prefixed global variable | ||
| #4834 | fitness calculators | 70 | 94 | 25 | 600 | Missing Arg Domain | ||
| #4835 | Free Gift Product For WooCommerce | 70 | 9 | 77 | 800 | Non-prefixed global variable | ||
| #4836 | Host Header Injection Fix | 70 | 9 | 8 | 400 | Output is not escaped | ||
| #4837 | Multipart robots.txt editor | 70 | 19 | 8 | 1k+ | Output is not escaped | ||
| #4838 | PipraPay Gateway | 70 | 11 | 6 | 400 | Output is not escaped | ||
| #4839 | Portfolio Post Type | 70 | 7 | 11 | 50k+ | Nonce verification recommended | ||
| #4840 | Press This | 70 | 1 | 44 | 5k+ | Non-prefixed hook name | ||
| #4841 | Remove Taxonomy Base Slug | 70 | 12 | 18 | 5k+ | Deprecated parameter: get_terms parameter 2 | ||
| #4842 | Search and Replace | 70 | 7 | 9 | 10k+ | Input is not sanitized | ||
| #4843 | Show-Hide / Collapse-Expand | 70 | 18 | 15 | 10k+ | Missing direct file access protection | ||
| #4844 | Show IP address | 70 | 6 | 20 | 1k+ | Input is not sanitized | ||
| #4845 | Simple Post Notes | 70 | 5 | 16 | 9k+ | Request data is not unslashed | ||
| #4846 | Spocket ‑ US & EU Dropshipping | 70 | 15 | 31 | 1k+ | Direct Query | ||
| #4847 | SQL Executioner | 70 | 18 | 17 | 2k+ | Non-prefixed global variable | ||
| #4848 | SubHeading | 70 | 22 | 13 | 1k+ | Non Singular String Literal Domain | ||
| #4849 | Support Me | 70 | 12 | 6 | 900 | Unsafe printing function | ||
| #4850 | Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. | 70 | 3 | 1,446 | 3k+ | Non-prefixed global variable |