WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4851Support Me70126900Unsafe printing function
#4852Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups.7031,4463k+Non-prefixed global variable
#4853User Location and IP70225400Input is not sanitized
#4854Block Emails & Addresses for WooCommerce Checkout70412700error log set error handler
#4855Bulk Price Update for Woocommerce702282k+Request data is not unslashed
#4856Cart All In One For WooCommerce7061505k+Non-prefixed global variable
#4857Related Products for WooCommerce7012123k+Setting is missing a sanitization callback
#4858Quick Buy For Woocommerce70105221k+Text Domain Mismatch
#4859Post Template701211400Missing nonce verification
#4860Yampi Checkout70610900Nonce verification recommended
#4861aapanel WP Toolkit7120182k+wp function not compatible with requires wp
#4862Web Accessibility with Max Access712211800curl curl setopt
#4863Add Any Extension to Pages713102k+Input is not sanitized
#4864Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder7121207700Non-prefixed global variable
#4865Contact Form 7 Confirm Email Field7135112k+Text Domain Mismatch
#4866Cresta Social Messenger719101k+Non-prefixed function
#4867Event SEO: Event Schema / Structured Data: Google Rich Snippet Schema for Event712449700Non-prefixed global variable
#4868GPX Viewer711026900Missing Version
#4869Link Checker Pro716254k+Non-prefixed function
#4870Privyr CRM – Instant Lead Alerts for Contact Forms712254k+Non-prefixed function
#4871Tax Switch for WooCommerce71320900Non-prefixed hook name
#4872WindPress – Tailwind CSS integration for WordPress71161063k+Non-prefixed hook name
#4873WooCommerce Shipping714870k+Direct Query
#4874Woorise – Landing Pages, Forms & Surveys718141k+Input is not sanitized
#4875WP 4 Me Title Remover7117131k+Missing direct file access protection
#4876Multi-Step Checkout for WooCommerce71381048k+Non-prefixed global variable
#4877WP No Base Permalink7181010k+Unsafe printing function
#4878WP Widget in Navigation7137153k+Non Singular String Literal Domain
#4879Zapier for WordPress71112150k+Input is not sanitized
#4880Web Accessibility by accessiBe7212510k+Input is not sanitized
#4881Archiiv72630400Non-prefixed global variable
#4882BB Delete cache723151k+Input is not sanitized
#4883Chap Secure Password Login72137600Input is not validated
#4884Contact Form 7 Leads Tracking72323600Input is not sanitized
#4885Disclaimify – Affiliate Disclosure / Disclaimer for WordPress722191k+Missing nonce verification
#4886PowerBI Embed Reports72320500Nonce verification recommended
#4887EU Order Withdrawal Button for WooCommerce72524064k+Non-prefixed hook name
#4888Getsitecontrol — Email Marketing Plugin | Popup Maker, Automations & Newsletters7217111k+wp function not compatible with requires wp
#4889Gift Wrapping for WooCommerce722161k+Missing nonce verification
#4890Login Logout Menu7272020k+Input is not sanitized
#4891Media File Sizes721451k+Output is not escaped
#4892Minimal Maintenance Mode72120600Missing nonce verification
#4893Post Types Unlimited7245710k+Missing Translators Comment
#4894Root Relative URLs729106k+Input is not sanitized
#4895Shipping Rate By Cities72421700Direct Query
#4896Simple Local Avatars721416100k+Non-prefixed constant
#4897Webyx for Gutenberg – Fullpage Fullscreen Scrolling Websites721411700Output is not escaped
#4898Customizer for WooCommerce721013800Nonce verification recommended
#4899Direct Checkout for WooCommerce72773580k+Text Domain Mismatch
#4900Bestfreebie Elementor Icons732713400Text Domain Mismatch