WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4851 | Support Me | 70 | 12 | 6 | 900 | Unsafe printing function | ||
| #4852 | Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups. | 70 | 3 | 1,446 | 3k+ | Non-prefixed global variable | ||
| #4853 | User Location and IP | 70 | 2 | 25 | 400 | Input is not sanitized | ||
| #4854 | Block Emails & Addresses for WooCommerce Checkout | 70 | 4 | 12 | 700 | error log set error handler | ||
| #4855 | Bulk Price Update for Woocommerce | 70 | 2 | 28 | 2k+ | Request data is not unslashed | ||
| #4856 | Cart All In One For WooCommerce | 70 | 6 | 150 | 5k+ | Non-prefixed global variable | ||
| #4857 | Related Products for WooCommerce | 70 | 12 | 12 | 3k+ | Setting is missing a sanitization callback | ||
| #4858 | Quick Buy For Woocommerce | 70 | 105 | 22 | 1k+ | Text Domain Mismatch | ||
| #4859 | Post Template | 70 | 12 | 11 | 400 | Missing nonce verification | ||
| #4860 | Yampi Checkout | 70 | 6 | 10 | 900 | Nonce verification recommended | ||
| #4861 | aapanel WP Toolkit | 71 | 20 | 18 | 2k+ | wp function not compatible with requires wp | ||
| #4862 | Web Accessibility with Max Access | 71 | 22 | 11 | 800 | curl curl setopt | ||
| #4863 | Add Any Extension to Pages | 71 | 3 | 10 | 2k+ | Input is not sanitized | ||
| #4864 | Anant Addons for Elementor – Widgets, Templates & WooCommerce Builder | 71 | 21 | 207 | 700 | Non-prefixed global variable | ||
| #4865 | Contact Form 7 Confirm Email Field | 71 | 35 | 11 | 2k+ | Text Domain Mismatch | ||
| #4866 | Cresta Social Messenger | 71 | 9 | 10 | 1k+ | Non-prefixed function | ||
| #4867 | Event SEO: Event Schema / Structured Data: Google Rich Snippet Schema for Event | 71 | 24 | 49 | 700 | Non-prefixed global variable | ||
| #4868 | GPX Viewer | 71 | 10 | 26 | 900 | Missing Version | ||
| #4869 | Link Checker Pro | 71 | 6 | 25 | 4k+ | Non-prefixed function | ||
| #4870 | Privyr CRM – Instant Lead Alerts for Contact Forms | 71 | 2 | 25 | 4k+ | Non-prefixed function | ||
| #4871 | Tax Switch for WooCommerce | 71 | 3 | 20 | 900 | Non-prefixed hook name | ||
| #4872 | WindPress – Tailwind CSS integration for WordPress | 71 | 16 | 106 | 3k+ | Non-prefixed hook name | ||
| #4873 | WooCommerce Shipping | 71 | 48 | 70k+ | Direct Query | |||
| #4874 | Woorise – Landing Pages, Forms & Surveys | 71 | 8 | 14 | 1k+ | Input is not sanitized | ||
| #4875 | WP 4 Me Title Remover | 71 | 17 | 13 | 1k+ | Missing direct file access protection | ||
| #4876 | Multi-Step Checkout for WooCommerce | 71 | 38 | 104 | 8k+ | Non-prefixed global variable | ||
| #4877 | WP No Base Permalink | 71 | 8 | 10 | 10k+ | Unsafe printing function | ||
| #4878 | WP Widget in Navigation | 71 | 37 | 15 | 3k+ | Non Singular String Literal Domain | ||
| #4879 | Zapier for WordPress | 71 | 11 | 21 | 50k+ | Input is not sanitized | ||
| #4880 | Web Accessibility by accessiBe | 72 | 1 | 25 | 10k+ | Input is not sanitized | ||
| #4881 | Archiiv | 72 | 6 | 30 | 400 | Non-prefixed global variable | ||
| #4882 | BB Delete cache | 72 | 3 | 15 | 1k+ | Input is not sanitized | ||
| #4883 | Chap Secure Password Login | 72 | 13 | 7 | 600 | Input is not validated | ||
| #4884 | Contact Form 7 Leads Tracking | 72 | 3 | 23 | 600 | Input is not sanitized | ||
| #4885 | Disclaimify – Affiliate Disclosure / Disclaimer for WordPress | 72 | 2 | 19 | 1k+ | Missing nonce verification | ||
| #4886 | PowerBI Embed Reports | 72 | 3 | 20 | 500 | Nonce verification recommended | ||
| #4887 | EU Order Withdrawal Button for WooCommerce | 72 | 52 | 406 | 4k+ | Non-prefixed hook name | ||
| #4888 | Getsitecontrol — Email Marketing Plugin | Popup Maker, Automations & Newsletters | 72 | 17 | 11 | 1k+ | wp function not compatible with requires wp | ||
| #4889 | Gift Wrapping for WooCommerce | 72 | 2 | 16 | 1k+ | Missing nonce verification | ||
| #4890 | Login Logout Menu | 72 | 7 | 20 | 20k+ | Input is not sanitized | ||
| #4891 | Media File Sizes | 72 | 14 | 5 | 1k+ | Output is not escaped | ||
| #4892 | Minimal Maintenance Mode | 72 | 1 | 20 | 600 | Missing nonce verification | ||
| #4893 | Post Types Unlimited | 72 | 45 | 7 | 10k+ | Missing Translators Comment | ||
| #4894 | Root Relative URLs | 72 | 9 | 10 | 6k+ | Input is not sanitized | ||
| #4895 | Shipping Rate By Cities | 72 | 4 | 21 | 700 | Direct Query | ||
| #4896 | Simple Local Avatars | 72 | 14 | 16 | 100k+ | Non-prefixed constant | ||
| #4897 | Webyx for Gutenberg – Fullpage Fullscreen Scrolling Websites | 72 | 14 | 11 | 700 | Output is not escaped | ||
| #4898 | Customizer for WooCommerce | 72 | 10 | 13 | 800 | Nonce verification recommended | ||
| #4899 | Direct Checkout for WooCommerce | 72 | 77 | 35 | 80k+ | Text Domain Mismatch | ||
| #4900 | Bestfreebie Elementor Icons | 73 | 27 | 13 | 400 | Text Domain Mismatch |