WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
Input is not sanitized
Request data is used without being cleaned for the expected type or format.
Why It Shows Up
The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.
Why It Matters
Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.
How to Fix
- Unslash request data with `wp_unslash()` first.
- Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
- Use allowlists for actions, sort fields, file names, option names, and other constrained values.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4901 | Direct Checkout for WooCommerce | 72 | 77 | 35 | 80k+ | Text Domain Mismatch | ||
| #4902 | Bestfreebie Elementor Icons | 73 | 27 | 13 | 400 | Text Domain Mismatch | ||
| #4903 | Block Plugin Update | 73 | 9 | 10 | 6k+ | Missing direct file access protection | ||
| #4904 | BuddyPress Activity Shortcode | 73 | 9 | 14 | 2k+ | Non-prefixed hook name | ||
| #4905 | Clone Woo Orders – Free by WP Masters | 73 | 13 | 8 | 900 | Output is not escaped | ||
| #4906 | Conditionally display featured image on singular posts and pages | 73 | 17 | 6 | 30k+ | Output is not escaped | ||
| #4907 | Connect Polylang for Elementor | 73 | 1 | 21 | 100k+ | Nonce verification recommended | ||
| #4908 | Contact Form to Brevo | 73 | 67 | 11 | 1k+ | Text Domain Mismatch | ||
| #4909 | Contact Form7: Autocomplete | 73 | 27 | 8 | 500 | Text Domain Mismatch | ||
| #4910 | Continue Shopping for WooCommerce | 73 | 9 | 20 | 5k+ | Input is not sanitized | ||
| #4911 | Custom Datepicker NMR | 73 | 4 | 12 | 1k+ | Missing Version | ||
| #4912 | Dash Notifier | 73 | 12 | 6 | 20k+ | Heredoc Output Not Escaped | ||
| #4913 | Email Test – Check if your emails are being delivered | 73 | 8 | 7 | 1k+ | Exception output is not escaped | ||
| #4914 | Emergency password reset | 73 | 56 | 14 | 800 | wp function not compatible with requires wp | ||
| #4915 | EU Withdrawal Button for WooCommerce | 73 | 27 | 400 | Missing nonce verification | |||
| #4916 | EXMAGE – WordPress Image Links | 73 | 14 | 34 | 7k+ | Missing Arg Domain | ||
| #4917 | Export Media Library | 73 | 5 | 5 | 30k+ | Output is not escaped | ||
| #4918 | Force Password Change | 73 | 4 | 10 | 400 | Missing nonce verification | ||
| #4919 | Freetobook Responsive Widget | 73 | 5 | 14 | 500 | Input is not sanitized | ||
| #4920 | Hide WP Toolbar | 73 | 4 | 13 | 1k+ | trademarked term | ||
| #4921 | International Phone Number Format | 73 | 51 | 20 | 400 | Text Domain Mismatch | ||
| #4922 | Meta Description | 73 | 5 | 9 | 400 | Input is not validated | ||
| #4923 | Multifile Upload Field for Contact Form 7 | 73 | 41 | 7 | 5k+ | Text Domain Mismatch | ||
| #4924 | NETOPIA Payments Payment Gateway | 73 | 3 | 31 | 10k+ | Missing nonce verification | ||
| #4925 | Weight zone shipping for WooCommerce | 73 | 25 | 13 | 1k+ | Missing Translators Comment | ||
| #4926 | Osom Modal Login | 73 | 40 | 12 | 400 | Text Domain Mismatch | ||
| #4927 | Permalinks Moved Permanently | 73 | 7 | 7 | 700 | Database parameter is not escaped | ||
| #4928 | Plugin Groups | 73 | 16 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #4929 | POKY – Product Importer | 73 | 6 | 12 | 700 | Input is not validated | ||
| #4930 | Product Bundles – Bulk Discounts | 73 | 31 | 7 | 600 | Text Domain Mismatch | ||
| #4931 | Restaurant Food Menu by WP Darko – Drag & Drop Restaurant Menu Builder for WordPress | 73 | 1 | 68 | 400 | Non-prefixed global variable | ||
| #4932 | Server-Side Cache AutoPurge | 73 | 16 | 17 | 10k+ | Text Domain Mismatch | ||
| #4933 | Timeline Express – No Icons Add-On | 73 | 10 | 9 | 700 | Output is not escaped | ||
| #4934 | Pedido Mínimo para WooCommerce | 73 | 8 | 14 | 1k+ | Nonce verification recommended | ||
| #4935 | WEN Skill Charts | 73 | 23 | 600 | Request data is not unslashed | |||
| #4936 | Admin Columns for ACF Fields | 74 | 7 | 8 | 9k+ | Output is not escaped | ||
| #4937 | BlogLentor – Blog Designer Pack for Elementor | 74 | 743 | 29 | 5k+ | Text Domain Mismatch | ||
| #4938 | Cálculo do frete somente com o CEP – WC Brasil | 74 | 13 | 24 | 1k+ | Non-prefixed function | ||
| #4939 | Signature Field For Contact Form 7 – CF7Sign | 74 | 9 | 12 | 700 | Missing Translators Comment | ||
| #4940 | Clean WP Admin Menu | 74 | 19 | 13 | 600 | Non Singular String Literal Domain | ||
| #4941 | Comment Approved Notifier Extended | 74 | 5 | 10 | 500 | Output is not escaped | ||
| #4942 | Disable cart page for WooCommerce | 74 | 2 | 8 | 6k+ | Input is not sanitized | ||
| #4943 | Edit Author Slug | 74 | 5 | 8 | 100k+ | Output is not escaped | ||
| #4944 | EmailKit – Email Customizer for WooCommerce & WP | 74 | 17 | 82 | 70k+ | slow db query meta query | ||
| #4945 | Gravity Forms Multi Currency | 74 | 6 | 12 | 400 | Output is not escaped | ||
| #4946 | RD Station | 74 | 65 | 20k+ | Non-prefixed global variable | |||
| #4947 | Keon Toolset | 74 | 4 | 28 | 30k+ | Non-prefixed function | ||
| #4948 | Multiple Admin Email Addresses | 74 | 7 | 4 | 1k+ | Missing nonce verification | ||
| #4949 | Multiple Roles | 74 | 8 | 18 | 5k+ | Non-prefixed global variable | ||
| #4950 | Image Gallery | 74 | 8 | 11 | 4k+ | Nonce verification recommended |