WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

  • Unslash request data with `wp_unslash()` first.
  • Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
  • Use allowlists for actions, sort fields, file names, option names, and other constrained values.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#4901Direct Checkout for WooCommerce72773580k+Text Domain Mismatch
#4902Bestfreebie Elementor Icons732713400Text Domain Mismatch
#4903Block Plugin Update739106k+Missing direct file access protection
#4904BuddyPress Activity Shortcode739142k+Non-prefixed hook name
#4905Clone Woo Orders – Free by WP Masters73138900Output is not escaped
#4906Conditionally display featured image on singular posts and pages7317630k+Output is not escaped
#4907Connect Polylang for Elementor73121100k+Nonce verification recommended
#4908Contact Form to Brevo7367111k+Text Domain Mismatch
#4909Contact Form7: Autocomplete73278500Text Domain Mismatch
#4910Continue Shopping for WooCommerce739205k+Input is not sanitized
#4911Custom Datepicker NMR734121k+Missing Version
#4912Dash Notifier7312620k+Heredoc Output Not Escaped
#4913Email Test – Check if your emails are being delivered73871k+Exception output is not escaped
#4914Emergency password reset735614800wp function not compatible with requires wp
#4915EU Withdrawal Button for WooCommerce7327400Missing nonce verification
#4916EXMAGE – WordPress Image Links7314347k+Missing Arg Domain
#4917Export Media Library735530k+Output is not escaped
#4918Force Password Change73410400Missing nonce verification
#4919Freetobook Responsive Widget73514500Input is not sanitized
#4920Hide WP Toolbar734131k+trademarked term
#4921International Phone Number Format735120400Text Domain Mismatch
#4922Meta Description7359400Input is not validated
#4923Multifile Upload Field for Contact Form 7734175k+Text Domain Mismatch
#4924NETOPIA Payments Payment Gateway7333110k+Missing nonce verification
#4925Weight zone shipping for WooCommerce7325131k+Missing Translators Comment
#4926Osom Modal Login734012400Text Domain Mismatch
#4927Permalinks Moved Permanently7377700Database parameter is not escaped
#4928Plugin Groups7316121k+Non Singular String Literal Domain
#4929POKY – Product Importer73612700Input is not validated
#4930Product Bundles – Bulk Discounts73317600Text Domain Mismatch
#4931Restaurant Food Menu by WP Darko – Drag & Drop Restaurant Menu Builder for WordPress73168400Non-prefixed global variable
#4932Server-Side Cache AutoPurge73161710k+Text Domain Mismatch
#4933Timeline Express – No Icons Add-On73109700Output is not escaped
#4934Pedido Mínimo para WooCommerce738141k+Nonce verification recommended
#4935WEN Skill Charts7323600Request data is not unslashed
#4936Admin Columns for ACF Fields74789k+Output is not escaped
#4937BlogLentor – Blog Designer Pack for Elementor74743295k+Text Domain Mismatch
#4938Cálculo do frete somente com o CEP – WC Brasil7413241k+Non-prefixed function
#4939Signature Field For Contact Form 7 – CF7Sign74912700Missing Translators Comment
#4940Clean WP Admin Menu741913600Non Singular String Literal Domain
#4941Comment Approved Notifier Extended74510500Output is not escaped
#4942Disable cart page for WooCommerce74286k+Input is not sanitized
#4943Edit Author Slug7458100k+Output is not escaped
#4944EmailKit – Email Customizer for WooCommerce & WP74178270k+slow db query meta query
#4945Gravity Forms Multi Currency74612400Output is not escaped
#4946RD Station746520k+Non-prefixed global variable
#4947Keon Toolset7442830k+Non-prefixed function
#4948Multiple Admin Email Addresses74741k+Missing nonce verification
#4949Multiple Roles748185k+Non-prefixed global variable
#4950Image Gallery748114k+Nonce verification recommended