WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized

Input is not validated or sanitized

Request data is used with neither cleanup nor an allowability check.

critical weight

Why It Shows Up

The scan found a request value moving into code without sanitization and without validation.

Why It Matters

This combines two common input-handling failures: the value may contain unsafe content, and the code has not proven that the value is acceptable for the operation.

How to Fix

  • Call `wp_unslash()` on request input first.
  • Sanitize for the expected type or format.
  • Validate against allowed values, ranges, capabilities, and nonces before using the value.
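
The three steps applied to one form handler, as an added example (not code from any plugin listed on this page). The `myplugin_` names, the `layout` and `per_page` fields and the allowed values are hypothetical; the first function shows the pattern this rule reports, the second the corrected form.

```php
<?php
// Added example: hypothetical handler for a constructed settings form.
// The 'myplugin_' names, field names and allowed values are assumptions.

// Reported pattern: request values are used directly, with no unslashing,
// no sanitizing and no check that they are acceptable for the operation.
function myplugin_save_settings_flagged() {
	update_option( 'myplugin_layout', $_POST['layout'] );
	update_option( 'myplugin_per_page', $_POST['per_page'] );
}

// Corrected pattern: unslash, sanitize for the expected type, then validate.
function myplugin_save_settings() {
	// Capability and nonce are checked before any field is used.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	$nonce = isset( $_POST['_wpnonce'] )
		? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'myplugin_save_settings' ) ) {
		wp_die( esc_html__( 'Invalid request.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// Enumerated value: sanitize as a key, then check against an allow-list.
	$allowed_layouts = array( 'grid', 'list', 'masonry' );
	$layout          = isset( $_POST['layout'] )
		? sanitize_key( wp_unslash( $_POST['layout'] ) )
		: '';
	if ( ! in_array( $layout, $allowed_layouts, true ) ) {
		$layout = 'grid'; // Fall back to a known-good default.
	}

	// Integer value: cast with absint(), then clamp to the accepted range.
	$per_page = isset( $_POST['per_page'] )
		? absint( wp_unslash( $_POST['per_page'] ) )
		: 10;
	$per_page = min( 100, max( 1, $per_page ) );

	update_option( 'myplugin_layout', $layout );
	update_option( 'myplugin_per_page', $per_page );
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```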

Affected Plugins

| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | Podlove Podcast Publisher | 18 | 2,326 | 1,429 | 3k+ | | Output Not Escaped |
| #2 | WP Directory Kit | 18 | 2,119 | 2,617 | 2k+ | | Non Prefixed Variable Found |
| #3 | Download Monitor | 19 | 425 | 1,364 | 80k+ | | Non Prefixed Hookname Found |
| #4 | Realtyna Organic IDX plugin + WPL Real Estate | 19 | 947 | 3,653 | 2k+ | | Non Prefixed Variable Found |
| #5 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | | Missing Translators Comment |
| #6 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | | Missing Unslash |
| #7 | Captcha Them All | 21 | 300 | 323 | 6k+ | | Output Not Escaped |
| #8 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | | Output Not Escaped |
| #9 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | | Output Not Escaped |
| #10 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | | Output Not Escaped |
| #11 | If-So Dynamic Content – Elementor & All Page Builders Personalization | 21 | 889 | 725 | 7k+ | | Unsafe Printing Function |
| #12 | MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder | 21 | 1,133 | 3,011 | 2k+ | | Non Prefixed Variable Found |
| #13 | Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages | 21 | 1,173 | 2,983 | 9k+ | | Non Prefixed Variable Found |
| #14 | Better WordPress Minify | 22 | 412 | 484 | 8k+ | | Non Singular String Literal Domain |
| #15 | Code Profiler – WordPress Performance Profiling and Debugging Made Easy | 22 | 265 | 400 | 8k+ | | Non Prefixed Variable Found |
| #16 | Download Manager | 22 | 2,290 | 1,301 | 100k+ | | Output Not Escaped |
| #17 | Events Manager – Calendar, Bookings, Tickets, and more! | 22 | 4,722 | 5,621 | 70k+ | | Output Not Escaped |
| #18 | Motors – Car Dealership & Classified Listings Plugin | 22 | 5,340 | 5,958 | 9k+ | | Text Domain Mismatch |
| #19 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | | Non Prefixed Variable Found |
| #20 | NinjaScanner – Virus & Malware scan | 22 | 596 | 551 | 30k+ | | Non Prefixed Variable Found |
| #21 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | | Non Prefixed Variable Found |
| #22 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | 22 | 559 | 675 | 10k+ | | Non Prefixed Variable Found |
| #23 | WP Super Minify • Minify, Compress and Cache HTML, CSS & JavaScript | 22 | 164 | 257 | 9k+ | | Non Prefixed Constant Found |
| #24 | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | 22 | 5,996 | 2,790 | 5k+ | | Text Domain Mismatch |
| #25 | Admin and Site Enhancements (ASE) | 23 | 136 | 330 | 200k+ | | Recommended |
| #26 | Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | 23 | 1,053 | 967 | 700k+ | | Missing Translators Comment |
| #27 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | 23 | 3,723 | 10,283 | 40k+ | | Non Prefixed Namespace Found |
| #28 | The GDPR Framework By Data443 | 23 | 1,287 | 517 | 10k+ | | Echo Found |
| #29 | MasterStudy LMS WordPress Plugin – for Online Courses and Education | 23 | 1,419 | 4,875 | 10k+ | | Non Prefixed Variable Found |
| #30 | PowerPress Podcasting plugin by Blubrry | 23 | 4,807 | 2,394 | 20k+ | | Output Not Escaped |
| #31 | Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More | 23 | 135 | 659 | 100k+ | | Non Prefixed Variable Found |
| #32 | Schema | 23 | 1,173 | 245 | 40k+ | | Text Domain Mismatch |
| #33 | Simple URLs – Link Cloaking, Product Displays, and Affiliate Link Management | 23 | 295 | 298 | 4k+ | | Non Prefixed Variable Found |
| #34 | WP Compress – Instant Performance & Speed Optimization | 23 | 3,053 | 2,384 | 10k+ | | Non Singular String Literal Domain |
| #35 | A2 Optimized WP – Turbocharge and secure your WordPress site | 24 | 271 | 231 | 60k+ | | Missing Arg Domain |
| #36 | Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News | 24 | 699 | 1,693 | 30k+ | | Non Prefixed Variable Found |
| #37 | WOLF – WordPress Posts Bulk Editor and Manager Professional | 24 | 485 | 623 | 4k+ | | Output Not Escaped |
| #38 | Business Essentials for Contact Form 7 | 24 | 674 | 403 | 8k+ | | Text Domain Mismatch |
| #39 | CM Pop-Up – Create engaging popups to capture attention and boost interaction | 24 | 466 | 408 | 9k+ | | Output Not Escaped |
| #40 | Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals \| Critical CSS \| Minify CSS \| Defer CSS Javascript \| CDN | 24 | 3,410 | 866 | 70k+ | | Text Domain Mismatch |
| #41 | Event Booking Manager for WooCommerce | 24 | 956 | 1,964 | 7k+ | | Non Prefixed Variable Found |
| #42 | Database Manager – WP Adminer | 24 | 1,005 | 2,752 | 20k+ | | Non Prefixed Variable Found |
| #43 | PixelYourSite – Your smart PIXEL (TAG) & API Manager | 24 | 1,160 | 2,407 | 500k+ | | Non Prefixed Namespace Found |
| #44 | Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post Slider | 24 | 599 | 1,532 | 10k+ | | Non Prefixed Variable Found |
| #45 | Shortcodes Ultimate – Content Elements | 24 | 656 | 1,552 | 400k+ | | Non Prefixed Variable Found |
| #46 | ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization | 24 | 926 | 322 | 10k+ | | Output Not Escaped |
| #47 | Ultra Addons for Contact Form 7 | 24 | 1,538 | 460 | 60k+ | | Text Domain Mismatch |
| #48 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | 24 | 938 | 2,935 | 200k+ | | Non Prefixed Variable Found |
| #49 | Video Conferencing with Zoom | 24 | 1,105 | 440 | 10k+ | | Unsafe Printing Function |
| #50 | CSS & JavaScript Toolbox | 25 | 155 | 617 | 10k+ | | Non Prefixed Class Found |