WordPress.Security.ValidatedSanitizedInput.InputNotValidatedNotSanitized
Input is not validated or sanitized
Request data is used with neither cleanup (sanitization) nor an allowability check (validation).
Why It Shows Up
The scan found a request value moving into code without sanitization and without validation.
Why It Matters
This combines two common input-handling failures: the value may contain unsafe content, and the code has not proven that the value is acceptable for the operation.
How to Fix
- Call `wp_unslash()` on request input first.
- Sanitize for the expected type or format.
- Validate against allowed values, ranges, capabilities, and nonces before using the value.
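The three steps above, combined in one handler. This is an added example, not code from any plugin listed on this page. The `myplugin_*` names, the `mode` field and its allowed values are assumptions, and the code expects to run inside a WordPress plugin.

```php
<?php
/**
 * Added example: hypothetical admin-post handler that saves one setting.
 * Every "myplugin_*" name and the "mode" field are assumptions.
 */

// Flagged pattern: the raw request value goes straight into the operation.
// update_option( 'myplugin_mode', $_POST['mode'] );

function myplugin_save_mode() {
	// Capability check: may this user perform the operation at all?
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to change this setting.', 'myplugin' ), '', array( 'response' => 403 ) );
	}

	// Nonce check: did the request come from our own form? Dies on failure.
	check_admin_referer( 'myplugin_save_mode', 'myplugin_nonce' );

	// Confirm the key exists before reading the superglobal.
	if ( ! isset( $_POST['mode'] ) ) {
		wp_die( esc_html__( 'Missing mode.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// Step 1: unslash. Step 2: sanitize for the expected format (a lowercase key).
	$mode = sanitize_key( wp_unslash( $_POST['mode'] ) );

	// Step 3: validate against the closed set of values the code supports.
	$allowed = array( 'off', 'basic', 'strict' );
	if ( ! in_array( $mode, $allowed, true ) ) {
		wp_die( esc_html__( 'Invalid mode.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	// Only a sanitized, allow-listed value reaches the database.
	update_option( 'myplugin_mode', $mode );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save_mode', 'myplugin_save_mode' );
```

Sanitizing alone would still accept any well-formed key; the allow-list comparison is what proves the value is acceptable for this operation.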
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #101 | WP Accessibility Helper (WAH) | 38 | 61 | 88 | 10k+ | | missing direct file access protection |
| #102 | Permalink Manager for WooCommerce | 39 | 116 | 24 | 8k+ | | Echo Found |
| #103 | WP Accessibility | 39 | 199 | 104 | 60k+ | | Unsafe Printing Function |
| #104 | Free Cookie Notice & Consent Banner for Privacy Compliance (GDPR, CCPA, DSGVO and others) | 40 | 39 | 15 | 6k+ | | missing direct file access protection |
| #105 | Social Share Buttons & Analytics Plugin – GetSocial.io | 40 | 97 | 25 | 2k+ | | Output Not Escaped |
| #106 | Controlled Admin Access | 41 | 22 | 40 | 10k+ | | Recommended |
| #107 | OSS Aliyun | 41 | 19 | 40 | 3k+ | | Missing Unslash |
| #108 | Responsive Mortgage Calculator | 42 | 38 | 28 | 7k+ | | Output Not Escaped |
| #109 | WPTerm | 42 | 61 | 89 | 3k+ | | Output Not Escaped |
| #110 | Pluginception | 56 | 7 | 29 | 3k+ | | Missing Unslash |
| #111 | User Switching | 63 | 2 | 47 | 200k+ | | Recommended |
| #112 | Robots.txt Editor | 72 | 10 | 7 | 10k+ | | Input Not Validated Not Sanitized |
| #113 | WP Fail2Ban Redux | 82 | 1 | 10 | 7k+ | | trademarked term |
| #114 | LH Force Lowercase URLs | 90 | 4 | 3 | 2k+ | | Input Not Validated Not Sanitized |