WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Input is not sanitized

Request data is used without being cleaned for the expected type or format.

critical weight

Why It Shows Up

The scan found superglobal input flowing into code without a sanitizer such as `sanitize_text_field()`, `absint()`, `sanitize_key()`, `esc_url_raw()`, or a custom allowlist.

Why It Matters

Unsanitized input can pollute stored settings, alter logic, break queries, or become part of a later security issue.

How to Fix

Unslash request data with `wp_unslash()` first.
Choose the sanitizer for the expected value, such as `absint()` for IDs or `sanitize_key()` for keys.
Use allowlists for actions, sort fields, file names, option names, and other constrained values.

References

WordPress validating, sanitizing, and escaping

Affected Plugins

Rank	Plugin	Score	Errors	Warnings	Installs	Updated	Top Issue
#1	BulletProof Security	0	5,048	4,949	20k+	1 month ago	Output is not escaped
#2	Intercom	0	60	71	6k+	1 year ago	Non-prefixed function
#3	Plugin Check (PCP)	0	128	132	10k+	24 days ago	Exception output is not escaped
#4	Themify Builder	9	5,195	2,096	5k+	6 days ago	Text Domain Mismatch
#5	JetBackup – Backup, Restore & Migrate	10	1,559	145	100k+	2 months ago	Exception output is not escaped
#6	Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more	15	32	163	500k+	3 months ago	Direct Query
#7	Visual Composer Website Builder	16	82	320	40k+	11 months ago	Non-prefixed global variable
#8	AnyComment	17	445	449	5k+	4 years ago	Output is not escaped
#9	JetFormBuilder — Dynamic Blocks Form Builder	17	2,094	1,588	90k+	today	Text Domain Mismatch
#10	wpForo Forum	17	4,033	2,922	20k+	22 days ago	Unsafe printing function
#11	WPtouch – Make your WordPress Website Mobile-Friendly	17	1,466	325	50k+	7 months ago	Text Domain Mismatch
#12	Prime Slider Addons for Elementor	18	3,500	230	100k+	7 days ago	Text Domain Mismatch
#13	Podlove Podcast Publisher	18	2,326	1,429	3k+	18 days ago	Output is not escaped
#14	Property Hive	18	1,957	6,027	3k+	4 days ago	Missing nonce verification
#15	Shopping Cart & eCommerce Store	18	5,459	17,298	4k+	10 days ago	Non-prefixed global variable
#16	WP Import Export Lite	18	738	979	40k+	11 months ago	Non-prefixed global variable
#17	WP Directory Kit	18	2,119	2,617	2k+	2 months ago	Non-prefixed global variable
#18	Element Pack – Widgets, Templates & Addons for Elementor	19	9,448	517	100k+	6 days ago	Text Domain Mismatch
#19	Download Monitor	19	425	1,364	80k+	6 days ago	Non-prefixed hook name
#20	Event Organiser	19	1,106	544	20k+	2 years ago	Text Domain Mismatch
#21	Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution	19	1,218	901	100k+	13 days ago	Exception output is not escaped
#22	Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps)	19	3,275	3,228	10k+	7 months ago	Output is not escaped
#23	Matomo Analytics – Powerful, Privacy-First Insights for WordPress	19	1,909	878	100k+	6 days ago	Exception output is not escaped
#24	Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization	19	1,295	2,679	9k+	7 days ago	Output is not escaped
#25	Razorpay Payment Button Plugin	19	486	98	2k+	1 year ago	Exception output is not escaped
#26	Realtyna Organic IDX plugin + WPL Real Estate	19	947	3,653	2k+	1 month ago	Non-prefixed global variable
#27	Really Simple Security – Simple and Performant Security (formerly Really Simple SSL)	19	541	385	3m+	5 days ago	Missing Translators Comment
#28	Membership Plugin – Kadence Memberships	19	5,082	2,982	9k+	27 days ago	Text Domain Mismatch
#29	Scrollsequence – Cinematic Scroll Image Animation Plugin	19	878	1,528	4k+	15 days ago	Non-prefixed global variable
#30	SendPress Newsletters	19	2,293	1,422	2k+	5 months ago	Output is not escaped
#31	SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments	19	526	1,119	90k+	6 days ago	Non-prefixed global variable
#32	WP Email Template	19	342	350	2k+	2 months ago	Exception output is not escaped
#33	BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot	20	508	1,406	30k+	4 days ago	Non-prefixed global variable
#34	Brizy – Page Builder	20	589	720	70k+	13 days ago	Output is not escaped
#35	DMCA Protection Badge	20	4,425	217	1k+	10 months ago	Output is not escaped
#36	Filter Everything — WordPress & WooCommerce Filters	20	568	730	50k+	today	Output is not escaped
#37	GiveWP – Donation Plugin and Fundraising Platform	20	3,435	3,580	100k+	today	Output is not escaped
#38	Link Library	20	1,941	1,397	10k+	2 months ago	Unsafe printing function
#39	MBE eShip	20	527	740	1k+	5 days ago	Non-prefixed global variable
#40	Brevo – Email, SMS, Web Push, Chat, and more.	20	460	646	100k+	2 months ago	Request data is not unslashed
#41	MAS Videos	20	519	1,693	1k+	4 months ago	Non-prefixed global variable
#42	Microthemer Lite – Visual Editor to Customize CSS	20	1,004	1,699	10k+	2 months ago	Non-prefixed global variable
#43	Nimble Page Builder	20	1,591	1,684	30k+	1 year ago	Missing Arg Domain
#44	Pix por Piggly (para Woocommerce)	20	547	195	4k+	2 years ago	Exception output is not escaped
#45	Powered Cache – Caching and Optimization for WordPress – Easily Improve PageSpeed & Web Vitals Score	20	147	231	3k+	2 months ago	Exception output is not escaped
#46	Quill Forms \| Conversational Multi Step Forms, Surveys & quizzes	20	401	368	3k+	4 months ago	Text Domain Mismatch
#47	Remove Add to Cart WooCommerce	20	616	1,378	4k+	8 months ago	Non-prefixed global variable
#48	Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF	20	557	541	100k+	1 month ago	Output is not escaped
#49	SpeakOut! Email Petitions	20	850	994	3k+	4 months ago	Missing nonce verification
#50	Trace My IP – Visitor IP Tracker, Stats Analytics & Page Views Counter with Email Alerts	20	866	338	1k+	5 months ago	wp function not compatible with requires wp