Best Practice for Validating and Sanitizing Data

Inputs need to be validated/sanitized before making any execution flow decision based on them. Actually a +100 to the reviewer that caught it (or whoever wrote the automated tool) as I would have missed it.

Sanitization is something that needs context. Just because function A does a sanitization in the context of storing and displaying text input, doesn’t make it appropriate to be used in an execution flow context.

In your specific case a “hostile” can trigger any hook that starts with ‘mh_’ by sending a specially crafted value in the mh_action field. What you need to verify before triggering any action is that the value is one of those you expect to get from your form.

    // Only the values your own form can legitimately send; add the rest of them here.
    // The third argument (true) forces strict comparison so loose matching can't bypass the list.
    if ( isset( $_POST['mh_action'] ) && in_array( $_POST['mh_action'], array( 'string', 'int', 'array' ), true ) ) {
        do_action( 'mh_' . $_POST['mh_action'], $_POST );
    }

Not sure if it will be enough for the review team, but it will be a (more) secure code.
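The allowlist check from the answer above, written out as a small dispatcher so the validation step is separate from the hook call. This is an added example, not the answer's or the plugin's own code; the three action names, the `mh_` prefix and the function names `mh_validated_action` / `mh_dispatch` are assumptions, and a stub `do_action()` is defined only so the file runs outside WordPress.

```php
<?php
// Added example (not from the original answer). Assumes the form only ever
// sends the three action values below and that hooks are named 'mh_<action>'.

// Constructed allowlist: every value your form can legitimately submit.
const MH_ALLOWED_ACTIONS = array( 'string', 'int', 'array' );

// Stub so the example runs outside WordPress; inside WordPress the real
// do_action() is used and this block is skipped.
if ( ! function_exists( 'do_action' ) ) {
    function do_action( $hook, ...$args ) {
        echo "hook fired: {$hook}\n";
    }
}

/**
 * Return the submitted action only if it is one of the expected values,
 * otherwise null. The strict flag on in_array() prevents PHP's loose
 * comparison from matching values that merely "look like" an entry.
 */
function mh_validated_action( array $post ): ?string {
    if ( ! isset( $post['mh_action'] ) || ! is_string( $post['mh_action'] ) ) {
        return null;
    }
    return in_array( $post['mh_action'], MH_ALLOWED_ACTIONS, true )
        ? $post['mh_action']
        : null;
}

/**
 * Fire the matching hook for a validated action. Returns true when a hook
 * was fired, false when the request was dropped as unexpected.
 */
function mh_dispatch( array $post ): bool {
    $action = mh_validated_action( $post );
    if ( null === $action ) {
        return false; // unexpected value: do nothing (log it if you audit form abuse)
    }
    // Only now is it safe to build the hook name from user input.
    do_action( 'mh_' . $action, $post );
    return true;
}

// Demonstration with constructed input: the first call fires 'mh_int',
// the second is rejected because 'other' is not on the allowlist.
var_dump( mh_dispatch( array( 'mh_action' => 'int' ) ) );   // bool(true)
var_dump( mh_dispatch( array( 'mh_action' => 'other' ) ) ); // bool(false)
```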