WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Updated | Top Issue |
|---|---|---|---|---|---|---|---|
| #1 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | 2026-05-20 | Output Not Escaped |
| #2 | Plugin Check (PCP) | 0 | 128 | 132 | 10k+ | 2026-05-29 | Exception Not Escaped |
| #3 | JetBackup – Backup, Restore & Migrate | 10 | 1,559 | 145 | 100k+ | 2026-05-03 | Exception Not Escaped |
| #4 | Easy WP SMTP – WordPress SMTP and Email Logs: Gmail, Office 365, Outlook, Custom SMTP, and more | 15 | 32 | 163 | 500k+ | 2026-04-01 | Direct Query |
| #5 | Visual Composer Website Builder | 16 | 82 | 320 | 40k+ | 2025-08-06 | Non Prefixed Variable Found |
| #6 | JetFormBuilder — Dynamic Blocks Form Builder | 17 | 2,094 | 1,588 | 90k+ | 2026-06-17 | Text Domain Mismatch |
| #7 | wpForo Forum | 17 | 4,033 | 2,922 | 20k+ | 2026-05-31 | Unsafe Printing Function |
| #8 | WPtouch – Make your WordPress Website Mobile-Friendly | 17 | 1,466 | 325 | 50k+ | 2025-12-04 | Text Domain Mismatch |
| #9 | Prime Slider Addons for Elementor | 18 | 3,500 | 230 | 100k+ | 2026-06-15 | Text Domain Mismatch |
| #10 | WP Import Export Lite | 18 | 738 | 979 | 40k+ | 2025-08-04 | Non Prefixed Variable Found |
| #11 | Element Pack – Widgets, Templates & Addons for Elementor | 19 | 9,448 | 517 | 100k+ | 2026-06-16 | Text Domain Mismatch |
| #12 | Download Monitor | 19 | 425 | 1,364 | 80k+ | 2026-06-16 | Non Prefixed Hookname Found |
| #13 | Event Organiser | 19 | 1,106 | 544 | 20k+ | 2024-10-10 | Text Domain Mismatch |
| #14 | Advanced File Manager – Ultimate File Manager for WordPress And Document Library Solution | 19 | 1,218 | 901 | 100k+ | 2026-06-09 | Exception Not Escaped |
| #15 | Leaflet Maps Marker (Google Maps, OpenStreetMap, Bing Maps) | 19 | 3,275 | 3,228 | 10k+ | 2025-12-05 | Output Not Escaped |
| #16 | Matomo Analytics – Powerful, Privacy-First Insights for WordPress | 19 | 1,909 | 878 | 100k+ | 2026-06-16 | Exception Not Escaped |
| #17 | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | 19 | 1,295 | 2,679 | 9k+ | 2026-06-15 | Output Not Escaped |
| #18 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | 2026-06-17 | Missing Translators Comment |
| #19 | Membership Plugin – Kadence Memberships | 19 | 5,082 | 2,982 | 9k+ | 2026-05-26 | Text Domain Mismatch |
| #20 | SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments | 19 | 526 | 1,119 | 90k+ | 2026-06-16 | Non Prefixed Variable Found |
| #21 | BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot | 20 | 508 | 1,406 | 30k+ | 2026-06-18 | Non Prefixed Variable Found |
| #22 | Brizy – Page Builder | 20 | 589 | 720 | 70k+ | 2026-06-09 | Output Not Escaped |
| #23 | Filter Everything — WordPress & WooCommerce Filters | 20 | 568 | 730 | 50k+ | 2026-06-18 | Output Not Escaped |
| #24 | GiveWP – Donation Plugin and Fundraising Platform | 20 | 3,435 | 3,580 | 100k+ | 2026-06-15 | Output Not Escaped |
| #25 | Link Library | 20 | 1,941 | 1,397 | 10k+ | 2026-04-26 | Unsafe Printing Function |
| #26 | Brevo – Email, SMS, Web Push, Chat, and more. | 20 | 460 | 646 | 100k+ | 2026-04-10 | Missing Unslash |
| #27 | Microthemer Lite – Visual Editor to Customize CSS | 20 | 1,004 | 1,699 | 10k+ | 2026-04-15 | Non Prefixed Variable Found |
| #28 | Nimble Page Builder | 20 | 1,591 | 1,684 | 30k+ | 2025-03-24 | Missing Arg Domain |
| #29 | Robin Image Optimizer – Unlimited Image Optimization, WebP & AVIF | 20 | 557 | 541 | 100k+ | 2026-05-19 | Output Not Escaped |
| #30 | Razorpay for WooCommerce | 20 | 974 | 855 | 100k+ | 2026-06-19 | Non Prefixed Function Found |
| #31 | Store Locator WordPress | 21 | 2,372 | 1,572 | 10k+ | 2026-06-03 | Text Domain Mismatch |
| #32 | Backup Migration | 21 | 981 | 1,093 | 80k+ | 2026-06-05 | Non Prefixed Variable Found |
| #33 | bbPress | 21 | 929 | 3,672 | 100k+ | 2025-07-02 | Non Prefixed Function Found |
| #34 | CartFlows – Funnel Builder & Checkout Plugin for WooCommerce | 21 | 461 | 614 | 200k+ | 2026-06-02 | Text Domain Mismatch |
| #35 | Smart Grid-Layout Design for Contact Form 7 | 21 | 1,126 | 734 | 10k+ | 2026-05-08 | Output Not Escaped |
| #36 | Comet Cache | 21 | 857 | 245 | 20k+ | 2025-07-02 | Output Not Escaped |
| #37 | Cost Calculator Builder | 21 | 322 | 765 | 30k+ | 2026-06-19 | Non Prefixed Variable Found |
| #38 | Duplicator – Backups & Migration Plugin – Cloud Backups, Scheduled Backups, & More | 21 | 2,572 | 1,277 | 1m+ | 2026-05-22 | Output Not Escaped |
| #39 | Envo Extra | 21 | 878 | 600 | 20k+ | 2026-05-27 | Text Domain Mismatch |
| #40 | eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams | 21 | 186 | 437 | 9k+ | 2026-04-13 | Non Prefixed Variable Found |
| #41 | Feeds for YouTube (YouTube video, channel, and gallery plugin) | 21 | 558 | 978 | 100k+ | 2026-06-10 | Output Not Escaped |
| #42 | FileOrganizer – WordPress File Manager | 21 | 536 | 241 | 200k+ | 2026-06-10 | unlink unlink |
| #43 | Formidable Forms – WordPress Form Builder for Contact Forms, Calculators, Quizzes & More | 21 | 52 | 1,959 | 300k+ | 2026-06-16 | Non Prefixed Variable Found |
| #44 | Imagify: Optimize Images for Top Speed (Compress & Convert to WebP/AVIF) | 21 | 418 | 851 | 1m+ | 2026-06-01 | Non Prefixed Variable Found |
| #45 | LA-Studio Element Kit for Elementor | 21 | 8,390 | 1,964 | 10k+ | 2026-06-16 | Text Domain Mismatch |
| #46 | Modular DS: Monitor, update, and backup multiple websites | 21 | 161 | 81 | 40k+ | 2026-05-22 | Exception Not Escaped |
| #47 | MotoPress Hotel Booking | 21 | 3,061 | 1,037 | 10k+ | 2026-06-15 | Text Domain Mismatch |
| #48 | Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred | 21 | 1,469 | 3,333 | 10k+ | 2026-06-18 | Non Prefixed Variable Found |
| #49 | Packeta | 21 | 802 | 333 | 8k+ | 2025-11-07 | Exception Not Escaped |
| #50 | Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages | 21 | 1,173 | 2,983 | 9k+ | 2026-06-02 | Non Prefixed Variable Found |
