WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #4951 | Web Accessibility by accessiBe | 72 | 1 | 25 | 10k+ | Input is not sanitized | ||
| #4952 | Archiiv | 72 | 6 | 30 | 400 | Non-prefixed global variable | ||
| #4953 | BB Delete cache | 72 | 3 | 15 | 1k+ | Input is not sanitized | ||
| #4954 | Block Archive.org via WordPress robots.txt | 72 | 9 | 8 | 400 | Output is not escaped | ||
| #4955 | Contact Form 7 Leads Tracking | 72 | 3 | 23 | 600 | Input is not sanitized | ||
| #4956 | Disclaimify – Affiliate Disclosure / Disclaimer for WordPress | 72 | 2 | 19 | 1k+ | Missing nonce verification | ||
| #4957 | Gift Wrapping for WooCommerce | 72 | 2 | 16 | 1k+ | Missing nonce verification | ||
| #4958 | Keyword Research Tool | 72 | 9 | 11 | 700 | Input is not validated | ||
| #4959 | Login Logout Menu | 72 | 7 | 20 | 20k+ | Input is not sanitized | ||
| #4960 | Media File Sizes | 72 | 14 | 5 | 1k+ | Output is not escaped | ||
| #4961 | Media Library Organizer – Folders, File Manager & Media Categories | 72 | 20 | 130 | 20k+ | Non-prefixed global variable | ||
| #4962 | Minimal Maintenance Mode | 72 | 1 | 20 | 600 | Missing nonce verification | ||
| #4963 | Post Types Unlimited | 72 | 45 | 7 | 10k+ | Missing Translators Comment | ||
| #4964 | Responsive Blocks – Page Builder for Blocks & Patterns | 72 | 47 | 43 | 3k+ | badly named files | ||
| #4965 | Advanced Datepicker – Restricts Date for Contact Form 7 | 72 | 228 | 11 | 400 | wp function not compatible with requires wp | ||
| #4966 | Root Relative URLs | 72 | 9 | 10 | 6k+ | Input is not sanitized | ||
| #4967 | Place Order Without Payment for WooCommerce | 72 | 244 | 62 | 3k+ | Text Domain Mismatch | ||
| #4968 | Product Subtitle For WooCommerce | 72 | 6 | 36 | 3k+ | Non-prefixed namespace | ||
| #4969 | Webyx for Gutenberg – Fullpage Fullscreen Scrolling Websites | 72 | 14 | 11 | 700 | Output is not escaped | ||
| #4970 | Bestfreebie Elementor Icons | 73 | 27 | 13 | 400 | Text Domain Mismatch | ||
| #4971 | Block Plugin Update | 73 | 9 | 10 | 6k+ | Missing direct file access protection | ||
| #4972 | BuddyPress Activity Shortcode | 73 | 9 | 14 | 2k+ | Non-prefixed hook name | ||
| #4973 | Clone Woo Orders – Free by WP Masters | 73 | 13 | 8 | 900 | Output is not escaped | ||
| #4974 | Conditionally display featured image on singular posts and pages | 73 | 17 | 6 | 30k+ | Output is not escaped | ||
| #4975 | Connect Polylang for Elementor | 73 | 1 | 21 | 100k+ | Nonce verification recommended | ||
| #4976 | Contact Form to Brevo | 73 | 67 | 11 | 1k+ | Text Domain Mismatch | ||
| #4977 | Contact Form7: Autocomplete | 73 | 27 | 8 | 500 | Text Domain Mismatch | ||
| #4978 | Continue Shopping for WooCommerce | 73 | 9 | 20 | 5k+ | Input is not sanitized | ||
| #4979 | Custom Datepicker NMR | 73 | 4 | 12 | 1k+ | Missing Version | ||
| #4980 | Dash Notifier | 73 | 12 | 6 | 20k+ | Heredoc Output Not Escaped | ||
| #4981 | Email Test – Check if your emails are being delivered | 73 | 8 | 7 | 1k+ | Exception output is not escaped | ||
| #4982 | Emergency password reset | 73 | 56 | 14 | 800 | wp function not compatible with requires wp | ||
| #4983 | EU Withdrawal Button for WooCommerce | 73 | 27 | 400 | Missing nonce verification | |||
| #4984 | EXMAGE – WordPress Image Links | 73 | 14 | 34 | 7k+ | Missing Arg Domain | ||
| #4985 | Export Media Library | 73 | 5 | 5 | 30k+ | Output is not escaped | ||
| #4986 | Force Password Change | 73 | 4 | 10 | 400 | Missing nonce verification | ||
| #4987 | Freetobook Responsive Widget | 73 | 5 | 14 | 500 | Input is not sanitized | ||
| #4988 | Hide WP Toolbar | 73 | 4 | 13 | 1k+ | trademarked term | ||
| #4989 | International Phone Number Format | 73 | 51 | 20 | 400 | Text Domain Mismatch | ||
| #4990 | Meta Description | 73 | 5 | 9 | 400 | Input is not validated | ||
| #4991 | NETOPIA Payments Payment Gateway | 73 | 3 | 31 | 10k+ | Missing nonce verification | ||
| #4992 | Weight zone shipping for WooCommerce | 73 | 25 | 13 | 1k+ | Missing Translators Comment | ||
| #4993 | Osom Modal Login | 73 | 40 | 12 | 400 | Text Domain Mismatch | ||
| #4994 | Permalinks Moved Permanently | 73 | 7 | 7 | 700 | Database parameter is not escaped | ||
| #4995 | Plugin Groups | 73 | 16 | 12 | 1k+ | Non Singular String Literal Domain | ||
| #4996 | POKY – Product Importer | 73 | 6 | 12 | 700 | Input is not validated | ||
| #4997 | Product Bundles – Bulk Discounts | 73 | 31 | 7 | 600 | Text Domain Mismatch | ||
| #4998 | Restaurant Food Menu by WP Darko – Drag & Drop Restaurant Menu Builder for WordPress | 73 | 1 | 68 | 400 | Non-prefixed global variable | ||
| #4999 | Server-Side Cache AutoPurge | 73 | 16 | 17 | 10k+ | Text Domain Mismatch | ||
| #5000 | Timeline Express – No Icons Add-On | 73 | 10 | 9 | 700 | Output is not escaped |