WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5001 | Timeline Express – No Icons Add-On | 73 | 10 | 9 | 700 | Output is not escaped | ||
| #5002 | TOCHAT.BE | 73 | 2 | 71 | 800 | Request data is not unslashed | ||
| #5003 | Under Construction Light | 73 | 13 | 8 | 1k+ | Text Domain Mismatch | ||
| #5004 | Pedido Mínimo para WooCommerce | 73 | 8 | 14 | 1k+ | Nonce verification recommended | ||
| #5005 | WEN Skill Charts | 73 | 23 | 600 | Request data is not unslashed | |||
| #5006 | WPWaterMark 轻水印插件 | 73 | 24 | 17 | 900 | Request data is not unslashed | ||
| #5007 | Zoho SalesIQ – Live chat, chatbots, and visitor tracking | 73 | 11 | 9 | 20k+ | Input is not validated | ||
| #5008 | Admin Columns for ACF Fields | 74 | 7 | 8 | 9k+ | Output is not escaped | ||
| #5009 | BlogLentor – Blog Designer Pack for Elementor | 74 | 743 | 29 | 5k+ | Text Domain Mismatch | ||
| #5010 | Cálculo do frete somente com o CEP – WC Brasil | 74 | 13 | 24 | 1k+ | Non-prefixed function | ||
| #5011 | Signature Field For Contact Form 7 – CF7Sign | 74 | 9 | 12 | 700 | Missing Translators Comment | ||
| #5012 | Clean WP Admin Menu | 74 | 19 | 13 | 600 | Non Singular String Literal Domain | ||
| #5013 | Comment Approved Notifier Extended | 74 | 5 | 10 | 500 | Output is not escaped | ||
| #5014 | Custom Icons for Elementor and WPBakery | 74 | 35 | 38 | 10k+ | Non-prefixed global variable | ||
| #5015 | Disable cart page for WooCommerce | 74 | 2 | 8 | 6k+ | Input is not sanitized | ||
| #5016 | Edit Author Slug | 74 | 5 | 8 | 100k+ | Output is not escaped | ||
| #5017 | ELEX WooCommerce USPS Shipping Method | 74 | 139 | 45 | 900 | Text Domain Mismatch | ||
| #5018 | Contact Form 7 Email Validation | 74 | 8 | 10 | 1k+ | Input is not validated | ||
| #5019 | Free Shipping Label and Progress Bar for WooCommerce | 74 | 60 | 5k+ | Non-prefixed hook name | |||
| #5020 | Gravity Forms Multi Currency | 74 | 6 | 12 | 400 | Output is not escaped | ||
| #5021 | Keon Toolset | 74 | 4 | 28 | 30k+ | Non-prefixed function | ||
| #5022 | Multiple Admin Email Addresses | 74 | 7 | 4 | 1k+ | Missing nonce verification | ||
| #5023 | Multiple Roles | 74 | 8 | 18 | 5k+ | Non-prefixed global variable | ||
| #5024 | Image Gallery | 74 | 8 | 11 | 4k+ | Nonce verification recommended | ||
| #5025 | Plugin Notes Plus | 74 | 2 | 42 | 9k+ | Non-prefixed hook name | ||
| #5026 | Resume Builder | 74 | 20 | 59 | 1k+ | Non-prefixed global variable | ||
| #5027 | Show Pages IDs | 74 | 8 | 8 | 10k+ | Output is not escaped | ||
| #5028 | Email Deliverability – SMTP Replacement, Email API Deliverability & Email Log | 74 | 8 | 23 | 200k+ | Output is not escaped | ||
| #5029 | Widgets in Menu for WordPress | 74 | 16 | 12 | 8k+ | Text Domain Mismatch | ||
| #5030 | WP API SwaggerUI | 74 | 14 | 20 | 2k+ | Missing direct file access protection | ||
| #5031 | Force Login | 74 | 5 | 8 | 30k+ | Output is not escaped | ||
| #5032 | WP-Sweep | 74 | 1 | 201 | 100k+ | Direct Query | ||
| #5033 | WP Term Colors | 74 | 3 | 13 | 700 | Nonce verification recommended | ||
| #5034 | Acumbamail | 75 | 7 | 36 | 1k+ | Non-prefixed global variable | ||
| #5035 | Admin Locale | 75 | 12 | 10 | 6k+ | Missing Arg Domain | ||
| #5036 | Bulk Comments Management | 75 | 6 | 25 | 700 | Direct Query | ||
| #5037 | Custom field finder | 75 | 9 | 3 | 2k+ | Output is not escaped | ||
| #5038 | Custom Adobe Fonts (Typekit) | 75 | 11 | 33 | 60k+ | Non-prefixed global variable | ||
| #5039 | Delay Redirects | 75 | 5 | 8 | 900 | Request data is not unslashed | ||
| #5040 | En Spam | 75 | 21 | 6 | 500 | wp function not compatible with requires wp | ||
| #5041 | Eventin Addons for Divi Builder | 75 | 6 | 17 | 800 | Nonce verification recommended | ||
| #5042 | Force First and Last Name as Display Name | 75 | 5 | 12 | 2k+ | Missing nonce verification | ||
| #5043 | Hide Categories and Products for Woocommerce | 75 | 1 | 20 | 10k+ | Input is not sanitized | ||
| #5044 | Honeypot Anti Spam for Forminator Forms | 75 | 4 | 7 | 1k+ | Missing nonce verification | ||
| #5045 | Invoice Gateway for WooCommerce – Invoice Payment Gateway | 75 | 3 | 30 | 2k+ | Nonce verification recommended | ||
| #5046 | List all URLs | 75 | 8 | 5 | 5k+ | Missing nonce verification | ||
| #5047 | Media Search Enhanced | 75 | 4 | 23 | 4k+ | Non-prefixed hook name | ||
| #5048 | Open Graph Protocol Framework | 75 | 17 | 12 | 3k+ | Missing direct file access protection | ||
| #5049 | Order Delivery Date And Time | 75 | 26 | 28 | 1k+ | Text Domain Mismatch | ||
| #5050 | OXY Re-Login Window | 75 | 5 | 7 | 500 | Missing Version |