WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5051OXY Re-Login Window7557500Missing Version
#5052PopupAlly7540102k+Missing direct file access protection
#5053Post Type Switcher75318200k+Direct Query
#5054Rapyd Payment Extension for WooCommerce755033400Text Domain Mismatch
#5055reCAPTCHA for bbPress751419800Non-prefixed function
#5056Registration Form for WooCommerce75542900Non-prefixed global variable
#5057Services Section Block – Showcase Service Details in Grid or Columns759192k+Non-prefixed namespace
#5058Matterport Shortcode7521303k+Text Domain Mismatch
#5059Simple SMTP by Maileroo75408700Text Domain Mismatch
#5060Styled Calendar – Customizable, Mobile Responsive Google Calendar Embeds75881k+Exception output is not escaped
#5061Temporary Login7532540k+Nonce verification recommended
#5062Custom Product Tabs Lite for WooCommerce753114k+Input is not validated
#5063Extra Product Sorting Options for WooCommerce75101610k+Text Domain Mismatch
#5064WP Hide Dashboard756102k+trademarked term
#5065WP-HTML-Compression757221k+Input is not sanitized
#5066YITH Slider for page builders7513221k+Nonce verification recommended
#5067Aruba Fatturazione Elettronica7634700Missing nonce verification
#5068PiWeb Cancel order / Refund request for WooCommerce7640492k+wp function not compatible with requires wp
#5069Change Mail Sender76971920k+Text Domain Mismatch
#5070Form to Chat App ⚡️764132k+Nonce verification recommended
#5071Input Masks for Contact Form 77614312800wp function not compatible with requires wp
#5072Payment Gateway for Authorize.net for WooCommerce76616700Input is not sanitized
#5073PDF Flipbook Heyzine763461k+Non-prefixed global variable
#5074Preload Images76861k+Output is not escaped
#5075Rearrange Products for WooCommerce7612220k+Input is not sanitized
#5076Search Regex76625100k+Direct Query
#5077Siteready Coming Soon Under Construction766303k+Non-prefixed global variable
#5078Smartideo76831k+Output is not escaped
#5079Store file uploads for Contact Form 776561k+Output is not escaped
#5080Category Order and Taxonomy Terms Order763510500k+wp function not compatible with requires wp
#5081Telephone Input For Contact Form 7761810600Text Domain Mismatch
#5082Contact Form 7 Text CAPTCHA7614341k+Non-prefixed global variable
#5083The Future Is Now763101k+Input is not sanitized
#5084WEN Featured Image761183k+Input is not validated
#5085Pelecard Gateway7629554400Text Domain Mismatch
#5086Hide Dashboard Notifications76101020k+Output is not escaped
#5087WP SAML Auth767257k+Nonce verification recommended
#5088ACF Galerie 47716232k+Text Domain Mismatch
#5089Always Edit In HTML77751k+Output is not escaped
#5090Before After Image Comparison – Visual Comparison for Two Images7718163k+Text Domain Mismatch
#5091Custom Profile Menu for BuddyPress7784400Output is not escaped
#5092Canonical SEO Content Syndication WordPress Plugin7748400Missing nonce verification
#5093Honeypot Plus for Contact Form 777317700Missing nonce verification
#5094Color Your Bar77510400Input is not sanitized
#5095CodeKit – Custom Codes Editor7711295k+Non-prefixed global variable
#5096Custom Fonts – Host Your Fonts Locally771420400k+Request data is not unslashed
#5097Custom HTML Block Extension778137k+Missing direct file access protection
#5098Disable WP Registration Page Spam775121k+Nonce verification recommended
#5099Ecomail777131k+Non-prefixed global variable
#5100ELEX Hide WooCommerce Shipping Methods7783541k+Text Domain Mismatch