WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5051 | OXY Re-Login Window | 75 | 5 | 7 | 500 | Missing Version | ||
| #5052 | PopupAlly | 75 | 40 | 10 | 2k+ | Missing direct file access protection | ||
| #5053 | Post Type Switcher | 75 | 3 | 18 | 200k+ | Direct Query | ||
| #5054 | Rapyd Payment Extension for WooCommerce | 75 | 50 | 33 | 400 | Text Domain Mismatch | ||
| #5055 | reCAPTCHA for bbPress | 75 | 14 | 19 | 800 | Non-prefixed function | ||
| #5056 | Registration Form for WooCommerce | 75 | 5 | 42 | 900 | Non-prefixed global variable | ||
| #5057 | Services Section Block – Showcase Service Details in Grid or Columns | 75 | 9 | 19 | 2k+ | Non-prefixed namespace | ||
| #5058 | Matterport Shortcode | 75 | 21 | 30 | 3k+ | Text Domain Mismatch | ||
| #5059 | Simple SMTP by Maileroo | 75 | 40 | 8 | 700 | Text Domain Mismatch | ||
| #5060 | Styled Calendar – Customizable, Mobile Responsive Google Calendar Embeds | 75 | 8 | 8 | 1k+ | Exception output is not escaped | ||
| #5061 | Temporary Login | 75 | 3 | 25 | 40k+ | Nonce verification recommended | ||
| #5062 | Custom Product Tabs Lite for WooCommerce | 75 | 3 | 11 | 4k+ | Input is not validated | ||
| #5063 | Extra Product Sorting Options for WooCommerce | 75 | 10 | 16 | 10k+ | Text Domain Mismatch | ||
| #5064 | WP Hide Dashboard | 75 | 6 | 10 | 2k+ | trademarked term | ||
| #5065 | WP-HTML-Compression | 75 | 7 | 22 | 1k+ | Input is not sanitized | ||
| #5066 | YITH Slider for page builders | 75 | 13 | 22 | 1k+ | Nonce verification recommended | ||
| #5067 | Aruba Fatturazione Elettronica | 76 | 34 | 700 | Missing nonce verification | |||
| #5068 | PiWeb Cancel order / Refund request for WooCommerce | 76 | 40 | 49 | 2k+ | wp function not compatible with requires wp | ||
| #5069 | Change Mail Sender | 76 | 97 | 19 | 20k+ | Text Domain Mismatch | ||
| #5070 | Form to Chat App ⚡️ | 76 | 4 | 13 | 2k+ | Nonce verification recommended | ||
| #5071 | Input Masks for Contact Form 7 | 76 | 143 | 12 | 800 | wp function not compatible with requires wp | ||
| #5072 | Payment Gateway for Authorize.net for WooCommerce | 76 | 6 | 16 | 700 | Input is not sanitized | ||
| #5073 | PDF Flipbook Heyzine | 76 | 3 | 46 | 1k+ | Non-prefixed global variable | ||
| #5074 | Preload Images | 76 | 8 | 6 | 1k+ | Output is not escaped | ||
| #5075 | Rearrange Products for WooCommerce | 76 | 1 | 22 | 20k+ | Input is not sanitized | ||
| #5076 | Search Regex | 76 | 6 | 25 | 100k+ | Direct Query | ||
| #5077 | Siteready Coming Soon Under Construction | 76 | 6 | 30 | 3k+ | Non-prefixed global variable | ||
| #5078 | Smartideo | 76 | 8 | 3 | 1k+ | Output is not escaped | ||
| #5079 | Store file uploads for Contact Form 7 | 76 | 5 | 6 | 1k+ | Output is not escaped | ||
| #5080 | Category Order and Taxonomy Terms Order | 76 | 35 | 10 | 500k+ | wp function not compatible with requires wp | ||
| #5081 | Telephone Input For Contact Form 7 | 76 | 18 | 10 | 600 | Text Domain Mismatch | ||
| #5082 | Contact Form 7 Text CAPTCHA | 76 | 14 | 34 | 1k+ | Non-prefixed global variable | ||
| #5083 | The Future Is Now | 76 | 3 | 10 | 1k+ | Input is not sanitized | ||
| #5084 | WEN Featured Image | 76 | 1 | 18 | 3k+ | Input is not validated | ||
| #5085 | Pelecard Gateway | 76 | 295 | 54 | 400 | Text Domain Mismatch | ||
| #5086 | Hide Dashboard Notifications | 76 | 10 | 10 | 20k+ | Output is not escaped | ||
| #5087 | WP SAML Auth | 76 | 7 | 25 | 7k+ | Nonce verification recommended | ||
| #5088 | ACF Galerie 4 | 77 | 16 | 23 | 2k+ | Text Domain Mismatch | ||
| #5089 | Always Edit In HTML | 77 | 7 | 5 | 1k+ | Output is not escaped | ||
| #5090 | Before After Image Comparison – Visual Comparison for Two Images | 77 | 18 | 16 | 3k+ | Text Domain Mismatch | ||
| #5091 | Custom Profile Menu for BuddyPress | 77 | 8 | 4 | 400 | Output is not escaped | ||
| #5092 | Canonical SEO Content Syndication WordPress Plugin | 77 | 4 | 8 | 400 | Missing nonce verification | ||
| #5093 | Honeypot Plus for Contact Form 7 | 77 | 3 | 17 | 700 | Missing nonce verification | ||
| #5094 | Color Your Bar | 77 | 5 | 10 | 400 | Input is not sanitized | ||
| #5095 | CodeKit – Custom Codes Editor | 77 | 11 | 29 | 5k+ | Non-prefixed global variable | ||
| #5096 | Custom Fonts – Host Your Fonts Locally | 77 | 14 | 20 | 400k+ | Request data is not unslashed | ||
| #5097 | Custom HTML Block Extension | 77 | 8 | 13 | 7k+ | Missing direct file access protection | ||
| #5098 | Disable WP Registration Page Spam | 77 | 5 | 12 | 1k+ | Nonce verification recommended | ||
| #5099 | Ecomail | 77 | 7 | 13 | 1k+ | Non-prefixed global variable | ||
| #5100 | ELEX Hide WooCommerce Shipping Methods | 77 | 83 | 54 | 1k+ | Text Domain Mismatch |