WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#5251Simple ads.txt82861k+Missing direct file access protection
#5252Simple Page Ordering82119100k+Missing Arg Domain
#5253Image Slider Block8213143k+wp function not compatible with requires wp
#5254Sucuri Security – Auditing, Malware Scanner and Security Hardening825111600k+Missing direct file access protection
#5255Tabs in Post Editor8247500Input is not validated
#5256Tasty Recipes Lite827662k+Non-prefixed global variable
#5257Testimonial Block821312500wp function not compatible with requires wp
#5258Unyson WooComerce Shortcodes82117111k+Text Domain Mismatch
#5259Extra Price Fields for Woocommerce- Display extra price info on Woocommerce products826102k+Missing nonce verification
#5260WP Fail2Ban Redux821107k+trademarked term
#5261WP Mail From II82375k+trademarked term
#5262Xpro Theme Builder For Elementor – FREE82142810k+Missing direct file access protection
#5263Add To Cart Button Customizations836614400Text Domain Mismatch
#5264Admin in English83471k+Input is not sanitized
#5265Browser Theme Color83422k+Output is not escaped
#5266Check Conflicts8336121k+Missing Arg Domain
#5267Event Organiser Posterboard833111k+Nonce verification recommended
#5268AI Builder8335400Output is not escaped
#5269FormFacade – Embed Google Forms in your website838171k+Nonce verification recommended
#5270GET Params83381k+Nonce verification recommended
#5271JSM Force HTTP to HTTPS / SSL – No Setup, Fast and Reliable83117k+Request data is not unslashed
#5272Max upload filesize83389k+Input is not validated
#5273Media Player Addons for Elementor – Audio and Video Widgets for Elementor83181k+Nonce verification recommended
#5274Menu Duplicator832910k+Non-prefixed constant
#5275Easy Photography Portfolio8338332k+Missing direct file access protection
#5276PlugVersions – Easily roll back to previous versions of your plugins.83961k+Request data is not unslashed
#5277Preserve Editor Scroll Position83264k+Missing nonce verification
#5278Relevanssi Light83323600Direct Query
#5279RumbleTalk Live Group Chat – HTML583913700Missing direct file access protection
#5280Lightweight Sidebar Manager83133680k+Non-prefixed class
#5281Soro – SEO Autopilot & AI Content Writer8341010k+Input is not sanitized
#5282TCD Classic Editor831115k+Nonce verification recommended
#5283Team Section Block – Showcase Team Members with Layout Options831211k+Non-prefixed namespace
#5284Template Kit – Export837908k+Non-prefixed global variable
#5285Term Duplicator8356500Input is not sanitized
#5286Unlist Posts & Pages835910k+Nonce verification recommended
#5287SKU Label Changer For WooCommerce83811700Missing direct file access protection
#5288WP BASIC Auth834134k+Input is not sanitized
#5289Campo RUT para CF78467600Missing nonce verification
#5290Add Descendants As Submenu Items84382k+Missing nonce verification
#5291AnimateGL Animations for WordPress – Elementor & Gutenberg Blocks Animations8488203k+Text Domain Mismatch
#5292BinancePay Checkout for WooCommerce84514800Input is not validated
#5293Cache Buster8456400Input is not sanitized
#5294Digital Signature For Contact Form 78422115k+file system operations fwrite
#5295Disable Elements for WPBakery Page Builder8429500trademarked term
#5296Duplicate taxonomy terms and ACF fields8438500Input is not validated
#5297Editor Enhancer for Oxygen84310500Nonce verification recommended
#5298Enable Turnstile (Cloudflare) for Gravity Forms8487700Missing direct file access protection
#5299FEWC – Extra Checkout Fields For WooCommerce84741700Non-prefixed global variable
#5300JWT Authentication for WP REST API84274160k+wp function not compatible with requires wp