WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
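The three steps above applied to one settings handler, next to the pattern the rule flags. This is an added example, not code from this page or from any plugin listed on it; every `myplugin_*` name, the option keys, the allowed modes and the length and range limits are assumptions.

```php
<?php
// Added example. Every myplugin_* name is hypothetical.

// Flagged: WordPress has already slashed $_POST, so a submitted label of
// O'Reilly reaches sanitize_text_field() as O\'Reilly and is stored that way.
function myplugin_save_label_flagged() {
	if ( isset( $_POST['myplugin_label'] ) ) {
		update_option( 'myplugin_label', sanitize_text_field( $_POST['myplugin_label'] ) );
	}
}

// Fixed: read the key, unslash, sanitize by type, validate, then store.
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Free text: unslash first so the stored label matches what was typed.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';

	// Enumerated choice: sanitize as a key, then check against an allowlist.
	$mode = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';

	// Integer: absint() after unslashing, then a range check.
	$ttl = isset( $_POST['myplugin_ttl'] )
		? absint( wp_unslash( $_POST['myplugin_ttl'] ) )
		: 0;

	$valid = '' !== $label
		&& strlen( $label ) <= 80
		&& in_array( $mode, array( 'off', 'basic', 'strict' ), true )
		&& $ttl >= 60 && $ttl <= 86400;
	if ( ! $valid ) {
		wp_die( 'Invalid settings.', '', array( 'response' => 400 ) );
	}

	update_option( 'myplugin_label', $label );
	update_option( 'myplugin_mode', $mode );
	update_option( 'myplugin_ttl', $ttl );
	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```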

Affected Plugins

Rank | Plugin | Score | Errors/Warnings/Installs | Added | Updated | Top Issue
#5351 | Delete product images for WooCommerce | 86 | 3131k+ | | | Direct Query
#5352 | PayPal Enterprise Payments (formerly Braintree) for WooCommerce | 86 | 33310k+ | | | Direct Query
#5353 | WordClever – AI Content Writer | 86 | 423k+ | | | Missing direct file access protection
#5354 | WP Consent API | 86 | 210200k+ | | | Input is not sanitized
#5355 | WP101 Video Tutorial Plugin | 86 | 151810k+ | | | Missing direct file access protection
#5356 | Advanced Image Comparison for Elementor | 87 | 151k+ | | | Nonce verification recommended
#5357 | Author Filters | 87 | 271k+ | | | Nonce verification recommended
#5358 | SmartText Rotator – Add Motion to Your Words | 87 | 8861k+ | | | Text Domain Mismatch
#5359 | GTM Kit – Google Tag Manager & GA4 integration | 87 | 51730k+ | | | Missing direct file access protection
#5360 | Booking Engine by Lodgify | 87 | 515700 | | | Non-prefixed global variable
#5361 | Manage/View Your Posts Only | 87 | 53400 | | | Input is not sanitized
#5362 | Menu Caching | 87 | 312500 | | | Request data is not unslashed
#5363 | Minimum Purchase Amount For Woo Cart – For WooCommerce | 87 | 7285k+ | | | Text Domain Mismatch
#5364 | Slug or PostID | 87 | 34600 | | | Missing nonce verification
#5365 | Unnotifier — disable admin notices individually | 87 | 511700 | | | Missing Translators Comment
#5366 | Coupon Box for WooCommerce | 87 | 11851k+ | | | Non-prefixed global variable
#5367 | WP Admin Basic Auth | 87 | 562k+ | | | Input is not sanitized
#5368 | Redirect 404 to Homepage | 88 | 4470k+ | | | parse url parse url
#5369 | Add URL Slugs as Body Classes | 88 | 43700 | | | Input is not sanitized
#5370 | Autocomplete Location Field for Contact Form 7 | 88 | 391k+ | | | Missing nonce verification
#5371 | Blogify-AI | 88 | 612400 | | | Non-prefixed global variable
#5372 | Captcha by Yandex for Contact Form 7 | 88 | 9123k+ | | | Text Domain Mismatch
#5373 | Disable Registration Page | 88 | 46400 | | | Text Domain Mismatch
#5374 | Duplicate Pages, Posts and CPT | 88 | 255k+ | | | Input is not sanitized
#5375 | Emoji Settings | 88 | 452k+ | | | Input is not sanitized
#5376 | Facebook Chat Plugin – Live Chat Plugin for WordPress | 88 | 7880k+ | | | trademarked term
#5377 | Image Hover Effects – WordPress Plugin | 88 | 253k+ | | | Input is not sanitized
#5378 | Include Me | 88 | 774k+ | | | Short PHP open tag found
#5379 | mypace Custom Title Tag | 88 | 36500 | | | Input is not sanitized
#5380 | Nav Menu Manager | 88 | 917800 | | | Request data is not unslashed
#5381 | Organic Profile Block | 88 | 361k+ | | | Input is not validated
#5382 | ProScores – Live Scores | 88 | 124800 | | | wp function not compatible with requires wp
#5383 | Regen. Thumbs | 88 | 33400 | | | Input is not sanitized
#5384 | Scriptless Social Sharing | 88 | 8910k+ | | | Missing direct file access protection
#5385 | WPBakery Page Builder Simple All Responsive | 88 | 461k+ | | | Missing direct file access protection
#5386 | A Random Number | 89 | 35800 | | | Non-prefixed function
#5387 | Attachment Taxonomies | 89 | 18900 | | | Input is not sanitized
#5388 | Bold pagos en linea | 89 | 4324k+ | | | Non-prefixed global variable
#5389 | Classic Widgets with Block-based Widgets | 89 | 141k+ | | | Input is not sanitized
#5390 | Convert to Blocks | 89 | 2112k+ | | | Non-prefixed hook name
#5391 | Add Featured Image Custom Link | 89 | 361k+ | | | Request data is not unslashed
#5392 | Document Embedder Addons for Elementor – Embed Documents in Elementor Websites | 89 | 46k+ | | | Input is not validated
#5393 | LH Copy Media File | 89 | 215800 | | | wp function not compatible with requires wp
#5394 | Reading Time WP | 89 | 53330k+ | | | Non-prefixed global variable
#5395 | seQura | 89 | 2231k+ | | | Non-prefixed global variable
#5396 | Server IP & Memory Usage Display | 89 | 3530k+ | | | Input is not sanitized
#5397 | SiteLock Security – WP Hardening, Login Security & Malware Scans | 89 | 4491k+ | | | Text Domain Mismatch
#5398 | Web-Stat | 89 | 265k+ | | | Input is not sanitized
#5399 | Codevyne SEO Meta Keywords | 89 | 374k+ | | | Non-prefixed function
#5400 | Automatically Paginate Posts | 90 | 1222k+ | | | wp function not compatible with requires wp