WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5351 | Delete product images for WooCommerce | 86 | 3 | 13 | 1k+ | | | Direct Query |
| #5352 | PayPal Enterprise Payments (formerly Braintree) for WooCommerce | 86 | 3 | 33 | 10k+ | | | Direct Query |
| #5353 | WordClever – AI Content Writer | 86 | 4 | 2 | 3k+ | | | Missing direct file access protection |
| #5354 | WP Consent API | 86 | 2 | 10 | 200k+ | | | Input is not sanitized |
| #5355 | WP101 Video Tutorial Plugin | 86 | 15 | 18 | 10k+ | | | Missing direct file access protection |
| #5356 | Advanced Image Comparison for Elementor | 87 | 1 | 5 | 1k+ | | | Nonce verification recommended |
| #5357 | Author Filters | 87 | 2 | 7 | 1k+ | | | Nonce verification recommended |
| #5358 | SmartText Rotator – Add Motion to Your Words | 87 | 88 | 6 | 1k+ | | | Text Domain Mismatch |
| #5359 | GTM Kit – Google Tag Manager & GA4 integration | 87 | 5 | 17 | 30k+ | | | Missing direct file access protection |
| #5360 | Booking Engine by Lodgify | 87 | 5 | 15 | 700 | | | Non-prefixed global variable |
| #5361 | Manage/View Your Posts Only | 87 | 5 | 3 | 400 | | | Input is not sanitized |
| #5362 | Menu Caching | 87 | 3 | 12 | 500 | | | Request data is not unslashed |
| #5363 | Minimum Purchase Amount For Woo Cart – For WooCommerce | 87 | 72 | 8 | 5k+ | | | Text Domain Mismatch |
| #5364 | Slug or PostID | 87 | 3 | 4 | 600 | | | Missing nonce verification |
| #5365 | Unnotifier — disable admin notices individually | 87 | 5 | 11 | 700 | | | Missing Translators Comment |
| #5366 | Coupon Box for WooCommerce | 87 | 11 | 85 | 1k+ | | | Non-prefixed global variable |
| #5367 | WP Admin Basic Auth | 87 | 5 | 6 | 2k+ | | | Input is not sanitized |
| #5368 | Redirect 404 to Homepage | 88 | 4 | 4 | 70k+ | | | parse url parse url |
| #5369 | Add URL Slugs as Body Classes | 88 | 4 | 3 | 700 | | | Input is not sanitized |
| #5370 | Autocomplete Location Field for Contact Form 7 | 88 | 3 | 9 | 1k+ | | | Missing nonce verification |
| #5371 | Blogify-AI | 88 | 6 | 12 | 400 | | | Non-prefixed global variable |
| #5372 | Captcha by Yandex for Contact Form 7 | 88 | 9 | 12 | 3k+ | | | Text Domain Mismatch |
| #5373 | Disable Registration Page | 88 | 4 | 6 | 400 | | | Text Domain Mismatch |
| #5374 | Duplicate Pages, Posts and CPT | 88 | 2 | 5 | 5k+ | | | Input is not sanitized |
| #5375 | Emoji Settings | 88 | 4 | 5 | 2k+ | | | Input is not sanitized |
| #5376 | Facebook Chat Plugin – Live Chat Plugin for WordPress | 88 | 7 | 8 | 80k+ | | | trademarked term |
| #5377 | Image Hover Effects – WordPress Plugin | 88 | 2 | 5 | 3k+ | | | Input is not sanitized |
| #5378 | Include Me | 88 | 7 | 7 | 4k+ | | | Short PHP open tag found |
| #5379 | mypace Custom Title Tag | 88 | 3 | 6 | 500 | | | Input is not sanitized |
| #5380 | Nav Menu Manager | 88 | 9 | 17 | 800 | | | Request data is not unslashed |
| #5381 | Organic Profile Block | 88 | 3 | 6 | 1k+ | | | Input is not validated |
| #5382 | ProScores – Live Scores | 88 | 12 | 4 | 800 | | | wp function not compatible with requires wp |
| #5383 | Regen. Thumbs | 88 | 3 | 3 | 400 | | | Input is not sanitized |
| #5384 | Scriptless Social Sharing | 88 | 8 | 9 | 10k+ | | | Missing direct file access protection |
| #5385 | WPBakery Page Builder Simple All Responsive | 88 | 4 | 6 | 1k+ | | | Missing direct file access protection |
| #5386 | A Random Number | 89 | 3 | 5 | 800 | | | Non-prefixed function |
| #5387 | Attachment Taxonomies | 89 | 1 | 8 | 900 | | | Input is not sanitized |
| #5388 | Bold pagos en linea | 89 | 4 | 32 | 4k+ | | | Non-prefixed global variable |
| #5389 | Classic Widgets with Block-based Widgets | 89 | 1 | 4 | 1k+ | | | Input is not sanitized |
| #5390 | Convert to Blocks | 89 | 2 | 11 | 2k+ | | | Non-prefixed hook name |
| #5391 | Add Featured Image Custom Link | 89 | 3 | 6 | 1k+ | | | Request data is not unslashed |
| #5392 | Document Embedder Addons for Elementor – Embed Documents in Elementor Websites | 89 | 4 | 6k+ | Input is not validated | |||
| #5393 | LH Copy Media File | 89 | 21 | 5 | 800 | | | wp function not compatible with requires wp |
| #5394 | Reading Time WP | 89 | 5 | 33 | 30k+ | | | Non-prefixed global variable |
| #5395 | seQura | 89 | 2 | 23 | 1k+ | | | Non-prefixed global variable |
| #5396 | Server IP & Memory Usage Display | 89 | 3 | 5 | 30k+ | | | Input is not sanitized |
| #5397 | SiteLock Security – WP Hardening, Login Security & Malware Scans | 89 | 44 | 9 | 1k+ | | | Text Domain Mismatch |
| #5398 | Web-Stat | 89 | 2 | 6 | 5k+ | | | Input is not sanitized |
| #5399 | Codevyne SEO Meta Keywords | 89 | 3 | 7 | 4k+ | | | Non-prefixed function |
| #5400 | Automatically Paginate Posts | 90 | 12 | 2 | 2k+ | | | wp function not compatible with requires wp |