WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
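The three steps above applied to a settings handler, next to the pattern the scan flags. This is an added example, not code from the scanner or from any plugin listed below; the `myplugin_` prefix, field names, nonce action, option names, and settings page URL are assumptions.

```php
<?php
// Hypothetical plugin code: the myplugin_ prefix, field names, nonce action,
// option names and settings page slug are assumptions made for this example.

// Flagged pattern: the slashed superglobal value goes straight into the sanitizer.
// A submitted label of  O'Reilly  arrives as  O\'Reilly  and is stored that way.
function myplugin_save_label_flagged() {
	update_option( 'myplugin_label', sanitize_text_field( $_POST['myplugin_label'] ) );
}

// Corrected pattern: read one key, unslash it, sanitize by type, validate, then use.
function myplugin_save_settings() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	// Free text: unslash first, then a text sanitizer.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';

	// Enumerated value: sanitize as a key, then check against an allow-list.
	$mode = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';
	$allowed_modes = array( 'off', 'basic', 'strict' );

	// Integer: cast to a non-negative integer, then range-check.
	$limit = isset( $_POST['myplugin_limit'] )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) )
		: 0;

	$settings_url = admin_url( 'options-general.php?page=myplugin' );

	// Validate before anything is stored.
	if ( '' === $label || ! in_array( $mode, $allowed_modes, true ) || $limit < 1 || $limit > 100 ) {
		wp_safe_redirect( add_query_arg( 'myplugin_error', '1', $settings_url ) );
		exit;
	}

	update_option( 'myplugin_label', $label );
	update_option( 'myplugin_mode', $mode );
	update_option( 'myplugin_limit', $limit );

	wp_safe_redirect( add_query_arg( 'myplugin_saved', '1', $settings_url ) );
	exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings' );
```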
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #5401 | Automatically Paginate Posts | 90 | 12 | 2 | 2k+ | | | wp function not compatible with requires wp |
| #5402 | Content Anchor Links | 90 | 6 | 5 | 1k+ | | | Non-prefixed hook name |
| #5403 | Cryptocurrency Widgets For Elementor | 90 | 1 | 33 | 1k+ | | | Non-prefixed global variable |
| #5404 | Cloudflare SSL by Weslink | 90 | 3 | 7 | 2k+ | | | trademarked term |
| #5405 | Fusion Page Builder : Extension – Button | 90 | 4 | 5 | 400 | | | Input is not validated |
| #5406 | Nav Menu Item Duplicator | 90 | 16 | 4 | 500 | | | wp function not compatible with requires wp |
| #5407 | PromPress | 90 | 8 | 4 | 700 | | | Missing direct file access protection |
| #5408 | Publish To Apple News | 90 | 882 | 2 | 5k+ | | | Text Domain Mismatch |
| #5409 | Relevanssi Live Ajax Search | 90 | 4 | 22 | 6k+ | | | Non-prefixed global variable |
| #5410 | reCaptcha for WooCommerce | 91 | 116 | 9 | 400 | | | Text Domain Mismatch |
| #5411 | Antispam for Elementor Forms | 91 | 3 | 3 | 1k+ | | | Missing Translators Comment |
| #5412 | Astra Bulk Edit | 91 | 4 | 3 | 30k+ | | | Missing direct file access protection |
| #5413 | Blockenberg — 600+ Advanced Gutenberg Blocks for WordPress Block Editor | 91 | 4 | 6 | 600 | | | block api version too low |
| #5414 | CryptoCloud – Crypto Payment Gateway | 91 | 13 | 6 | 400 | | | Text Domain Mismatch |
| #5415 | Helio Pay (Accept 1-click crypto payments #USDC #SOL #BTC #ETH) | 91 | 8 | 11 | 500 | | | Missing direct file access protection |
| #5416 | Icon List Block – Add Icon-Based Lists with Custom Styles | 91 | 3 | 7 | 4k+ | | | Not In Footer |
| #5417 | If Modified Since | 91 | 2 | 4 | 1k+ | | | Request data is not unslashed |
| #5418 | Ollie Menu Designer | 91 | 45 | 4k+ | Non-prefixed global variable | |||
| #5419 | Pantheon Advanced Page Cache | 91 | 10 | 6 | 10k+ | | | Request data is not unslashed |
| #5420 | Query Loop Load More | 91 | 2 | 6 | 600 | | | Post Not In exclude |
| #5421 | Responsive Tabs | 91 | 59 | 9 | 4k+ | | | Non Singular String Literal Domain |
| #5422 | Simple Chat Button | 91 | 4 | 40k+ | Nonce verification recommended | |||
| #5423 | WebAuthn Provider for Two Factor | 91 | 6 | 14 | 1k+ | | | Missing Arg Domain |
| #5424 | Unveil Lazy Load | 91 | 2 | 6 | 2k+ | | | error log error log |
| #5425 | WP SSL Redirect | 91 | 1 | 8 | 700 | | | trademarked term |
| #5426 | Ads.txt Manager | 92 | 4 | 4 | 100k+ | | | Missing direct file access protection |
| #5427 | Coming Soon Maintenance Mode | 92 | 65 | 6k+ | Non-prefixed global variable | |||
| #5428 | Daisy Titles — Style & Hide Page and Post Titles | 92 | 1 | 5 | 3k+ | | | Discouraged text-domain loading |
| #5429 | External Permalinks Redux | 92 | 9 | 8 | 2k+ | | | Non-prefixed hook name |
| #5430 | Fluent Forms Block | 92 | 4 | 18 | 2k+ | | | Non-prefixed global variable |
| #5431 | GM Block Bots | 92 | 1 | 3 | 900 | | | Input is not sanitized |
| #5432 | Google Photos embed | 92 | 2 | 5 | 700 | | | trademarked term |
| #5433 | Phone Validator with Flags for WooCommerce | 92 | 3 | 2 | 800 | | | badly named files |
| #5434 | Verify domain for Apple Pay with Stripe | 92 | 3 | 2 | 600 | | | Input is not sanitized |
| #5435 | Clear Autoptimize Cache Automatically | 93 | 3 | 9 | 4k+ | | | Request data is not unslashed |
| #5436 | Disable Blog | 93 | 2 | 22 | 10k+ | | | Non-prefixed global variable |
| #5437 | Disable CSS JS Cache | 93 | 9 | 400 | Non-prefixed function | |||
| #5438 | Image Carousel Module for Divi | 93 | 131 | 3 | 9k+ | | | Text Domain Mismatch |
| #5439 | Version Info – Server Health Monitor, PHP & MySQL Version Display, Environment Indicators | 93 | 13 | 10k+ | Request data is not unslashed | |||
| #5440 | Product Author for WooCommerce | 93 | 3 | 6 | 500 | | | Missing direct file access protection |
| #5441 | Gravity Forms Zero Spam | 94 | 4 | 9 | 100k+ | | | trademarked term |
| #5442 | No-Indexer | 94 | 5 | 6 | 500 | | | Non-prefixed function |
| #5443 | Robots.txt Quick Editor | 94 | 1 | 4 | 900 | | | Request data is not unslashed |
| #5444 | Blocks Animation: CSS Animations for Gutenberg Blocks | 95 | 1 | 14 | 90k+ | | | Non-prefixed global variable |
| #5445 | Free Customer Service Tools by OpenWidget | 95 | 2 | 1 | 400 | | | Request data is not unslashed |