WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
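The three steps above applied to one settings handler, as an added example (not code from this page or from any plugin listed here). The `myplugin_*` hook suffix, nonce action, field names and option names are hypothetical.

```php
<?php
// Added example; every myplugin_* name below is hypothetical.

// Flagged pattern: sanitizing while WordPress-added slashes are still present.
// A submitted title of  Tom's "Best" Posts  would be stored as  Tom\'s \"Best\" Posts.
// $title = sanitize_text_field( $_POST['myplugin_title'] );

add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	// Check capability and nonce before reading any request data.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

	// Steps 1 and 2: read one key, unslash it, then sanitize for the expected type.
	$title = isset( $_POST['myplugin_title'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ) )
		: '';
	$per_page = isset( $_POST['myplugin_per_page'] )
		? absint( wp_unslash( $_POST['myplugin_per_page'] ) )
		: 0;
	$layout = isset( $_POST['myplugin_layout'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_layout'] ) )
		: '';

	// Step 3: validate the sanitized values before they reach stored settings.
	$allowed_layouts = array( 'grid', 'list' );
	$valid           = '' !== $title
		&& strlen( $title ) <= 100
		&& $per_page >= 1
		&& $per_page <= 100
		&& in_array( $layout, $allowed_layouts, true );

	if ( $valid ) {
		update_option( 'myplugin_title', $title );
		update_option( 'myplugin_per_page', $per_page );
		update_option( 'myplugin_layout', $layout );
	}

	// Redirect to a fixed admin URL; the status flag is not taken from the request.
	$target = add_query_arg(
		array( 'page' => 'myplugin', 'saved' => $valid ? '1' : '0' ),
		admin_url( 'options-general.php' )
	);
	wp_safe_redirect( $target );
	exit;
}
```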

Affected Plugins

| Rank | Plugin | Score | Errors / Warnings / Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|
| #5401 | Automatically Paginate Posts | 90 | 1222k+ | | | wp function not compatible with requires wp |
| #5402 | Content Anchor Links | 90 | 651k+ | | | Non-prefixed hook name |
| #5403 | Cryptocurrency Widgets For Elementor | 90 | 1331k+ | | | Non-prefixed global variable |
| #5404 | Cloudflare SSL by Weslink | 90 | 372k+ | | | trademarked term |
| #5405 | Fusion Page Builder : Extension – Button | 90 | 45400 | | | Input is not validated |
| #5406 | Nav Menu Item Duplicator | 90 | 164500 | | | wp function not compatible with requires wp |
| #5407 | PromPress | 90 | 84700 | | | Missing direct file access protection |
| #5408 | Publish To Apple News | 90 | 88225k+ | | | Text Domain Mismatch |
| #5409 | Relevanssi Live Ajax Search | 90 | 4226k+ | | | Non-prefixed global variable |
| #5410 | reCaptcha for WooCommerce | 91 | 1169400 | | | Text Domain Mismatch |
| #5411 | Antispam for Elementor Forms | 91 | 331k+ | | | Missing Translators Comment |
| #5412 | Astra Bulk Edit | 91 | 4330k+ | | | Missing direct file access protection |
| #5413 | Blockenberg — 600+ Advanced Gutenberg Blocks for WordPress Block Editor | 91 | 46600 | | | block api version too low |
| #5414 | CryptoCloud – Crypto Payment Gateway | 91 | 136400 | | | Text Domain Mismatch |
| #5415 | Helio Pay (Accept 1-click crypto payments #USDC #SOL #BTC #ETH) | 91 | 811500 | | | Missing direct file access protection |
| #5416 | Icon List Block – Add Icon-Based Lists with Custom Styles | 91 | 374k+ | | | Not In Footer |
| #5417 | If Modified Since | 91 | 241k+ | | | Request data is not unslashed |
| #5418 | Ollie Menu Designer | 91 | 454k+ | | | Non-prefixed global variable |
| #5419 | Pantheon Advanced Page Cache | 91 | 10610k+ | | | Request data is not unslashed |
| #5420 | Query Loop Load More | 91 | 26600 | | | Post Not In exclude |
| #5421 | Responsive Tabs | 91 | 5994k+ | | | Non Singular String Literal Domain |
| #5422 | Simple Chat Button | 91 | 440k+ | | | Nonce verification recommended |
| #5423 | WebAuthn Provider for Two Factor | 91 | 6141k+ | | | Missing Arg Domain |
| #5424 | Unveil Lazy Load | 91 | 262k+ | | | error log error log |
| #5425 | WP SSL Redirect | 91 | 18700 | | | trademarked term |
| #5426 | Ads.txt Manager | 92 | 44100k+ | | | Missing direct file access protection |
| #5427 | Coming Soon Maintenance Mode | 92 | 656k+ | | | Non-prefixed global variable |
| #5428 | Daisy Titles — Style & Hide Page and Post Titles | 92 | 153k+ | | | Discouraged text-domain loading |
| #5429 | External Permalinks Redux | 92 | 982k+ | | | Non-prefixed hook name |
| #5430 | Fluent Forms Block | 92 | 4182k+ | | | Non-prefixed global variable |
| #5431 | GM Block Bots | 92 | 13900 | | | Input is not sanitized |
| #5432 | Google Photos embed | 92 | 25700 | | | trademarked term |
| #5433 | Phone Validator with Flags for WooCommerce | 92 | 32800 | | | badly named files |
| #5434 | Verify domain for Apple Pay with Stripe | 92 | 32600 | | | Input is not sanitized |
| #5435 | Clear Autoptimize Cache Automatically | 93 | 394k+ | | | Request data is not unslashed |
| #5436 | Disable Blog | 93 | 22210k+ | | | Non-prefixed global variable |
| #5437 | Disable CSS JS Cache | 93 | 9400 | | | Non-prefixed function |
| #5438 | Image Carousel Module for Divi | 93 | 13139k+ | | | Text Domain Mismatch |
| #5439 | Version Info – Server Health Monitor, PHP & MySQL Version Display, Environment Indicators | 93 | 1310k+ | | | Request data is not unslashed |
| #5440 | Product Author for WooCommerce | 93 | 36500 | | | Missing direct file access protection |
| #5441 | Gravity Forms Zero Spam | 94 | 49100k+ | | | trademarked term |
| #5442 | No-Indexer | 94 | 56500 | | | Non-prefixed function |
| #5443 | Robots.txt Quick Editor | 94 | 14900 | | | Request data is not unslashed |
| #5444 | Blocks Animation: CSS Animations for Gutenberg Blocks | 95 | 11490k+ | | | Non-prefixed global variable |
| #5445 | Free Customer Service Tools by OpenWidget | 95 | 21400 | | | Request data is not unslashed |