WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1401 | Offload Media – Cloud Storage | 29 | 126 | 80 | 1k+ | unlink unlink | ||
| #1402 | Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization | 29 | 80 | 162 | 200k+ | Nonce verification recommended | ||
| #1403 | Page Restrict for WooCommerce | 29 | 579 | 374 | 700 | Text Domain Mismatch | ||
| #1404 | Page View Count | 29 | 106 | 246 | 10k+ | Dynamic hook name | ||
| #1405 | PhastPress | 29 | 95 | 52 | 10k+ | Exception output is not escaped | ||
| #1406 | PlatiOnline Payments | 29 | 304 | 110 | 700 | Output is not escaped | ||
| #1407 | Post Timeline | 29 | 91 | 200 | 800 | Missing nonce verification | ||
| #1408 | Post Views Counter | 29 | 179 | 398 | 200k+ | Non-prefixed hook name | ||
| #1409 | Pósturinn\'s Shipping with WooCommerce | 29 | 713 | 551 | 500 | Text Domain Mismatch | ||
| #1410 | Recipe Card Blocks Lite | 29 | 151 | 408 | 10k+ | Non-prefixed global variable | ||
| #1411 | Relevant – Related, Featured, Latest, and Popular Posts by BestWebSoft | 29 | 487 | 262 | 800 | Text Domain Mismatch | ||
| #1412 | Responder | 29 | 77 | 185 | 3k+ | Non-prefixed global variable | ||
| #1413 | SamedayCourier Shipping | 29 | 336 | 269 | 4k+ | Non Singular String Literal Domain | ||
| #1414 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | Direct Query | ||
| #1415 | Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce | 29 | 148 | 246 | 5k+ | Unsafe printing function | ||
| #1416 | Slider by BestWebSoft | 29 | 478 | 336 | 400 | Text Domain Mismatch | ||
| #1417 | Social Engine | 29 | 133 | 90 | 600 | Exception output is not escaped | ||
| #1418 | SQLite Database Integration | 29 | 161 | 89 | 3k+ | Exception output is not escaped | ||
| #1419 | BuddyPress Builder for Elementor – BuddyBuilder | 29 | 348 | 329 | 1k+ | Text Domain Mismatch | ||
| #1420 | SureMembers – Membership & Content Restriction Plugin | 29 | 359 | 248 | 1k+ | Text Domain Mismatch | ||
| #1421 | Themify Popup | 29 | 232 | 108 | 8k+ | Text Domain Mismatch | ||
| #1422 | Themify – WooCommerce Product Filter | 29 | 643 | 145 | 20k+ | Output is not escaped | ||
| #1423 | Tilda-publishing | 29 | 219 | 78 | 700 | Output is not escaped | ||
| #1424 | Post Grid Gutenberg Blocks – PostX | 29 | 118 | 404 | 40k+ | Non-prefixed global variable | ||
| #1425 | Ultimate Auction for WooCommerce – Excellent WP Auction Plugin | 29 | 52 | 523 | 2k+ | Non-prefixed global variable | ||
| #1426 | User Verification by PickPlugins | 29 | 41 | 314 | 5k+ | Request data is not unslashed | ||
| #1427 | Visualizer – Tables & Charts Manager with Built-in AI Generator | 29 | 348 | 331 | 20k+ | Output is not escaped | ||
| #1428 | Custom Post Types and Custom Fields creator – WCK | 29 | 1,300 | 143 | 10k+ | Text Domain Mismatch | ||
| #1429 | Wenprise Alipay Gateway For WooCommerce | 29 | 113 | 68 | 700 | Exception output is not escaped | ||
| #1430 | Countdown Timer – Widget Countdown | 29 | 290 | 152 | 10k+ | Output is not escaped | ||
| #1431 | Widget for Yelp Reviews | 29 | 147 | 158 | 2k+ | Output is not escaped | ||
| #1432 | Product Carousel Slider & Grid Ultimate for WooCommerce | 29 | 719 | 122 | 6k+ | Text Domain Mismatch | ||
| #1433 | Sofortueberweisung Gateway for Woocommerce | 29 | 104 | 71 | 700 | Output is not escaped | ||
| #1434 | Global Payments SecureSubmit Gateway | 29 | 199 | 443 | 500 | Non-prefixed class | ||
| #1435 | Woostify Sites Library | 29 | 229 | 198 | 20k+ | Text Domain Mismatch | ||
| #1436 | WP Popular Posts | 29 | 77 | 300 | 100k+ | Non-prefixed global variable | ||
| #1437 | WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics | 29 | 118 | 128 | 5k+ | Output is not escaped | ||
| #1438 | WP Magazine Modules Lite | 29 | 152 | 674 | 5k+ | Non-prefixed global variable | ||
| #1439 | WP-PostRatings | 29 | 425 | 384 | 30k+ | Output is not escaped | ||
| #1440 | WP Subscribe | 29 | 79 | 79 | 7k+ | Non-prefixed class | ||
| #1441 | WPComplete | 29 | 383 | 333 | 1k+ | Output is not escaped | ||
| #1442 | Xagio SEO – AI Powered SEO | 29 | 2 | 1,273 | 10k+ | Direct Query | ||
| #1443 | XML for Google Merchant Center | 29 | 52 | 312 | 3k+ | Non-prefixed global variable | ||
| #1444 | Xpro Addons — 140+ Widgets for Elementor | 29 | 27 | 826 | 30k+ | Non-prefixed global variable | ||
| #1445 | Advanced Database Cleaner – Optimize & Clean Database to Speed Up Site Performance | 30 | 173 | 479 | 100k+ | Interpolated SQL is not prepared | ||
| #1446 | PublishPress Blocks – Block Controls, Block Visibility, Block Permissions | 30 | 239 | 417 | 20k+ | Non-prefixed global variable | ||
| #1447 | Aitasi Coming Soon | 30 | 516 | 186 | 1k+ | Output is not escaped | ||
| #1448 | Analytics Insights – Google Analytics Dashboard for WordPress | 30 | 241 | 170 | 10k+ | Unsafe printing function | ||
| #1449 | ApplyOnline – Application Form Builder and Manager | 30 | 345 | 244 | 2k+ | Output is not escaped | ||
| #1450 | Contact Form 7 Connector | 30 | 324 | 196 | 5k+ | Text Domain Mismatch |