WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
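The three steps above applied in one settings handler, as an added example that is not from the original page or from any plugin listed here. The `myplugin_` function, action, option and field names are hypothetical, and the code assumes it is loaded inside WordPress.

```php
<?php
// Added example. All myplugin_* names and field keys are hypothetical.

// Flagged form: the slashes WordPress added are still present, so a
// submitted "O'Brien" would be sanitized and stored as "O\'Brien".
// $label = sanitize_text_field( $_POST['myplugin_label'] );

add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	// Authorize and verify the nonce before reading any field.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save' );

	// Steps 1 and 2: read one key, unslash it, sanitize for its type.
	$label = isset( $_POST['myplugin_label'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
		: '';

	$mode = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';

	$limit = isset( $_POST['myplugin_limit'] )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) )
		: 0;

	// wp_unslash() recurses into arrays; sanitize each element afterwards.
	$tags = isset( $_POST['myplugin_tags'] ) && is_array( $_POST['myplugin_tags'] )
		? array_map( 'sanitize_text_field', wp_unslash( $_POST['myplugin_tags'] ) )
		: array();

	// Step 3: validate the sanitized values before they are stored.
	$allowed_modes = array( 'off', 'summary', 'full' );
	$valid         = '' !== $label
		&& in_array( $mode, $allowed_modes, true )
		&& $limit >= 1 && $limit <= 100;
	if ( ! $valid ) {
		wp_die( 'Invalid settings.', '', array( 'response' => 400 ) );
	}

	update_option( 'myplugin_settings', compact( 'label', 'mode', 'limit', 'tags' ) );
	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
```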
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Updated |
|---|---|---|---|---|---|---|---|
| #1551 | Email Marketing by EmailOctopus | 39 | 43 | 62 | 3k+ | Non Prefixed Variable Found | |
| #1552 | Export All URLs | 39 | 151 | 45 | 50k+ | Non Singular String Literal Domain | |
| #1553 | BestWebSoft's Like & Share – Posts, Pages and Widget Social Extension plugin for WordPress | 39 | 480 | 226 | 4k+ | Text Domain Mismatch | |
| #1554 | Genesis Dambuster | 39 | 94 | 67 | 3k+ | Output Not Escaped | |
| #1555 | Gift Up Gift Cards for WordPress and WooCommerce | 39 | 94 | 60 | 5k+ | Output Not Escaped | |
| #1556 | Prisna GWT – Google Website Translator | 39 | 117 | 77 | 8k+ | Text Domain Mismatch | |
| #1557 | GoSMTP – SMTP for WordPress | 39 | 59 | 42 | 500k+ | Output Not Escaped | |
| #1558 | Graphina – Charts and Graphs For Elementor | 39 | 1,895 | 113 | 10k+ | Text Domain Mismatch | |
| #1559 | HD Quiz | 39 | 252 | 81 | 7k+ | Output Not Escaped | |
| #1560 | Maintenance Mode | 39 | 86 | 109 | 7k+ | Output Not Escaped | |
| #1561 | If Menu – Visibility control for Menus | 39 | 281 | 63 | 50k+ | Output Not Escaped | |
| #1562 | Improved Save Button | 39 | 44 | 52 | 4k+ | Missing Translators Comment | |
| #1563 | Insert Html Snippet | 39 | 159 | 205 | 20k+ | Output Not Escaped | |
| #1564 | Korea SNS | 39 | 88 | 30 | 4k+ | Unsafe Printing Function | |
| #1565 | LuckyWP Table of Contents | 39 | 438 | 62 | 100k+ | Output Not Escaped | |
| #1566 | Magazine Blocks – Blog Designer, Magazine & Newspaper Website Builder, Page Builder with Posts Blocks, Post Grid | 39 | 65 | 72 | 6k+ | block api version too low | |
| #1567 | Mail Subscribe List | 39 | 17 | 94 | 3k+ | Input Not Validated | |
| #1568 | MC4WP: Mailchimp for WordPress | 39 | 1 | 294 | 1m+ | Non Prefixed Variable Found | |
| #1569 | Media Sync | 39 | 193 | 7 | 50k+ | Echo Found | |
| #1570 | Meks Easy Photo Feed Widget | 39 | 77 | 27 | 10k+ | Output Not Escaped | |
| #1571 | Movable Type and TypePad Importer | 39 | 42 | 25 | 20k+ | Output Not Escaped | |
| #1572 | Multilingual Contact Form 7 with Polylang | 39 | 50 | 30 | 9k+ | Text Domain Mismatch | |
| #1573 | SOGO Add Script to Individual Pages Header Footer | 39 | 74 | 40 | 20k+ | Output Not Escaped | |
| #1574 | Permalink Manager for WooCommerce | 39 | 116 | 24 | 8k+ | Echo Found | |
| #1575 | Product Enquiry for WooCommerce | 39 | 33 | 206 | 10k+ | Non Prefixed Variable Found | |
| #1576 | Product Video Gallery for Woocommerce | 39 | 63 | 36 | 10k+ | register setting Missing | |
| #1577 | QR Redirector | 39 | 48 | 54 | 4k+ | Output Not Escaped | |
| #1578 | Radio Buttons for Taxonomies | 39 | 40 | 24 | 20k+ | Output Not Escaped | |
| #1579 | Redirect 404 Error Page to Homepage or Custom Page with Logs | 39 | 27 | 53 | 10k+ | Recommended | |
| #1580 | Scripts n Styles | 39 | 150 | 92 | 30k+ | Output Not Escaped | |
| #1581 | SEO Friendly Images | 39 | 292 | 20 | 20k+ | Output Not Escaped | |
| #1582 | Taxonomy Thumbnail | 39 | 27 | 58 | 3k+ | Non Prefixed Function Found | |
| #1583 | Shipping Simulator for WooCommerce | 39 | 120 | 39 | 5k+ | Text Domain Mismatch | |
| #1584 | Simple Membership WP user Import | 39 | 22 | 46 | 4k+ | Missing Unslash | |
| #1585 | Simple Staff List | 39 | 90 | 236 | 3k+ | Non Prefixed Variable Found | |
| #1586 | Soumettre.fr | 39 | 130 | 26 | 10k+ | Text Domain Mismatch | |
| #1587 | Sydney Toolbox | 39 | 84 | 62 | 50k+ | Unsafe Printing Function | |
| #1588 | TinyMCE Custom Styles | 39 | 297 | 76 | 7k+ | Non Singular String Literal Domain | |
| #1589 | Uptolike Social Share Buttons | 39 | 38 | 33 | 4k+ | Output Not Escaped | |
| #1590 | UserHeat Plugin | 39 | 121 | 20 | 6k+ | Non Singular String Literal Domain | |
| #1591 | Accessibility by UserWay | 39 | 22 | 35 | 80k+ | Direct Query | |
| #1592 | Smart Variation Swatches and Attribute Filters for WooCommerce | 39 | 39 | 50 | 3k+ | Output Not Escaped | |
| #1593 | Visual Portfolio, Photo Gallery & Post Grid | 39 | 34 | 189 | 60k+ | Non Prefixed Hookname Found | |
| #1594 | Smart COD for WooCommerce | 39 | 50 | 28 | 30k+ | Output Not Escaped | |
| #1595 | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | 39 | 89 | 117 | 20k+ | Unsafe Printing Function | |
| #1596 | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | 39 | 7 | 222 | 20k+ | Non Prefixed Hookname Found | |
| #1597 | PayU GPO Payment for WooCommerce | 39 | 44 | 91 | 10k+ | Output Not Escaped | |
| #1598 | WPC Product Bundles for WooCommerce | 39 | 33 | 141 | 30k+ | Missing Unslash | |
| #1599 | Wallet for WooCommerce | 39 | 36 | 503 | 20k+ | Non Prefixed Hookname Found | |
| #1600 | WooCommerce Product Dependencies | 39 | 44 | 60 | 3k+ | Missing |