WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
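The before/after pair below is an added example written for this page; it is not code from WordPress core, from the sniff, or from any plugin in the table. It assumes WordPress is loaded, so `wp_unslash()`, `sanitize_text_field()`, `absint()`, `sanitize_key()`, `wp_verify_nonce()`, `current_user_can()` and `update_option()` are available; the `acme_` function, form field and option names are hypothetical.

```php
<?php
// Added example (not from the page, WordPress core, or any listed plugin).
// Assumes WordPress is loaded; all acme_* names are hypothetical.

// BEFORE: the pattern the sniff flags. If the visitor typed  O'Brien  into the
// form, WordPress has already turned $_POST['acme_display_name'] into  O\'Brien .
// sanitize_text_field() strips tags and stray whitespace but leaves the backslash,
// so the stored value is  O\'Brien  and no longer matches what was submitted.
function acme_save_settings_flagged() {
    $name  = sanitize_text_field( $_POST['acme_display_name'] );
    $limit = absint( $_POST['acme_limit'] );
    update_option( 'acme_settings', array( 'name' => $name, 'limit' => $limit ) );
}

// AFTER: read one specific key, unslash it, sanitize for the expected type,
// then validate before the value reaches a stored setting.
function acme_save_settings_fixed() {
    // Capability and nonce checks: refuse the request before touching settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    $nonce = isset( $_POST['acme_nonce'] ) ? sanitize_key( wp_unslash( $_POST['acme_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'acme_save_settings' ) ) {
        return false;
    }

    // Step 1 + 2: wp_unslash() first, then a sanitizer matching the data type.
    $name  = isset( $_POST['acme_display_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['acme_display_name'] ) )
        : '';
    $limit = isset( $_POST['acme_limit'] )
        ? absint( wp_unslash( $_POST['acme_limit'] ) )
        : 0;

    // Step 3: validate the sanitized values against what the setting accepts;
    // a name that is empty or too long, or a limit outside 1..500, is rejected
    // rather than silently stored.
    if ( '' === $name || strlen( $name ) > 100 ) {
        return false;
    }
    if ( $limit < 1 || $limit > 500 ) {
        return false;
    }

    update_option( 'acme_settings', array( 'name' => $name, 'limit' => $limit ) );
    return true; // stored value for O'Brien is now  O'Brien , not  O\'Brien
}
```

Order matters: `wp_unslash()` (which runs `stripslashes_deep()`) must wrap the raw superglobal value, and the sanitizer wraps the unslashed result. Reversing the two leaves the backslash in place for any input containing quotes or backslashes, which is exactly the mismatched stored value and failed comparison the sniff is warning about.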
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1601 | Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity | 31 | 122 | 131 | 2k+ | Output is not escaped | | |
| #1602 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed | | |
| #1603 | Mailgun for WordPress | 31 | 144 | 78 | 80k+ | Unsafe printing function | | |
| #1604 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | Interpolated SQL is not prepared | | |
| #1605 | Melapress Login Security | 31 | 69 | 278 | 2k+ | Non-prefixed global variable | | |
| #1606 | Openpay Cards Plugin | 31 | 166 | 105 | 3k+ | Text Domain Mismatch | | |
| #1607 | Openpay Stores Plugin | 31 | 121 | 75 | 1k+ | Non-prefixed global variable | | |
| #1608 | PanoPress | 31 | 111 | 234 | 2k+ | Output is not escaped | | |
| #1609 | Patreon WordPress | 31 | 276 | 339 | 3k+ | Output is not escaped | | |
| #1610 | PayKeeper Payment Gateway for WooCommerce | 31 | 113 | 44 | 400 | Non Singular String Literal Domain | | |
| #1611 | افزونه پیامک ووکامرس Persian WooCommerce SMS | 31 | 72 | 269 | 40k+ | Nonce verification recommended | | |
| #1612 | Podamibe Simple Footer Widget Area | 31 | 596 | 57 | 2k+ | wp function not compatible with requires wp | | |
| #1613 | Pop-up | 31 | 103 | 91 | 10k+ | Output is not escaped | | |
| #1614 | Portfolio, Gallery, Product Catalog – Grid KIT Portfolio | 31 | 61 | 329 | 6k+ | Non-prefixed global variable | | |
| #1615 | Post Pay Counter | 31 | 639 | 238 | 1k+ | Output is not escaped | | |
| #1616 | Product Configurator for WooCommerce | 31 | 41 | 557 | 3k+ | Non-prefixed hook name | | |
| #1617 | Active Products Tables for WooCommerce. Use constructor to create tables | 31 | 364 | 424 | 1k+ | Output is not escaped | | |
| #1618 | Qi Blocks | 31 | 46 | 345 | 60k+ | Non-prefixed global variable | | |
| #1619 | Qode Essential Addons | 31 | 55 | 295 | 10k+ | Non-prefixed global variable | | |
| #1620 | Query Monitor | 31 | 44 | 273 | 200k+ | Non-prefixed class | | |
| #1621 | Raffle Play Woocommerce | 31 | 151 | 199 | 800 | Output is not escaped | | |
| #1622 | Re:amaze Helpdesk & Live Chat | 31 | 96 | 115 | 400 | Output is not escaped | | |
| #1623 | reCAPTCHA in WP comments form | 31 | 264 | 60 | 8k+ | Output is not escaped | | |
| #1624 | Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg) | 31 | 460 | 201 | 30k+ | Non Singular String Literal Domain | | |
| #1625 | Coming Soon Page & Maintenance Mode | 31 | 613 | 266 | 3k+ | Text Domain Mismatch | | |
| #1626 | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | 31 | 45 | 373 | 4m+ | Non-prefixed global variable | | |
| #1627 | Social Share Buttons | 31 | 462 | 156 | 1k+ | Text Domain Mismatch | | |
| #1628 | Sidebar Manager Light | 31 | 221 | 76 | 1k+ | Text Domain Mismatch | | |
| #1629 | Simple calendar for Elementor | 31 | 125 | 270 | 500 | Direct Query | | |
| #1630 | Page Builder by SiteOrigin | 31 | 226 | 214 | 400k+ | Output is not escaped | | |
| #1631 | Slider Carousel – Image Slider | 31 | 224 | 1,233 | 3k+ | Request data is not unslashed | | |
| #1632 | Smart Keywords Tool – 智能关键词插件 | 31 | 361 | 33 | 600 | Non Singular String Literal Domain | | |
| #1633 | SmartBill Facturare si Gestiune | 31 | 421 | 164 | 5k+ | Text Domain Mismatch | | |
| #1634 | SpeedyCache – Cache, Optimization, Performance | 31 | 65 | 118 | 600k+ | Input is not validated | | |
| #1635 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | SQL query is not prepared | | |
| #1636 | Stackable – Page Builder Gutenberg Blocks | 31 | 477 | 90 | 100k+ | Non Singular String Literal Domain | | |
| #1637 | Swatchly – Product Variation Swatches for WooCommerce | 31 | 540 | 214 | 5k+ | Output is not escaped | | |
| #1638 | Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg | 31 | 459 | 282 | 7k+ | Non Singular String Literal Domain | | |
| #1639 | WP Testimonials | 31 | 183 | 455 | 10k+ | Non-prefixed global variable | | |
| #1640 | Themify Store Locator | 31 | 244 | 125 | 500 | Text Domain Mismatch | | |
| #1641 | Tutor LMS Elementor Addons | 31 | 227 | 457 | 30k+ | Non-prefixed global variable | | |
| #1642 | Big File Uploads – Increase Maximum File Upload Size | 31 | 101 | 92 | 100k+ | Output is not escaped | | |
| #1643 | Ultimate Posts Widget | 31 | 309 | 86 | 10k+ | Output is not escaped | | |
| #1644 | User Spam Remover | 31 | 115 | 14 | 1k+ | Output is not escaped | | |
| #1645 | Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification | 31 | 284 | 830 | 2k+ | Missing nonce verification | | |
| #1646 | Web Push Notifications – Webpushr | 31 | 169 | 293 | 10k+ | Output is not escaped | | |
| #1647 | Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | 31 | 837 | 295 | 100k+ | Unsafe printing function | | |
| #1648 | WooCommerce Legacy REST API | 31 | 324 | 177 | 400k+ | Missing Translators Comment | | |
| #1649 | Tooltips for WordPress | 31 | 312 | 252 | 5k+ | Output is not escaped | | |
| #1650 | Worldline Global Online Pay for WooCommerce | 31 | 160 | 86 | 500 | Missing direct file access protection | | |