WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1601Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity311221312k+Output is not escaped
#1602LWS Tools3110413410k+Request data is not unslashed
#1603Mailgun for WordPress311447880k+Unsafe printing function
#1604MainWP Dashboard: Self-hosted WordPress Management for Agencies319531720k+Interpolated SQL is not prepared
#1605Melapress Login Security31692782k+Non-prefixed global variable
#1606Openpay Cards Plugin311661053k+Text Domain Mismatch
#1607Openpay Stores Plugin31121751k+Non-prefixed global variable
#1608PanoPress311112342k+Output is not escaped
#1609Patreon WordPress312763393k+Output is not escaped
#1610PayKeeper Payment Gateway for WooCommerce3111344400Non Singular String Literal Domain
#1611افزونه پیامک ووکامرس Persian WooCommerce SMS317226940k+Nonce verification recommended
#1612Podamibe Simple Footer Widget Area31596572k+wp function not compatible with requires wp
#1613Pop-up311039110k+Output is not escaped
#1614Portfolio, Gallery, Product Catalog – Grid KIT Portfolio31613296k+Non-prefixed global variable
#1615Post Pay Counter316392381k+Output is not escaped
#1616Product Configurator for WooCommerce31415573k+Non-prefixed hook name
#1617Active Products Tables for WooCommerce. Use constructor to create tables313644241k+Output is not escaped
#1618Qi Blocks314634560k+Non-prefixed global variable
#1619Qode Essential Addons315529510k+Non-prefixed global variable
#1620Query Monitor3144273200k+Non-prefixed class
#1621Raffle Play Woocommerce31151199800Output is not escaped
#1622Re:amaze Helpdesk & Live Chat3196115400Output is not escaped
#1623reCAPTCHA in WP comments form31264608k+Output is not escaped
#1624Accordion FAQ – Compatible With All Page Builder (Elementor, Gutenberg)3146020130k+Non Singular String Literal Domain
#1625Coming Soon Page & Maintenance Mode316132663k+Text Domain Mismatch
#1626Rank Math SEO – AI SEO Tools to Dominate SEO Rankings31453734m+Non-prefixed global variable
#1627Social Share Buttons314621561k+Text Domain Mismatch
#1628Sidebar Manager Light31221761k+Text Domain Mismatch
#1629Simple calendar for Elementor31125270500Direct Query
#1630Page Builder by SiteOrigin31226214400k+Output is not escaped
#1631Slider Carousel – Image Slider312241,2333k+Request data is not unslashed
#1632Smart Keywords Tool – 智能关键词插件3136133600Non Singular String Literal Domain
#1633SmartBill Facturare si Gestiune314211645k+Text Domain Mismatch
#1634SpeedyCache – Cache, Optimization, Performance3165118600k+Input is not validated
#1635Staatic – Static Site Generator for WordPress314201952k+SQL query is not prepared
#1636Stackable – Page Builder Gutenberg Blocks3147790100k+Non Singular String Literal Domain
#1637Swatchly – Product Variation Swatches for WooCommerce315402145k+Output is not escaped
#1638Team Builder – Team Member Showcase With Grid and slider, Compatible With Elementor, Gutenberg314592827k+Non Singular String Literal Domain
#1639WP Testimonials3118345510k+Non-prefixed global variable
#1640Themify Store Locator31244125500Text Domain Mismatch
#1641Tutor LMS Elementor Addons3122745730k+Non-prefixed global variable
#1642Big File Uploads – Increase Maximum File Upload Size3110192100k+Output is not escaped
#1643Ultimate Posts Widget313098610k+Output is not escaped
#1644User Spam Remover31115141k+Output is not escaped
#1645Blacklist Manager – WooCommerce Anti-Fraud, Blacklist & Checkout Verification312848302k+Missing nonce verification
#1646Web Push Notifications – Webpushr3116929310k+Output is not escaped
#1647Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets31837295100k+Unsafe printing function
#1648WooCommerce Legacy REST API31324177400k+Missing Translators Comment
#1649Tooltips for WordPress313122525k+Output is not escaped
#1650Worldline Global Online Pay for WooCommerce3116086500Missing direct file access protection