WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1651 | WP ULike – Like & Dislike Buttons for Engagement and Feedback | 31 | 269 | 358 | 60k+ | Output is not escaped | ||
| #1652 | WP125 | 31 | 178 | 184 | 3k+ | Unsafe printing function | ||
| #1653 | Hosting Benchmark tool | 31 | 202 | 115 | 4k+ | rand rand | ||
| #1654 | One to one user Chat by WPGuppy | 31 | 74 | 187 | 700 | Non-prefixed global variable | ||
| #1655 | WPDoctor Malware Scanner & Vulnerability Checker & IP blocker with Hack monitor Lite | 31 | 133 | 438 | 600 | Non-prefixed global variable | ||
| #1656 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 31 | 483 | 217 | 2k+ | Unsafe printing function | ||
| #1657 | Dynamic XML Sitemaps Generator for Google | 31 | 75 | 411 | 20k+ | Non-prefixed global variable | ||
| #1658 | YAHMAN Add-ons | 31 | 468 | 141 | 1k+ | Output is not escaped | ||
| #1659 | Zendesk Support for WordPress | 31 | 195 | 88 | 2k+ | Output is not escaped | ||
| #1660 | ACME Divi Modules | 32 | 573 | 35 | 400 | Text Domain Mismatch | ||
| #1661 | ActiveDEMAND | 32 | 157 | 161 | 1k+ | Output is not escaped | ||
| #1662 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | Non-prefixed global variable | ||
| #1663 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped | ||
| #1664 | Affiliate Coupons – Coupon Display Manager – Excellent Tool for Affiliate Marketers | 32 | 183 | 61 | 1k+ | Output is not escaped | ||
| #1665 | AI Alt Text Generator | 32 | 76 | 24 | 1k+ | Missing Translators Comment | ||
| #1666 | All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | 32 | 325 | 102 | 600 | Missing Arg Domain | ||
| #1667 | annasta Filters for WooCommerce | 32 | 1,073 | 441 | 2k+ | Text Domain Mismatch | ||
| #1668 | Aqua Page Builder | 32 | 320 | 114 | 3k+ | Output is not escaped | ||
| #1669 | aThemes Blocks | 32 | 192 | 1,034 | 6k+ | Non-prefixed global variable | ||
| #1670 | Author Avatars List/Block | 32 | 85 | 135 | 4k+ | Non-prefixed hook name | ||
| #1671 | Auto YouTube Importer | 32 | 338 | 173 | 1k+ | Text Domain Mismatch | ||
| #1672 | Speed Kit | 32 | 296 | 73 | 2k+ | Output is not escaped | ||
| #1673 | Better Chat Support for Messenger | 32 | 73 | 103 | 1k+ | Interpolated SQL is not prepared | ||
| #1674 | Better Robots.txt – AI-Ready Crawl Control & Bot Governance | 32 | 55 | 83 | 5k+ | error log error log | ||
| #1675 | Bosa Elementor Addons and Templates for WooCommerce | 32 | 40 | 165 | 20k+ | slow db query tax query | ||
| #1676 | BP Classic | 32 | 664 | 216 | 6k+ | Unsafe printing function | ||
| #1677 | BuddyPress for LearnDash | 32 | 190 | 284 | 1k+ | Output is not escaped | ||
| #1678 | Quantity Discounts, Breaks & Product Bundles for Woocommerce By Bundler | 32 | 147 | 319 | 400 | Direct Query | ||
| #1679 | Child Theme Configurator | 32 | 442 | 267 | 300k+ | Unsafe printing function | ||
| #1680 | Code Manager | 32 | 217 | 261 | 500 | Nonce verification recommended | ||
| #1681 | Vimeotheque – Vimeo WordPress Plugin & Video Gallery | 32 | 642 | 264 | 2k+ | Unsafe printing function | ||
| #1682 | Color and Image Swatches for Variable Product Attributes | 32 | 173 | 111 | 1k+ | Output is not escaped | ||
| #1683 | Ultimate WooCommerce Filters | 32 | 322 | 207 | 600 | Unsafe printing function | ||
| #1684 | Contact Form Builder by vcita | 32 | 666 | 174 | 700 | Text Domain Mismatch | ||
| #1685 | Cooked – Recipe Management | 32 | 462 | 275 | 3k+ | Output is not escaped | ||
| #1686 | Compliance by Hu-manity.co | 32 | 153 | 334 | 900k+ | Missing nonce verification | ||
| #1687 | CSV Import and Exporter | 32 | 83 | 138 | 1k+ | Non-prefixed global variable | ||
| #1688 | Currency Switcher for WooCommerce | 32 | 357 | 263 | 10k+ | Text Domain Mismatch | ||
| #1689 | DHL eCommerce (Benelux) for WooCommerce | 32 | 222 | 330 | 2k+ | Nonce verification recommended | ||
| #1690 | Download Attachments | 32 | 69 | 188 | 8k+ | Non-prefixed hook name | ||
| #1691 | Enter Addons – Ultimate Template Builder for Elementor | 32 | 82 | 72 | 1k+ | Output is not escaped | ||
| #1692 | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | 32 | 560 | 198 | 5k+ | Text Domain Mismatch | ||
| #1693 | Fable Extra | 32 | 79 | 282 | 4k+ | Non-prefixed global variable | ||
| #1694 | AC's Loan Calculator | 32 | 246 | 187 | 400 | Unsafe printing function | ||
| #1695 | FA Lite – WP responsive slider plugin | 32 | 726 | 140 | 500 | Unsafe printing function | ||
| #1696 | Freesoul Deactivate Plugins – Disable plugins on individual WordPress pages | 32 | 53 | 776 | 8k+ | Nonce verification recommended | ||
| #1697 | WP Gravity Forms HubSpot | 32 | 771 | 160 | 600 | Text Domain Mismatch | ||
| #1698 | CRM Perks Integration for Gravity Forms and Salesforce | 32 | 807 | 178 | 1k+ | Text Domain Mismatch | ||
| #1699 | WP Gravity Forms Zoho CRM and Bigin | 32 | 750 | 174 | 400 | Text Domain Mismatch | ||
| #1700 | GlotPress | 32 | 403 | 103 | 500 | Unsafe printing function |