WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #1801 | Nexi XPay | 33 | 496 | 277 | 6k+ | Text Domain Mismatch | ||
| #1802 | CartPops – High Converting Add To Cart Popup For WooCommerce | 33 | 63 | 188 | 4k+ | Non-prefixed global variable | ||
| #1803 | Century ToolKit | 33 | 118 | 78 | 700 | Output is not escaped | ||
| #1804 | Chartify – WordPress Chart Plugin | 33 | 76 | 411 | 3k+ | Non-prefixed global variable | ||
| #1805 | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form | 33 | 57 | 204 | 1k+ | Non-prefixed global variable | ||
| #1806 | Civic Cookie Control | 33 | 1,881 | 219 | 2k+ | Text Domain Mismatch | ||
| #1807 | Clicky Analytics | 33 | 166 | 92 | 10k+ | Output is not escaped | ||
| #1808 | Companion Auto Update | 33 | 159 | 298 | 40k+ | Direct Query | ||
| #1809 | Companion Sitemap Generator – Simple, Smart, and SEO-Ready | 33 | 118 | 57 | 7k+ | Missing Translators Comment | ||
| #1810 | Conekta Payment Gateway | 33 | 240 | 61 | 2k+ | Text Domain Mismatch | ||
| #1811 | Contact Form Plugin | 33 | 47 | 220 | 2k+ | Non-prefixed function | ||
| #1812 | Contact List – Online Staff Directory & Address Book | 33 | 118 | 342 | 1k+ | Nonce verification recommended | ||
| #1813 | Chatbot with IBM watsonx Assistant | 33 | 324 | 83 | 400 | Non Singular String Literal Domain | ||
| #1814 | Chwazi – Delivery & Pickup Scheduling for WooCommerce | 33 | 563 | 192 | 600 | Text Domain Mismatch | ||
| #1815 | Device Detector | 33 | 209 | 112 | 600 | Output is not escaped | ||
| #1816 | DJ-Accessibility – Accessibility Plugin | 33 | 370 | 48 | 3k+ | Text Domain Mismatch | ||
| #1817 | Login & Register Forms – Popup | Slider | Inline | WooCommerce | 33 | 177 | 477 | 40k+ | Non-prefixed global variable | ||
| #1818 | Easy Timer | 33 | 78 | 450 | 1k+ | Non-prefixed global variable | ||
| #1819 | Easy Upload Files During Checkout | 33 | 218 | 199 | 500 | Unsafe printing function | ||
| #1820 | EchBay Phonering Alo | 33 | 74 | 47 | 1k+ | Output is not escaped | ||
| #1821 | Human Presence – Stop Form Spam Without ReCaptcha | 33 | 54 | 65 | 1k+ | Request data is not unslashed | ||
| #1822 | Fastly | 33 | 221 | 66 | 1k+ | Text Domain Mismatch | ||
| #1823 | FastPixel Cache – Optimize Page Speed: Compress Images, Minify, Clean Database & CDN | 33 | 51 | 333 | 4k+ | Request data is not unslashed | ||
| #1824 | Gallery Custom Links | 33 | 64 | 62 | 30k+ | Non Singular String Literal Domain | ||
| #1825 | GDPR Cookie Compliance – Cookie Banner, Cookie Consent, Cookie Notice for CCPA, EU Cookie Law | 33 | 48 | 370 | 300k+ | Non-prefixed global variable | ||
| #1826 | GetResponse Forms by Optin Cat | 33 | 68 | 138 | 1k+ | Missing direct file access protection | ||
| #1827 | Five Star Restaurant Reviews | 33 | 242 | 142 | 400 | Output is not escaped | ||
| #1828 | Comments – GraphComment | AI-Moderated Comment System | 33 | 191 | 177 | 400 | Unsafe printing function | ||
| #1829 | Gravity Forms Eway | 33 | 519 | 45 | 500 | Missing Translators Comment | ||
| #1830 | GSheetConnector for Forminator Forms | 33 | 128 | 201 | 1k+ | Non-prefixed global variable | ||
| #1831 | Ultimate Addons for Elementor | 33 | 81 | 291 | 2m+ | Non-prefixed class | ||
| #1832 | Mentions légales [FR] | 33 | 238 | 48 | 2k+ | Text Domain Mismatch | ||
| #1833 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce | 33 | 377 | 139 | 20k+ | Unsafe printing function | ||
| #1834 | Flipbox – Awesomes Flip Boxes Image Overlay | 33 | 400 | 7,279 | 10k+ | Input is not validated | ||
| #1835 | Image Source Control Lite – Show Image Credits and Captions | 33 | 140 | 221 | 3k+ | Non-prefixed hook name | ||
| #1836 | ImageLinks – Interactive Image Builder with Hotspots | 33 | 517 | 90 | 1k+ | Text Domain Mismatch | ||
| #1837 | Inactive User Deleter | 33 | 453 | 170 | 800 | Output is not escaped | ||
| #1838 | InPost Gallery | 33 | 105 | 245 | 700 | Non-prefixed global variable | ||
| #1839 | WPZOOM Social Feed Widget & Block | 33 | 310 | 278 | 60k+ | Unsafe printing function | ||
| #1840 | Intagrate Lite | 33 | 94 | 152 | 4k+ | date date | ||
| #1841 | IP2Location Redirection | 33 | 198 | 122 | 7k+ | Output is not escaped | ||
| #1842 | IssueM | 33 | 56 | 173 | 600 | Request data is not unslashed | ||
| #1843 | ITRO Popup Plugin | 33 | 591 | 135 | 6k+ | Output is not escaped | ||
| #1844 | Janolaw AGB Hosting | 33 | 198 | 11 | 1k+ | Short PHP open tag found | ||
| #1845 | JetWidgets for Elementor and WooCommerce | 33 | 187 | 146 | 7k+ | Text Domain Mismatch | ||
| #1846 | jQuery Manager for WordPress | 33 | 86 | 24 | 7k+ | Output is not escaped | ||
| #1847 | Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid | 33 | 274 | 106 | 3k+ | Text Domain Mismatch | ||
| #1848 | LWSCache | 33 | 47 | 104 | 6k+ | Non-prefixed global variable | ||
| #1849 | Forms for Mailchimp by Optin Cat – Grow Your MailChimp List | 33 | 71 | 133 | 2k+ | Missing direct file access protection | ||
| #1850 | MailUp for WordPress – Email and Newsletter Subscription Form | 33 | 251 | 100 | 2k+ | Text Domain Mismatch |