WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.

Affected Plugins

RankPluginScoreErrorsWarningsInstallsAddedUpdatedTop Issue
#1901Variation Swatches for WooCommerce3346911650k+Text Domain Mismatch
#1902Multi-Carrier EasyPost Shipping Methods & Address Validation for WooCommerce3342469400Non Singular String Literal Domain
#1903Multi-Carrier Shippo Shipping Rates & Address Validation for WooCommerce33411733k+Non Singular String Literal Domain
#1904Webmention336489900Output is not escaped
#1905Website Monetization by MageNet33608720k+Output is not escaped
#1906Textmetrics33324163400Output is not escaped
#1907White Label CMS33409207200k+Unsafe printing function
#1908Rich Showcase for Google Reviews33213278100k+Output is not escaped
#1909Wonder Slider Lite332731878k+Output is not escaped
#1910Product Addons for Woocommerce – Product Options with Custom Fields3312411430k+Output is not escaped
#1911Hyyan WooCommerce Polylang Integration331412208k+Nonce verification recommended
#1912CartBounty – Save and recover abandoned carts for WooCommerce3337039910k+Output is not escaped
#1913Pay. Payment Methods for WooCommerce333161043k+Non Singular String Literal Domain
#1914PDF Invoices Italian Add-on for WooCommerce333252005k+Non Singular String Literal Domain
#1915WOW Slider331761013k+Output is not escaped
#1916Books Gallery – Book Showcase, Library & Affiliate Plugin331,7531782k+Output is not escaped
#1917WP Edit3333713740k+Unsafe printing function
#1918WP EXtra – One Click Optimize334141017k+Missing Arg Domain
#1919WP Social AutoConnect33290144500Output is not escaped
#1920Connector for Gravity Forms and Google Sheets336921553k+Text Domain Mismatch
#1921EasyMedia – Increase Media Upload File Size | Role-Based Upload Limit | Increase Execution Time338213870k+Non-prefixed global variable
#1922WebToffee WP Backup and Migration331322225k+Non-prefixed global variable
#1923WP Multilang – Translation and Multilingual Plugin335311810k+Database parameter is not escaped
#1924Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management335383k+Direct Query
#1925WP-UserOnline3311116110k+Output is not escaped
#1926Editor Blocks by Download Manager331741026k+Output is not escaped
#1927WPReplace内容字符替换插件33209195800Non Singular String Literal Domain
#1928XML Sitemaps3365622k+Output is not escaped
#1929Video Gallery – YouTube Playlist, Channel Gallery by YotuWP3327810120k+Missing Arg Domain
#1930Zita Site Library for Elementor331071351k+Text Domain Mismatch
#1931AFS Analytics3419498600Text Domain Mismatch
#1932Advanced Custom Fields: reCAPTCHA Field3410453800Text Domain Mismatch
#1933Advanced Shipping Validation for WooCommerce34331127400Text Domain Mismatch
#1934AGCA – Custom Dashboard & Login Page343504420k+Unsafe printing function
#1935All In One Favicon342146260k+Output is not escaped
#1936All-in-One WP Migration and Backup3447695m+Missing nonce verification
#1937Arconix Shortcodes341291084k+Output is not escaped
#1938Assistant – Every Day Productivity Apps34124974k+Exception output is not escaped
#1939Audit Trail349010710k+Unsafe printing function
#1940AyeCode Connect3417825310k+Nonce verification recommended
#1941Bayarcash WooCommerce34148138700Non Singular String Literal Domain
#1942Beeketing for WooCommerce – Marketing Automation to Boost Sales34113123600SQL query is not prepared
#1943Blog-in-Blog346493800Non-prefixed function
#1944BoldGrid Easy SEO – Simple and Effective SEO3414910440k+Text Domain Mismatch
#1945Buckets346876500Output is not escaped
#1946BuddyPress & BuddyBoss Member Profile Forms34154121400Text Domain Mismatch
#1947Cache Master3437127400Output is not escaped
#1948Campi Moduli Italiani3472363500Unquoted Complex Placeholder
#1949SMS Abandoned Cart Recovery ✦ CartBoss346772400SQL query is not prepared
#1950Checkout Field Editor for WooCommerce – Checkout Manager341226420k+Text Domain Mismatch