WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
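
The steps above applied in a settings handler, next to the pattern the scan flags. This is an added example, not code from the scan or from any listed plugin; every `myplugin_*` function, field, nonce, and option name is hypothetical.

```php
<?php
// Added example; every myplugin_* function, field, nonce and option name is hypothetical.

// Flagged pattern: sanitize_text_field() does not remove the slashes WordPress
// added, so a submitted "O'Reilly" is stored as "O\'Reilly".
function myplugin_save_label_flagged() {
    if ( isset( $_POST['myplugin_label'] ) ) {
        update_option( 'myplugin_label', sanitize_text_field( $_POST['myplugin_label'] ) );
    }
}

// Corrected pattern: read the key, unslash, sanitize by type, validate, then store.
function myplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'myplugin' ) );
    }
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // Read one specific key, unslash it, then sanitize for its data type.
    // Both sanitizers return '' when the key holds an array instead of a string.
    $label = isset( $_POST['myplugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
        : '';
    $mode  = isset( $_POST['myplugin_mode'] )
        ? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
        : '';

    // Validate before the values reach stored settings.
    $allowed_modes = array( 'off', 'basic', 'strict' );
    if ( ! in_array( $mode, $allowed_modes, true ) ) {
        $mode = 'off'; // Unknown or missing mode falls back to the default.
    }
    if ( '' === $label || strlen( $label ) > 80 ) {
        wp_die( esc_html__( 'Label must be 1 to 80 characters.', 'myplugin' ) );
    }

    update_option( 'myplugin_label', $label );
    update_option( 'myplugin_mode', $mode );
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```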
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #151 | Gutenberg | 22 | 628 | 342 | 300k+ | | | Missing direct file access protection |
| #152 | Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms | 22 | 1,037 | 722 | 20k+ | | | Unsafe printing function |
| #153 | HeadSpace2 SEO | 22 | 940 | 360 | 3k+ | | | Text Domain Mismatch |
| #154 | Csomagpontok és Címkék WooCommerce-hez | 22 | 2,001 | 769 | 7k+ | | | Text Domain Mismatch |
| #155 | IMPress for IDX Broker | 22 | 1,085 | 636 | 7k+ | | | Text Domain Mismatch |
| #156 | Insert or Embed Articulate Content into WordPress | 22 | 659 | 1,437 | 2k+ | | | Non-prefixed global variable |
| #157 | Számlázz.hu integráció WooCommerce-hez | 22 | 1,169 | 460 | 7k+ | | | Text Domain Mismatch |
| #158 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | | | Exception output is not escaped |
| #159 | Import WP – Export and Import CSV and XML files to WordPress | 22 | 580 | 330 | 4k+ | | | Exception output is not escaped |
| #160 | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | 22 | 2,361 | 3,384 | 70k+ | | | Non-prefixed global variable |
| #161 | Leyka | 22 | 253 | 3,445 | 2k+ | | | Request data is not unslashed |
| #162 | Custom Login Page Customizer – Login Designer | 22 | 588 | 1,455 | 30k+ | | | Non-prefixed global variable |
| #163 | MailOptin – Popup, Optin Forms & Email Newsletters for Mailchimp, HubSpot, AWeber Etc. | 22 | 2,619 | 2,453 | 10k+ | | | Output is not escaped |
| #164 | Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider | 22 | 207 | 323 | 500k+ | | | Non-prefixed global variable |
| #165 | Modula Image Gallery – Photo Grid & Video Gallery | 22 | 474 | 436 | 100k+ | | | Text Domain Mismatch |
| #166 | Molongui Authorship – Author Boxes, Guest Authors & Co-Authors for WordPress | 22 | 919 | 1,230 | 10k+ | | | Output is not escaped |
| #167 | Moloni | 22 | 902 | 356 | 2k+ | | | Missing Arg Domain |
| #168 | Motors – Car Dealership & Classified Listings Plugin | 22 | 5,340 | 5,958 | 9k+ | | | Text Domain Mismatch |
| #169 | Newsletters | 22 | 2,968 | 2,248 | 2k+ | | | Text Domain Mismatch |
| #170 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | | | Non-prefixed global variable |
| #171 | NinjaScanner – Virus & Malware scan | 22 | 596 | 551 | 30k+ | | | Non-prefixed global variable |
| #172 | WP OAuth Server (OAuth Authentication) | 22 | 189 | 347 | 3k+ | | | Non-prefixed function |
| #173 | oik | 22 | 489 | 180 | 2k+ | | | Non Singular String Literal Domain |
| #174 | PagBank / PagSeguro Connect para WooCommerce | 22 | 504 | 743 | 4k+ | | | Non-prefixed global variable |
| #175 | PAYCOMET for WooCommerce | 22 | 1,206 | 423 | 2k+ | | | Text Domain Mismatch |
| #176 | Smart Popup by Supsystic | 22 | 3,172 | 503 | 10k+ | | | Non Singular String Literal Domain |
| #177 | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | 22 | 1,581 | 2,326 | 300k+ | | | Non-prefixed global variable |
| #178 | Prime Mover – Migrate WordPress Website & Backups | 22 | 1,326 | 1,600 | 10k+ | | | Non-prefixed global variable |
| #179 | Product Catalog Feed by PixelYourSite | 22 | 581 | 357 | 8k+ | | | Output is not escaped |
| #180 | Pronamic Pay | 22 | 258 | 1,077 | 3k+ | | | Non-prefixed global variable |
| #181 | PageSpeed Ninja – Cache, Minify, Defer CSS JavaScript, Critical CSS, Optimize Images, Convert WebP | 22 | 984 | 407 | 5k+ | | | Unsafe printing function |
| #182 | Quick Contact Form | 22 | 260 | 623 | 1k+ | | | Non-prefixed function |
| #183 | RabbitLoader Cache: Optimize your Website for Speed | 22 | 241 | 163 | 2k+ | | | Output is not escaped |
| #184 | Restrict User Access – Ultimate Membership & Content Protection | 22 | 977 | 1,840 | 10k+ | | | Non-prefixed global variable |
| #185 | Salon Booking System – Free Version | 22 | 650 | 619 | 3k+ | | | Missing direct file access protection |
| #186 | Social Sharing Plugin – Sassy Social Share | 22 | 1,689 | 233 | 100k+ | | | wp function not compatible with requires wp |
| #187 | Seraphinite Accelerator | 22 | 594 | 255 | 50k+ | | | Output is not escaped |
| #188 | ShortPixel Image Optimizer – Optimize Images, Convert WebP & AVIF | 22 | 1,044 | 799 | 300k+ | | | Non-prefixed global variable |
| #189 | Simple Job Board | 22 | 634 | 1,355 | 10k+ | | | Non-prefixed global variable |
| #190 | Slick Popup: Contact Form 7 Popup Plugin | 22 | 2,322 | 316 | 2k+ | | | Text Domain Mismatch |
| #191 | Slim Jetpack | 22 | 2,586 | 1,947 | 2k+ | | | Text Domain Mismatch |
| #192 | SNS Count Cache | 22 | 918 | 120 | 8k+ | | | Non Singular String Literal Domain |
| #193 | NextScripts: Social Networks Auto-Poster | 22 | 2,408 | 1,133 | 30k+ | | | Output is not escaped |
| #194 | SportsPress – Sports Club & League Manager | 22 | 460 | 2,242 | 10k+ | | | Non-prefixed global variable |
| #195 | SSL Zen — SSL Certificate Installer & HTTPS Redirects | 22 | 779 | 1,575 | 10k+ | | | Non-prefixed global variable |
| #196 | Stylish Price List – Price Table Builder & QR Code Restaurant Menu | 22 | 674 | 678 | 3k+ | | | Output is not escaped |
| #197 | SVG Flags – Beautiful Scalable Flags For All Countries! | 22 | 755 | 1,251 | 2k+ | | | Non-prefixed global variable |
| #198 | Swift Performance Lite | 22 | 2,346 | 1,325 | 7k+ | | | Text Domain Mismatch |
| #199 | Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent | 22 | 225 | 519 | 8k+ | | | error log error log |
| #200 | 10Web Booster – Website speed optimization, Cache & Page Speed optimizer | 22 | 513 | 601 | 80k+ | | | Non-prefixed global variable |