WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
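The three steps above applied to a settings form handler, as an added example that is not code from any scanned plugin. The `myplugin_` prefix, field names, option key, allowed modes and the 1 to 100 limit range are hypothetical.

```php
<?php
// Added example: every "myplugin_" name, field and option key is hypothetical.

// Flagged pattern: the slashed value is sanitized directly, so a submitted
// "O'Brien" reaches the database as "O\'Brien".
// $name = sanitize_text_field( $_POST['myplugin_name'] );

function myplugin_save_settings() {
	// Capability and nonce checks run before any request data is used.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), 403 );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Steps 1 and 2: read one specific key, unslash it, then sanitize it
	// with the function that matches the expected data type.
	$name  = isset( $_POST['myplugin_name'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_name'] ) ) : '';
	$email = isset( $_POST['myplugin_email'] )
		? sanitize_email( wp_unslash( $_POST['myplugin_email'] ) ) : '';
	$mode  = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) ) : '';
	$limit = isset( $_POST['myplugin_limit'] )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) ) : 0;

	// Step 3: validate the sanitized values before they are stored.
	$valid = '' !== $name
		&& is_email( $email )
		&& in_array( $mode, array( 'basic', 'advanced' ), true )
		&& $limit >= 1 && $limit <= 100;

	if ( $valid ) {
		update_option( 'myplugin_settings', compact( 'name', 'email', 'mode', 'limit' ) );
	}

	// Report the outcome to the settings page without echoing raw input.
	wp_safe_redirect(
		add_query_arg(
			'myplugin_saved',
			$valid ? '1' : '0',
			admin_url( 'options-general.php?page=myplugin' )
		)
	);
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```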

Affected Plugins

Rank | Plugin | Score Errors Warnings Installs Added Updated | Top Issue
#1951 | SMS Abandoned Cart Recovery ✦ CartBoss | 346772400 | SQL query is not prepared
#1952 | Checkout Field Editor for WooCommerce – Checkout Manager | 341226520k+ | Text Domain Mismatch
#1953 | Clean Testimonials | 3412787400 | Output is not escaped
#1954 | CM Search And Replace – Optimize content edits with a powerful search and replace tool | 342861112k+ | Output is not escaped
#1955 | Contact Form 7 – PayPal & Stripe Add-on | 34932337k+ | Exception output is not escaped
#1956 | Cornerstone | 3416117430k+ | Nonce verification recommended
#1957 | CSS JS Manager, Async JavaScript, Defer Render Blocking CSS | 34761061k+ | Input is not validated
#1958 | Custom Login Page by SeedProd | 34330125500 | Output is not escaped
#1959 | Custom Post Type Attachment | 3415349800 | wp function not compatible with requires wp
#1960 | Custom Sidebars – Dynamic Sidebar Classic Widget Area Manager | 3432307100k+ | Non-prefixed global variable
#1961 | DD Last Viewed | 34193132500 | Output is not escaped
#1962 | Debug Log Manager Tool | 34441433k+ | Nonce verification recommended
#1963 | Document Library Lite | 34149854k+ | Text Domain Mismatch
#1964 | Download After Email – Subscribe & Download Form Plugin | 34223567k+ | Input is not validated
#1965 | Dr. Flex | 3483511k+ | Output is not escaped
#1966 | Delisho – Recipe Widgets and Blocks | 34603551k+ | Input is not sanitized
#1967 | Easy Social Sharing | 34162401k+ | Non-prefixed global variable
#1968 | EasyIndex | 34741351k+ | Missing nonce verification
#1969 | Edit Flow | 341032274k+ | Non-prefixed hook name
#1970 | Einsatzverwaltung | 341521281k+ | Output is not escaped
#1971 | ECS – Ele Custom Skin for Elementor | 3499205100k+ | Text Domain Mismatch
#1972 | Empik for Woocommerce | 3470259400 | Missing nonce verification
#1973 | Enhanced Text Widget | 341015830k+ | Output is not escaped
#1974 | ePayco Plugin for WooCommerce | 341551363k+ | Text Domain Mismatch
#1975 | Essential Classy Addons for Elementor – 150+ Widgets, Templates & Performance Tools | 34278186500 | Output is not escaped
#1976 | Estimated Delivery for WooCommerce | 34301701k+ | Short PHP open tag found
#1977 | Event Calendar Newsletter | 3496167600 | Non-prefixed hook name
#1978 | Event Post | 34329991k+ | Output is not escaped
#1979 | Export Customers Data | 3410949500 | Text Domain Mismatch
#1980 | Social LikeBox & Feed | 3439314110k+ | Non Singular String Literal Domain
#1981 | Profile Box Shortcode And Widget | 344881381k+ | Output is not escaped
#1982 | Fancy Comments WordPress | 34359392k+ | Unsafe printing function
#1983 | Featured Video Plus | 349910510k+ | Non-prefixed global variable
#1984 | Flash Toolkit | 3415924210k+ | Non-prefixed global variable
#1985 | Weight Based Shipping Table Rate for WooCommerce – Flexible Shipping | 34124156100k+ | Nonce verification recommended
#1986 | Floating Side Tab | 3494153600 | Non-prefixed global variable
#1987 | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress | 344422910k+ | Nonce verification recommended
#1988 | Forms: 3rd-Party Integration | 342341125k+ | Output is not escaped
#1989 | FV Gravatar Cache | 345042700 | Output is not escaped
#1990 | Garden Gnome Package | 34116514k+ | Text Domain Mismatch
#1991 | Geolocation IP Detection | 3422716720k+ | Output is not escaped
#1992 | Gitium | 3414957400 | Output is not escaped
#1993 | APG Google Video Sitemap Feed | 349645800 | Output is not escaped
#1994 | Gratisfaction- Loyalty, Rewards , Referral, Birthday and Giveaway Program | 34131352600 | Missing nonce verification
#1995 | Signature Add-On for Gravity Forms | 34161481k+ | Text Domain Mismatch
#1996 | Greenshift – animation and page builder blocks | 343327270k+ | Non-prefixed global variable
#1997 | Hide Price Until Login | 341871152k+ | Non Singular String Literal Domain
#1998 | Hitsteps Web Analytics | 34370313800 | Output is not escaped
#1999 | HollerBox — Fast & Effective Popups & Lead-Generation | 3478922k+ | Output is not escaped
#2000 | SSL Mixed Content Fix | 3453658k+ | Output is not escaped