WordPress.Security.ValidatedSanitizedInput.MissingUnslash

Request data is not unslashed

Input from a WordPress request superglobal is used before removing WordPress-added slashes.

critical weight

Why It Shows Up

WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.

Why It Matters

Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.

How to Fix

  • Read the specific request key, then call `wp_unslash()` on it.
  • Sanitize the unslashed value with a function that matches the expected data type.
  • Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
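
The three steps above applied to one form handler, as an added example that is not code from the scanner or from any plugin listed on this page. The `myplugin_` names, the field keys, the 1 to 100 range and the two layout values are assumptions, and the code runs inside WordPress.

```php
<?php
// Added example. Assumed: a settings form that posts myplugin_title,
// myplugin_per_page and myplugin_layout to admin-post.php.

// Flagged pattern: the value is sanitized while still slashed, so a
// submitted "O'Brien" is stored as "O\'Brien".
// $title = sanitize_text_field( $_POST['myplugin_title'] );

function myplugin_save_settings() {
	// Request-level checks come before any field is read.
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
	}

	// Steps 1 and 2: read one specific key, unslash it, then sanitize
	// with the function that matches the expected type.
	$title = isset( $_POST['myplugin_title'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ) )
		: '';
	$per_page = isset( $_POST['myplugin_per_page'] )
		? absint( wp_unslash( $_POST['myplugin_per_page'] ) )
		: 0;
	$layout = isset( $_POST['myplugin_layout'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_layout'] ) )
		: '';

	// Step 3: validate the sanitized values before they are stored.
	$valid = '' !== $title
		&& $per_page >= 1 && $per_page <= 100
		&& in_array( $layout, array( 'grid', 'list' ), true );

	$back = wp_get_referer() ? wp_get_referer() : admin_url();
	if ( ! $valid ) {
		wp_safe_redirect( add_query_arg( 'myplugin_error', '1', $back ) );
		exit;
	}

	// update_option() expects unslashed data, which is what we now have.
	update_option( 'myplugin_title', $title );
	update_option( 'myplugin_per_page', $per_page );
	update_option( 'myplugin_layout', $layout );

	wp_safe_redirect( add_query_arg( 'myplugin_saved', '1', $back ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```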

Affected Plugins

Rank  Plugin  Score Errors Warnings Installs Added Updated  Top Issue
#2001  Image Cleanup  3452941k+  Nonce verification recommended
#2002  Import XML and RSS Feeds  34260852k+  Unsafe printing function
#2003  Inavii Social Feed – Live Social Proof Gallery  345321809k+  Text Domain Mismatch
#2004  IndieAuth  3436109400  Input is not sanitized
#2005  IP2Location Country Blocker  342958830k+  Output is not escaped
#2006  Kadence WooCommerce Email Designer  34119230100k+  Non-prefixed global variable
#2007  Lenix Leads Collector  3441424210k+  Text Domain Mismatch
#2008  Login with Vipps and MobilePay  34263174900  Output is not escaped
#2009  MailChimp Forms by MailMunch  341169410k+  Output is not escaped
#2010  Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin  34364593k+  Input is not sanitized
#2011  MantraBrain Starter Sites | MantraBrain Theme Demo Importer  34117611k+  Output is not escaped
#2012  Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, …  347796500  Output is not escaped
#2013  Media Vault  34115150800  Output is not escaped
#2014  Melhor Envio  342427610k+  Nonce verification recommended
#2015  Meow Analytics (Google Analytics)  348054400  Output is not escaped
#2016  Meow Lightbox  34775210k+  Non Singular String Literal Domain
#2017  Meta Tag Manager  3414232180k+  Nonce verification recommended
#2018  OTP Login & Register Woocommerce  341482021k+  Missing nonce verification
#2019  Montonio for WooCommerce  344425710k+  Non-prefixed global variable
#2020  MPL-Publisher — Ebook & Audiobook Creator  3448976800  Text Domain Mismatch
#2021  Multi Step Form  342771369k+  Output is not escaped
#2022  My Tickets – Accessible Event Ticketing  34314566700  Nonce verification recommended
#2023  NextGEN Gallery Optimizer  34128922k+  Output is not escaped
#2024  Ni WooCommerce Custom Order Status  342561392k+  Text Domain Mismatch
#2025  One User Avatar | User Profile Picture  3468190100k+  Non-prefixed global variable
#2026  Optima Express IDX  347123710k+  Non-prefixed class
#2027  Child Theme Creator by Orbisius  34863910k+  Output is not escaped
#2028  Team Members Profile – Employee Directory & Staff Showcase  3433990600  Output is not escaped
#2029  OwnerRez  347956700  Unsafe printing function
#2030  MW Font Changer  34463757k+  Text Domain Mismatch
#2031  Payoneer Checkout  34168415k+  Exception output is not escaped
#2032  PDF Invoices and Packing Slips For WooCommerce  341082841k+  Non-prefixed global variable
#2033  المنتور فارسی  34525040k+  curl curl setopt
#2034  PhonePe Payment Solutions  347710610k+  Missing direct file access protection
#2035  Podigee WordPress Quick Publish – now with Gutenberg support!  3410895700  Text Domain Mismatch
#2036  Progress Bar & Skill Bar  341751791k+  Non Singular String Literal Domain
#2037  PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget  34462989k+  Missing nonce verification
#2038  PW WooCommerce Bulk Edit  3421914920k+  Unsafe printing function
#2039  QuadLayers Telegram Button  34149711k+  Text Domain Mismatch
#2040  Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers  3426186320k+  Non-prefixed global variable
#2041  RaraTheme Companion  344307110k+  Output is not escaped
#2042  Redirection  34322942m+  Non-prefixed class
#2043  Event Timeline – Vertical Timeline  34266841k+  Non-prefixed global variable
#2044  RTMKit  341038050k+  Non-prefixed global variable
#2045  RTMForm Builder  3418820930k+  Text Domain Mismatch
#2046  Route ‑ Shipping Protection  3466150500  Missing nonce verification
#2047  Saphali Woocommerce Lite  3437631310k+  Non-prefixed global variable
#2048  Search Engine Insights for Google Search Console  341741132k+  Output is not escaped
#2049  Search Meter  341919420k+  Output is not escaped
#2050  Security Safe  34193164700  Missing Translators Comment