WordPress.Security.ValidatedSanitizedInput.MissingUnslash
Request data is not unslashed
Input from a WordPress request superglobal is used before removing WordPress-added slashes.
Why It Shows Up
WordPress adds slashes to request data for historical compatibility. The scan found `$_GET`, `$_POST`, `$_REQUEST`, or similar input used without `wp_unslash()`.
Why It Matters
Sanitizing slashed data can produce incorrect values, failed comparisons, broken validation, or stored data that does not match what the user submitted.
How to Fix
- Read the specific request key, then call `wp_unslash()` on it.
- Sanitize the unslashed value with a function that matches the expected data type.
- Validate the sanitized value before using it in permissions, queries, redirects, or stored settings.
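
The three steps above applied to one settings handler, as an added example that is not code from any plugin listed on this page. It assumes it runs inside WordPress; the `myplugin_*` action, nonce, field and option names are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded (plugin file).
// Hypothetical names: myplugin_save, myplugin_nonce, myplugin_title,
// myplugin_mode, myplugin_limit, myplugin_settings.

// Form the sniff flags: the slashed value is sanitized directly, so a
// submitted "O'Reilly" reaches the database as "O\'Reilly".
// $title = sanitize_text_field( $_POST['myplugin_title'] );

function myplugin_save() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

	// Steps 1-2: read the specific key and unslash it.
	// Step 3: sanitize with a function that matches the expected type.
	$title = isset( $_POST['myplugin_title'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_title'] ) )
		: '';
	$mode  = isset( $_POST['myplugin_mode'] )
		? sanitize_key( wp_unslash( $_POST['myplugin_mode'] ) )
		: '';
	$limit = isset( $_POST['myplugin_limit'] )
		? absint( wp_unslash( $_POST['myplugin_limit'] ) )
		: 0;

	// Validate before storing: allow-list for the enum, range for the integer.
	$allowed_modes = array( 'off', 'basic', 'strict' );
	if ( ! in_array( $mode, $allowed_modes, true ) ) {
		$mode = 'off';
	}
	if ( '' === $title || $limit < 1 || $limit > 100 ) {
		wp_die( esc_html__( 'Invalid settings.', 'myplugin' ), '', array( 'response' => 400 ) );
	}

	update_option(
		'myplugin_settings',
		array(
			'title' => $title,
			'mode'  => $mode,
			'limit' => $limit,
		)
	);

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_save' );
```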
Affected Plugins
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #2001 | Image Cleanup | 34 | 52 | 94 | 1k+ | | | Nonce verification recommended |
| #2002 | Import XML and RSS Feeds | 34 | 260 | 85 | 2k+ | | | Unsafe printing function |
| #2003 | Inavii Social Feed – Live Social Proof Gallery | 34 | 532 | 180 | 9k+ | | | Text Domain Mismatch |
| #2004 | IndieAuth | 34 | 36 | 109 | 400 | | | Input is not sanitized |
| #2005 | IP2Location Country Blocker | 34 | 295 | 88 | 30k+ | | | Output is not escaped |
| #2006 | Kadence WooCommerce Email Designer | 34 | 119 | 230 | 100k+ | | | Non-prefixed global variable |
| #2007 | Lenix Leads Collector | 34 | 414 | 242 | 10k+ | | | Text Domain Mismatch |
| #2008 | Login with Vipps and MobilePay | 34 | 263 | 174 | 900 | | | Output is not escaped |
| #2009 | MailChimp Forms by MailMunch | 34 | 116 | 94 | 10k+ | | | Output is not escaped |
| #2010 | Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin | 34 | 36 | 459 | 3k+ | | | Input is not sanitized |
| #2011 | MantraBrain Starter Sites \| MantraBrain Theme Demo Importer | 34 | 117 | 61 | 1k+ | | | Output is not escaped |
| #2012 | Mass Ping Tool for SEO – WordPress ping list to get indexed faster on Google, Yandex, … | 34 | 77 | 96 | 500 | | | Output is not escaped |
| #2013 | Media Vault | 34 | 115 | 150 | 800 | | | Output is not escaped |
| #2014 | Melhor Envio | 34 | 24 | 276 | 10k+ | | | Nonce verification recommended |
| #2015 | Meow Analytics (Google Analytics) | 34 | 80 | 54 | 400 | | | Output is not escaped |
| #2016 | Meow Lightbox | 34 | 77 | 52 | 10k+ | | | Non Singular String Literal Domain |
| #2017 | Meta Tag Manager | 34 | 142 | 321 | 80k+ | | | Nonce verification recommended |
| #2018 | OTP Login & Register Woocommerce | 34 | 148 | 202 | 1k+ | | | Missing nonce verification |
| #2019 | Montonio for WooCommerce | 34 | 44 | 257 | 10k+ | | | Non-prefixed global variable |
| #2020 | MPL-Publisher — Ebook & Audiobook Creator | 34 | 489 | 76 | 800 | | | Text Domain Mismatch |
| #2021 | Multi Step Form | 34 | 277 | 136 | 9k+ | | | Output is not escaped |
| #2022 | My Tickets – Accessible Event Ticketing | 34 | 314 | 566 | 700 | | | Nonce verification recommended |
| #2023 | NextGEN Gallery Optimizer | 34 | 128 | 92 | 2k+ | | | Output is not escaped |
| #2024 | Ni WooCommerce Custom Order Status | 34 | 256 | 139 | 2k+ | | | Text Domain Mismatch |
| #2025 | One User Avatar \| User Profile Picture | 34 | 68 | 190 | 100k+ | | | Non-prefixed global variable |
| #2026 | Optima Express IDX | 34 | 71 | 237 | 10k+ | | | Non-prefixed class |
| #2027 | Child Theme Creator by Orbisius | 34 | 86 | 39 | 10k+ | | | Output is not escaped |
| #2028 | Team Members Profile – Employee Directory & Staff Showcase | 34 | 339 | 90 | 600 | | | Output is not escaped |
| #2029 | OwnerRez | 34 | 79 | 56 | 700 | | | Unsafe printing function |
| #2030 | MW Font Changer | 34 | 463 | 75 | 7k+ | | | Text Domain Mismatch |
| #2031 | Payoneer Checkout | 34 | 168 | 41 | 5k+ | | | Exception output is not escaped |
| #2032 | PDF Invoices and Packing Slips For WooCommerce | 34 | 108 | 284 | 1k+ | | | Non-prefixed global variable |
| #2033 | المنتور فارسی | 34 | 52 | 50 | 40k+ | | | curl curl setopt |
| #2034 | PhonePe Payment Solutions | 34 | 77 | 106 | 10k+ | | | Missing direct file access protection |
| #2035 | Podigee WordPress Quick Publish – now with Gutenberg support! | 34 | 108 | 95 | 700 | | | Text Domain Mismatch |
| #2036 | Progress Bar & Skill Bar | 34 | 175 | 179 | 1k+ | | | Non Singular String Literal Domain |
| #2037 | PushEngage – Web Push Notifications, WooCommerce Automation & Chat Widget | 34 | 46 | 298 | 9k+ | | | Missing nonce verification |
| #2038 | PW WooCommerce Bulk Edit | 34 | 219 | 149 | 20k+ | | | Unsafe printing function |
| #2039 | QuadLayers Telegram Button | 34 | 149 | 71 | 1k+ | | | Text Domain Mismatch |
| #2040 | Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers | 34 | 261 | 863 | 20k+ | | | Non-prefixed global variable |
| #2041 | RaraTheme Companion | 34 | 430 | 71 | 10k+ | | | Output is not escaped |
| #2042 | Redirection | 34 | 32 | 294 | 2m+ | | | Non-prefixed class |
| #2043 | Event Timeline – Vertical Timeline | 34 | 26 | 684 | 1k+ | | | Non-prefixed global variable |
| #2044 | RTMKit | 34 | 10 | 380 | 50k+ | | | Non-prefixed global variable |
| #2045 | RTMForm Builder | 34 | 188 | 209 | 30k+ | | | Text Domain Mismatch |
| #2046 | Route ‑ Shipping Protection | 34 | 66 | 150 | 500 | | | Missing nonce verification |
| #2047 | Saphali Woocommerce Lite | 34 | 376 | 313 | 10k+ | | | Non-prefixed global variable |
| #2048 | Search Engine Insights for Google Search Console | 34 | 174 | 113 | 2k+ | | | Output is not escaped |
| #2049 | Search Meter | 34 | 191 | 94 | 20k+ | | | Output is not escaped |
| #2050 | Security Safe | 34 | 193 | 164 | 700 | | | Missing Translators Comment |